Microsoft identified a phishing campaign targeting hotels across Europe and Asia that leverages ZIP files containing a Node.js implant. The campaign uses specialized email tactics to bypass security measures and exploit hotel operational themes, highlighting a significant security concern in the hospitality sector.
An active phishing campaign has been ongoing since April 2026, primarily targeting hotels and hospitality organizations in Europe and Asia. The campaign employs ZIP files disguised as photo attachments to deliver a Node.js implant known as TonRAT.
The phishing emails, marked with the display name 'Booking Manager (via Calendly)', create a sense of urgency around various complaints and inspections, pressuring recipients to act quickly.
The phishing emails are crafted to bypass security measures by routing through Calendly's email system, utilizing authentication laundering to appear legitimate. This multi-hop chain redirects recipients from a Calendly notification through Google services to a malicious domain, ultimately allowing the download of a ZIP file.
The downloaded file contains a shortcut that launches PowerShell upon opening, leading to the execution of the Node.js implant without requiring a system-wide installation.
The implant TonRAT is notable for resolving its command and control (C2) domains through the TON blockchain API, making it difficult to track or block via traditional static methods. After infection, the implant communicates over non-standard ports and can execute various automated tasks on compromised systems.
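As an added detection sketch (not part of the report or of Microsoft's guidance), the following flags the execution chain described above on constructed endpoint telemetry: powershell.exe, typically launched from a double-clicked shortcut under explorer.exe, spawning node.exe from a user-writable path, with any outbound connection on a port other than 80 or 443 recorded alongside. The event shapes, path and port heuristics, and sample data are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the executable

@dataclass
class NetEvent:
    pid: int
    dst_port: int

# Assumption: a node.exe under these folders was not installed system-wide.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
STANDARD_PORTS = {80, 443}

def _is(image, name):
    return image.lower().endswith("\\" + name)

def suspicious_node_chains(procs, nets):
    """Return one finding per node.exe matching shortcut -> powershell -> node."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if not (_is(p.image, "node.exe")
                and any(m in p.image.lower() for m in USER_WRITABLE)):
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or not _is(parent.image, "powershell.exe"):
            continue
        grand = by_pid.get(parent.ppid)
        # explorer.exe as grandparent is what a double-clicked .lnk looks like
        from_shell = grand is not None and _is(grand.image, "explorer.exe")
        odd_ports = sorted({n.dst_port for n in nets
                            if n.pid == p.pid and n.dst_port not in STANDARD_PORTS})
        findings.append({"pid": p.pid, "image": p.image,
                         "launched_via_explorer": from_shell, "odd_ports": odd_ports})
    return findings

# Constructed sample telemetry: one chain matching the campaign, one benign node.exe.
SAMPLE_PROCS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(300, 200, r"C:\Users\frontdesk\AppData\Local\Temp\photos\node.exe"),
    ProcEvent(400, 1, r"C:\Program Files\Microsoft VS Code\Code.exe"),
    ProcEvent(500, 400, r"C:\Program Files\nodejs\node.exe"),
]
SAMPLE_NETS = [NetEvent(300, 8443), NetEvent(300, 443), NetEvent(500, 443)]
```

Running `suspicious_node_chains(SAMPLE_PROCS, SAMPLE_NETS)` returns only the chain rooted at pid 300, with port 8443 listed; the system-wide node.exe under Program Files is not reported.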
This technique undermines conventional security measures that rely on static blocklists, demonstrating the evolving sophistication of phishing threats within the hospitality sector.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.