threat-wire
Hotel Phishing Campaign Hides a Node.js Implant in Photo ZIP Files
Microsoft is tracking an active phishing campaign that has hit hotels across Europe and Asia since April, using photo-themed ZIP files to plant a Node.js implant on front-desk computers. The emails pass every standard authentication check because they are routed through real Calendly and Google infrastructure. Any business with a public booking inbox is a plausible target.
By SecureBusinessHub Editorial, International cybersecurity desk · 5 min read
Microsoft says a phishing crew has spent the past two months breaking into hotels. The campaign has run since April 2026 across Europe and Asia, and it leans on something every hotel has: a public inbox that has to open attachments from strangers. The lure is a complaint about a guest stay, a bedbug report, or a threatened health inspection. The attachment is a ZIP of photos. Open it and a Node.js implant quietly takes up residence on the reception computer.
Why the emails pass every check
The clever part is delivery. The operators send their messages through Calendly's real notification system and Google's URL redirect service. Because the mail genuinely leaves infrastructure that is authorised to send for those domains, it passes SPF, DKIM, and DMARC. Microsoft calls the trick authentication laundering. Those checks only confirm that the message came from a server the sending domain permits and was not altered in transit. They say nothing about who wrote the content or what the message is for, so a clean pass here means very little.
From the Calendly link the victim is walked through share.google and a Google redirect to a freshly registered .cfd domain sitting behind Cloudflare. A Turnstile challenge guards the final page, which both looks legitimate and stops automated security scanners from ever seeing the payload. The display name on the mail reads 'Booking Manager (via Calendly)', and the lures arrived in Japanese, Danish, and Dutch, with Japanese the most common.
What the ZIP actually drops
Inside the archive is a shortcut dressed as an image, named something like IMG-4821.png.lnk. Opening it runs PowerShell, which decodes a hidden download address, pulls a script into the temp folder, and downloads a genuine Node.js v24.13.0 runtime from nodejs.org into the user's own profile. No administrator rights and no system-wide install are needed. That runtime then executes the JavaScript implant, which researchers track as TonRAT.
TonRAT finds its command servers in an unusual way. It resolves them through the TON blockchain API, then opens an encrypted WebSocket channel. Looking up its servers on the fly makes static blocklists close to useless. Once running, it has been seen beaconing to fixed addresses over odd ports, launching a headless browser, checking the host's location through ip-api.com, and in some cases forcing an immediate shutdown. Microsoft has not seen confirmed data theft or ransomware yet, and it has not pinned down what the operators are ultimately after.
- Look on reception, reservations, and front-office PCs for a Node.js runtime and .js files under AppData\Local\Nodejs that nobody installed on purpose.
- Check the registry for two persistence entries: a RunOnce value pointing into ProgramData and a Run key that launches Node.js. Remove one and leave the other, and the implant survives.
- Hunt for outbound connections to non-standard ports 8443, 8445, 8453, 5555, and 56001 to 56003, which the implant used to beacon home.
- Treat any 'photo-####.zip' that contains a file ending in .png.lnk as hostile. A real image never ends in .lnk, and Windows hides the .lnk extension even when Explorer is set to show file extensions, so the victim sees only IMG-4821.png.
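The four checks above, gathered into one triage script for a Windows front-desk PC. This is an added example, not Microsoft's tooling or anything recovered from the campaign; the profile path, registry locations and ports are the ones listed above. The choice of the Downloads folder as the place mail-saved ZIPs land, and the LNK header check on archive members, are assumptions made for illustration.

```powershell
# Added triage script, not Microsoft's or the campaign's code. Paths, registry keys
# and ports come from the article; the Downloads folder is an assumption.
# Run from an elevated PowerShell so the HKLM keys are readable.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Node.js runtime and scripts dropped under the user's profile, plus any node.exe
#    already running from there. A per-user install needs no admin rights.
$nodeDir = Join-Path $env:LOCALAPPDATA 'Nodejs'
if (Test-Path $nodeDir) {
    Get-ChildItem -Path $nodeDir -Recurse -Include 'node.exe', '*.js' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("File: $($_.FullName) (modified $($_.LastWriteTime))") }
}
Get-Process -Name node -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like "$env:LOCALAPPDATA\*" } |
    ForEach-Object { $findings.Add("Process: node.exe PID $($_.Id) running from $($_.Path)") }

# 2. Both persistence entries. Run and RunOnce are checked in HKCU and HKLM so that
#    removing one and missing the other cannot happen.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }            # provider metadata, not a value
        $value = [string]$prop.Value
        if ($value -match '\bnode(\.exe)?\b|\\ProgramData\\') {
            $findings.Add("Registry: $key\$($prop.Name) = $value")
        }
    }
}

# 3. Established connections to the beacon ports. 8443 is also used legitimately,
#    so the owning process matters more than the port on its own.
$beaconPorts = @(8443, 8445, 8453, 5555) + (56001..56003)
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $beaconPorts -contains [int]$_.RemotePort } |
    ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add("Network: $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($owner)")
    }

# 4. Photo ZIPs saved from the mailbox. Any member ending in .lnk is a shortcut,
#    whatever icon Explorer shows; a 4C 00 00 00 header confirms a real LNK file.
$scanDir = Join-Path $env:USERPROFILE 'Downloads'     # assumption: where attachments get saved
Get-ChildItem -Path $scanDir -Filter '*.zip' -ErrorAction SilentlyContinue | ForEach-Object {
    $zipPath = $_.FullName
    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -notmatch '\.lnk$') { continue }
            $stream = $entry.Open()
            $hdr = New-Object byte[] 4
            $null = $stream.Read($hdr, 0, 4)
            $stream.Dispose()
            $isLnk = ($hdr[0] -eq 0x4C -and $hdr[1] -eq 0 -and $hdr[2] -eq 0 -and $hdr[3] -eq 0)
            $findings.Add("Archive: $zipPath contains shortcut '$($entry.FullName)' (LNK header: $isLnk)")
        }
    } catch {
        $findings.Add("Archive: could not inspect $zipPath ($($_.Exception.Message))")
    } finally {
        if ($zip) { $zip.Dispose() }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this campaign found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any one check is enough to pull the machine off the network; a hit on the registry check that shows only one of the two entries means the other was already removed or lives somewhere this script does not look, which is exactly the case where a rebuild beats a cleanup.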
Closing the gap on a booking inbox
Staff who handle bookings cannot stop opening attachments, so the defence has to assume a convincing lure will land. Two habits help most. First, treat a passing SPF, DKIM or DMARC result as no evidence that a message is safe, because this campaign passes all three by design. Second, block shortcut files inside archives at the mail gateway, and tell front-desk staff that a 'photo' which shows no thumbnail and has to be double-clicked to open is not a photo. If a machine is found infected, rebuild it rather than trusting a cleanup, because the two persistence paths are easy to miss and leaving either one behind brings the implant back.
A green tick on email authentication tells you the sender is real, not that the message is safe.