Full Report
An active phishing campaign has been targeting hotel and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant and dig into front-desk machines, Microsoft says. The company has not attributed the activity to a known threat actor, and the operators' end goal is still unclear. The lure plays to how hotels work.
Analysis Summary
# Incident Report: Phishing Campaign Targeting Hospitality via Node.js Implant
## Executive Summary
An active phishing campaign, operational since April 2026, is targeting hospitality organizations in Europe and Asia using "authentication laundering" to bypass email filters. Attackers leverage legitimate Calendly and Google services to deliver a Node.js-based implant known as **TonRAT** to front-desk workstations. While the ultimate objective remains unclear, the campaign establishes persistent network access through sophisticated evasion and an encrypted C2 infrastructure.
## Incident Details
- **Discovery Date:** June 2026 (Publicly reported by Microsoft/SOC Prime/ITOCHU)
- **Incident Date:** April 2026 – Present
- **Affected Organization:** Unnamed hospitality entities
- **Sector:** Hospitality (Hotels, Reception, Reservations)
- **Geography:** Europe and Asia (Primary lures in Japanese, Danish, and Dutch)
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Phishing via Calendly email notifications and Google redirects.
- **Details:** Attackers use the display name "Booking Manager" and themes like guest complaints or bedbug infestations. Emails are routed through Calendly/Google to pass SPF/DKIM/DMARC checks.
### Lateral Movement
- **Details:** The implant targets front-desk machines. While specific lateral movement between workstations is not detailed, the use of headless browsers suggests reconnaissance for web-based internal portals or booking systems.
### Data Exfiltration/Impact
- **Details:** No confirmed data theft or ransomware reported to date. Current impact involves persistent unauthorized access to hospitality workstations.
### Detection & Response
- **Detection:** Identified by security researchers through suspicious Node.js execution and TON blockchain-related network traffic.
- **Response:** Microsoft and external partners released technical analysis, IOCs, and remediation steps focused on dual-persistence mechanisms.
## Attack Methodology
- **Initial Access:** Phishing; "Authentication Laundering" using Calendly and `share.google`.
- **Persistence:** Dual-path: a RunOnce registry entry launching a component staged in `ProgramData`, plus a Run key launching Node.js from `AppData\Local\Nodejs`.
- **Privilege Escalation:** Not specified; runs in user space but establishes durable access.
- **Defense Evasion:** Cloudflare Turnstile challenges to block automated sandboxes; legitimate Node.js binary usage; C2 domain resolution via TON blockchain API.
- **Credential Access:** Potential intent (historical context suggests stealing Booking.com credentials), but not confirmed.
- **Discovery:** `ip-api[.]com` for geolocation check; headless browser automation for environment profiling.
- **Lateral Movement:** Not explicitly documented in the initial foothold phase.
- **Collection:** Automated screenshots or browser interactions via `--headless` browser flags.
- **Exfiltration:** Encrypted WebSocket channels via non-standard ports.
- **Impact:** Forced system shutdowns via `cmd /c shutdown -s -t 0`.
## Impact Assessment
- **Financial:** Unknown; potential for future fraud or ransomware.
- **Data Breach:** Risk of guest PII and payment card data exposure via front-desk terminals.
- **Operational:** Disruption of booking services; forced system shutdowns.
- **Reputational:** High risk due to the nature of the lures (legal threats and health inspections).
## Indicators of Compromise
- **Network Indicators:**
- `ip-api[.]com` (Geolocation check)
- C2 Ports: `8443`, `8445`, `8453`, `5555`, `56001-56003`
- TON Blockchain API (Domain resolution)
- `.cfd` domains behind Cloudflare
- **File Indicators:**
- `photo-<random>.zip`
- `IMG-<random>.png.lnk` / `PHOTO-<random>.png.lnk`
- Legitimate `node.exe` (v24.13.0) dropped in local user folders.
- **Behavioral Indicators:**
- PowerShell decoding routines built on BigInt arithmetic.
- Execution of Node.js scripts from `AppData\Local`.
- Headless Chrome processes (`--headless`, `--no-sandbox`).
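As an added example (not from the report or from any of the cited vendors), the following Python matches process-creation events against the behavioral indicators listed above: `node.exe` running from a user-writable folder, headless Chrome with `--no-sandbox`, the `shutdown -s -t 0` impact command, and children spawned by such a Node.js process. The events are constructed, Sysmon-style records; the field names (`image`, `cmdline`, `parent`) are assumptions.

```python
"""Flag process events matching the TonRAT behavioral indicators.

Added example (not from the report): the events below are constructed,
Sysmon-style process-creation records; field names are assumptions.
"""
import re

# Constructed sample events: three malicious-looking, one benign system-wide install
EVENTS = [
    {"image": r"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe",
     "cmdline": r"node.exe C:\Users\frontdesk\AppData\Local\Nodejs\app.js",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --headless --no-sandbox --disable-gpu https://example.test",
     "parent": r"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c shutdown -s -t 0",
     "parent": r"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe"},
    {"image": r"C:\Program Files\nodejs\node.exe",   # benign: admin-installed runtime
     "cmdline": "node.exe build.js",
     "parent": r"C:\Windows\explorer.exe"},
]

# User-writable locations the report names: AppData\Local and TEMP
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\|\\Temp\\", re.IGNORECASE)

def classify(event):
    """Return the list of indicator names one event matches (empty if benign)."""
    hits = []
    image, cmd, parent = event["image"], event["cmdline"], event["parent"]
    if image.lower().endswith("node.exe") and USER_WRITABLE.search(image):
        hits.append("node_from_user_dir")
    if "chrome" in image.lower() and "--headless" in cmd and "--no-sandbox" in cmd:
        hits.append("headless_chrome_no_sandbox")
    if re.search(r"shutdown\s+-s\s+-t\s+0", cmd, re.IGNORECASE):
        hits.append("forced_shutdown")
    if parent.lower().endswith("node.exe") and USER_WRITABLE.search(parent):
        hits.append("child_of_user_dir_node")
    return hits

def scan(events):
    """Return (cmdline, hits) for every event that matched at least one indicator."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for cmd, hits in scan(EVENTS):
        print(f"{', '.join(hits):45s} {cmd}")
```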
## Response Actions
- **Containment:** Blocked associated `.cfd` domains and non-standard ports at the firewall.
- **Eradication:** Simultaneous deletion of the RunOnce registry entry and the Node.js Run key. Removal of `%TEMP%` scripts and files in `AppData\Local\Nodejs`.
- **Recovery:** Restored reception systems from known clean states and updated mail filters to inspect multi-hop redirects.
## Lessons Learned
- **Bypassing Reputation:** Attackers successfully used "Authentication Laundering" to bypass traditional SPF/DKIM/DMARC by leveraging trusted SaaS platforms (Calendly/Google).
- **Incomplete Remediation:** The TonRAT implant uses dual-path persistence; removing only one path leaves the other to restore the malware after a reboot.
- **Living off the Runtime:** Using a legitimate, portable Node.js runtime allows attackers to run complex JS payloads without administrative installation or triggering "Living off the Land" alerts associated with common Windows binaries.
## Recommendations
- **Mail Filtering:** Implement "Time of Click" protection and deep inspection for URL redirection chains (e.g., Google redirects leading to unknown TLDs).
- **App Control:** Restrict the execution of binaries (like `node.exe`) from `AppData` or `TEMP` directories for non-administrative users.
- **Training:** Sensitize front-desk staff to the risk of `.zip` or `.lnk` files in communications regarding guest "photos" or "complaints."
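As an added example (not from the report or any mail-security product), the following Python sketches the redirect-chain inspection the Mail Filtering recommendation calls for: it unwraps wrapper hops syntactically and flags a final destination on the `.cfd` TLD named above, or any redirect that ends outside an allowlist. The `google.com/url?q=` wrapper is a real format; the `calendly.com/r?url=` hop, the allowlist and all sample URLs are constructed stand-ins and do not describe Calendly's actual notification links.

```python
# Added example (not the report's tooling): unwrap a multi-hop redirect chain
# and flag the final destination, as the "Mail Filtering" recommendation describes.
# The google.com/url?q= wrapper is a real format; the calendly.com/r?url= hop,
# the allowlist and every sample URL below are constructed stand-ins.
from urllib.parse import urlparse, parse_qs

SUSPECT_TLDS = {"cfd"}                               # C2 TLD named in the report
EXPECTED_DOMAINS = {"calendly.com", "booking.com"}  # constructed allowlist

SAMPLES = [  # constructed
    "https://www.google.com/url?q=https%3A%2F%2Fphotos-guest.cfd%2Fcomplaint",
    "https://calendly.com/booking-manager/guest-complaint",
    "https://calendly.com/r?url=https://www.google.com/url?q=https://example-hotel-photos.net",
]

def next_hop(url):
    """Return the URL a redirect wrapper points at, or None for a final page."""
    p = urlparse(url)
    params = parse_qs(p.query)            # percent-decodes the values for us
    if p.netloc.lower().endswith("google.com") and p.path == "/url":
        return params.get("q", [None])[0]
    # Generic heuristic: any query value that is itself an http(s) URL
    for values in params.values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
    return None

def unwrap(url, max_hops=5):
    """Follow wrapper hops syntactically (no network access) up to max_hops."""
    chain = [url]
    while len(chain) <= max_hops and (nxt := next_hop(chain[-1])):
        chain.append(nxt)
    return chain

def verdict(url):
    """'block' for suspect TLDs, 'review' for redirects ending on unexpected hosts."""
    chain = unwrap(url)
    host = urlparse(chain[-1]).netloc.lower()
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        return "block", chain
    expected = any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)
    if len(chain) > 1 and not expected:
        return "review", chain
    return "allow", chain

if __name__ == "__main__":
    for u in SAMPLES:
        action, chain = verdict(u)
        print(f"{action:6s} " + " <- ".join(reversed(chain)))
```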