Ethical Hacking News

A Sophisticated Phishing Campaign: Unpacking the Photo ZIP Malware Attack Targeting Hotel Chains



Microsoft has warned of a phishing campaign targeting hotel chains and hospitality organizations across Europe and Asia that uses photo-themed ZIP files to deliver a Node.js implant. Its tactics, techniques, and procedures (TTPs) include authentication laundering and a multi-hop delivery chain that routes messages through Calendly's email notification system and Google's URL redirect service, so the lures arrive from a legitimately authenticated sender and behind trusted-looking links. Front-desk machines are the reported foothold, which makes the campaign a direct concern for hospitality security teams.

  • Microsoft has warned of a highly sophisticated phishing campaign targeting hotel chains and hospitality organizations in Europe and Asia, starting in April 2026.
  • The attack uses photo-themed ZIP files to deliver a Node.js implant, compromising front-desk machines and potentially allowing attackers to access sensitive information.
  • Microsoft has not attributed the activity to a known threat actor, and the operators' end goal is not yet known.
  • The phishing emails reference guest complaints and other routine hotel operations to draw a click from front-desk staff.
  • The messages are sent through Calendly's notification system, an authentication laundering technique that lets them pass SPF, DKIM, and DMARC checks for Calendly's domain.
  • The Node.js implant, tracked as TonRAT, beacons to fixed IPs and resolves C2 domains through the TON blockchain API.
  • Because the lures mimic routine hotel correspondence, staff cannot easily tell them from legitimate messages, and a single click gives the operators a foothold on a front-desk system.


    Microsoft has warned of a phishing campaign targeting hotel chains and hospitality organizations across Europe and Asia. The activity, which began in April 2026, uses photo-themed ZIP files to deliver a Node.js implant to front-desk machines, potentially giving the attackers access to sensitive information.

    Microsoft has not attributed the activity to a known threat actor, and the operators' end goal is not yet known. The lures play on how hotels operate, referencing guest complaints, bedbug infestations, room inquiries, health inspections, and stay reviews.

    The campaign's tactics, techniques, and procedures (TTPs) fit that lure. The emails carry the display name "Booking Manager (via Calendly)" and reference issues a front desk cannot ignore. The lures came in Japanese, Danish, and Dutch, with Japanese the most common. Notably, the subject lines name no recipient or property, which points to high-volume, list-driven sending rather than targeted spear phishing.

    Delivery relies on a multi-hop chain that routes messages through Calendly's email notification system and Google's URL redirect service. Because the messages are actually sent by Calendly, they pass SPF, DKIM, and DMARC for Calendly's sending domain; the checks authenticate the relay, not the person who wrote the content, which is why this is described as authentication laundering. The link in the notification passes through share.google and a Google redirect before landing the victim on a download of a file named photo-.zip.
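    To make concrete what a mail gateway actually verified in this chain, here is an added triage script (my example, not Microsoft's or Calendly's code, and not taken from the report) that parses a constructed message modelled on the described lure. The Calendly local part, the Authentication-Results values, the share.google path, and the relay list are assumptions. It shows that a DMARC pass binds only the relay's From domain, and flags the display-name/brand mismatch and the redirector link that a SOC rule would key on:

```python
"""Triage check for 'authentication laundering': mail relayed through a
legitimate SaaS notification service (here Calendly) passes SPF, DKIM and
DMARC for the *relay's* domain, so a pass result says nothing about who
composed the content. Signals flagged: a display name that invokes a brand
or role other than the authenticated From domain, a From domain on a list
of known notification relays, and body links through URL-redirect hosts."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a captured artifact). The Calendly local
# part, Authentication-Results values and share.google path are assumptions.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=calendly.com;
 dkim=pass header.d=calendly.com; dmarc=pass header.from=calendly.com
From: "Booking Manager (via Calendly)" <notifications@calendly.com>
To: frontdesk@hotel.example
Subject: Guest complaint: bedbugs reported in room, photos attached
Content-Type: text/plain; charset=utf-8

A guest reported bedbugs after their stay and uploaded photos.
Review the photos here: https://share.google/AbCdEfGhIj
"""

# SaaS notification senders whose mail legitimately passes DMARC for their
# own domain. Assumption: a tenant maintains this list; the report gives none.
NOTIFICATION_RELAYS = {"calendly.com"}

# Redirect/shortener hosts from the delivery chain described in the article.
REDIRECTORS = {"share.google", "www.google.com", "google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_auth_results(header_value):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} from an
    Authentication-Results header (folded values are fine)."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header_value or "")
        if m:
            results[method] = m.group(1).lower()
    return results


def url_host(url):
    """Host part of a URL, lower-cased, without port."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def analyze(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = URL_RE.findall(text)

    findings = []
    all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    if all_pass and from_domain in NOTIFICATION_RELAYS:
        findings.append(f"auth passes only for relay domain {from_domain}; "
                        "content author is unverified")
    # "Booking Manager (via Calendly)": the role/brand in the display name
    # is not what DMARC authenticated; flag it unless it matches the domain.
    via = re.search(r"\(via\s+([^)]+)\)", display_name, re.IGNORECASE)
    if via and from_domain:
        brand = display_name[: via.start()].strip()
        if brand and brand.lower().split()[0] not in from_domain:
            findings.append(
                f"display name impersonates '{brand}' while From is {from_domain}")
    for u in urls:
        if url_host(u) in REDIRECTORS:
            findings.append(f"redirector link: {u}")
    return {"auth": auth, "from_domain": from_domain,
            "display_name": display_name, "urls": urls, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_MESSAGE)["findings"]:
        print(line)
```

    The useful design point is that the script never treats spf/dkim/dmarc=pass as "safe": it asks which domain the pass was for, and whether that domain is the identity the display name and content are claiming.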

    Opening the archive's contents launches PowerShell, and the script uses BigInt arithmetic to decode an obfuscated download URL. It then pulls a .ps1 file into %TEMP% and installs a legitimate Node.js v24.13.0 runtime, downloaded from nodejs.org, into user space rather than a system-wide install location. The JavaScript implant, tracked as TonRAT, resolves its C2 domains through the TON blockchain API and then opens an encrypted WebSocket channel.

    Once running, the implant beacons to fixed IP addresses over non-standard ports, including 8443, 8445, 8453, 5555, and 56001 through 56003. Some compromised hosts also show headless browser automation (--headless --no-sandbox), a geolocation check against ip-api.com, and a forced shutdown via cmd /c shutdown -s -t 0.
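    The execution chain and post-compromise indicators above translate directly into host and network hunting rules. The following added example (mine, not from Microsoft's report) runs such rules over constructed telemetry records in a Sysmon/EDR-like shape; the host names, IP addresses, the file names update.ps1 and app.js, and the node-v24.13.0-win-x64 folder are assumptions. The rules match only what the article states: a .ps1 executed from %TEMP%, node.exe running from a user profile path, direct-to-IP connections from node.exe on the listed ports, the ip-api.com lookup, the headless browser flags, and the forced shutdown:

```python
"""Hunting rules for the TonRAT indicators described above, run over
constructed endpoint telemetry. Each record is a dict in a Sysmon/EDR-like
shape: process creations carry image, cmdline and parent; network
connections carry image, dst_ip, dst_port and dst_host (empty when the
connection went straight to an IP with no DNS lookup)."""
import re

# Ports the implant beacons to (from the article).
C2_PORTS = {8443, 8445, 8453, 5555, 56001, 56002, 56003}

USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.I)
TEMP_PS1_RE = re.compile(r"\\temp\\[^\s\"']*\.ps1\b", re.I)
SHUTDOWN_RE = re.compile(r"\bshutdown\b.*\s-s\b.*\s-t\s+0\b", re.I)

# Constructed telemetry, not captured data. Host names, IPs (RFC 5737
# documentation ranges), update.ps1, app.js and the node-v24.13.0-win-x64
# folder name are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "host": "FRONTDESK-01", "type": "process", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -f C:\Users\desk\AppData\Local\Temp\update.ps1"},
    {"id": 2, "host": "FRONTDESK-01", "type": "process", "parent": "powershell.exe",
     "image": r"C:\Users\desk\AppData\Local\node-v24.13.0-win-x64\node.exe",
     "cmdline": r"node.exe C:\Users\desk\AppData\Local\Temp\app.js"},
    {"id": 3, "host": "FRONTDESK-01", "type": "network",
     "image": r"C:\Users\desk\AppData\Local\node-v24.13.0-win-x64\node.exe",
     "dst_ip": "203.0.113.45", "dst_port": 8453, "dst_host": ""},
    {"id": 4, "host": "FRONTDESK-01", "type": "network",
     "image": r"C:\Users\desk\AppData\Local\node-v24.13.0-win-x64\node.exe",
     "dst_ip": "198.51.100.7", "dst_port": 80, "dst_host": "ip-api.com"},
    {"id": 5, "host": "FRONTDESK-01", "type": "process", "parent": "node.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --headless --no-sandbox about:blank"},
    {"id": 6, "host": "FRONTDESK-01", "type": "process", "parent": "node.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c shutdown -s -t 0"},
    # Benign control: a system-wide Node.js service talking to npm over 443.
    {"id": 7, "host": "LOBBY-PC", "type": "process", "parent": "services.exe",
     "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node.exe server.js"},
    {"id": 8, "host": "LOBBY-PC", "type": "network",
     "image": r"C:\Program Files\nodejs\node.exe",
     "dst_ip": "192.0.2.10", "dst_port": 443, "dst_host": "registry.npmjs.org"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_hits(ev):
    """Yield the name of every rule a single event satisfies."""
    img = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    if ev["type"] == "process":
        if img == "powershell.exe" and TEMP_PS1_RE.search(cmd):
            yield "ps1_from_temp"
        if img == "node.exe" and USER_PROFILE_RE.match(ev["image"]):
            yield "node_in_user_space"
        if "--headless" in cmd and "--no-sandbox" in cmd:
            yield "headless_browser"
        if SHUTDOWN_RE.search(cmd):
            yield "forced_shutdown"
    elif ev["type"] == "network":
        # Beacons go to fixed IPs (no DNS name) on the listed non-standard ports.
        if img == "node.exe" and ev["dst_port"] in C2_PORTS and not ev["dst_host"]:
            yield "node_c2_port"
        if ev["dst_host"].lower() == "ip-api.com":
            yield "geolocation_check"


def evaluate(events):
    """Return one alert dict per (event, rule) match, keeping the parent
    process so an analyst can see the node.exe ancestry."""
    return [{"host": ev["host"], "event": ev["id"], "rule": r,
             "parent": ev.get("parent")}
            for ev in events for r in rule_hits(ev)]


def rules_per_host(alerts):
    """Distinct rule names per host. Several distinct rules on one host is
    the signal worth paging on; a single hit is a lead to check."""
    out = {}
    for a in alerts:
        out.setdefault(a["host"], set()).add(a["rule"])
    return out


if __name__ == "__main__":
    for host, rules in rules_per_host(evaluate(SAMPLE_EVENTS)).items():
        print(host, sorted(rules))
```

    The node_c2_port rule deliberately requires both a listed port and an empty dst_host: Node.js processes legitimately make outbound TLS connections, but a connection to a bare IP on 8453 or 56001 from a user-profile node.exe is the specific behaviour the report describes.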

    Microsoft has not confirmed data theft, ransomware, or named victims. The risk is nonetheless clear: because the lures mimic routine hotel correspondence, front-desk staff cannot easily separate them from legitimate messages, and a single click yields a persistent implant on a machine with access to sensitive information.

    The activity resembles earlier Booking-themed phishing campaigns, including ClickFix campaigns that dropped PureRAT to steal Booking.com logins. The Node.js implant and the authentication laundering through Calendly are what set this campaign apart.

    The practical takeaway for hospitality defenders follows from the chain itself: notification mail from a third-party SaaS that passes SPF, DKIM, and DMARC still needs scrutiny of the display name and of redirect links in the body, a Node.js runtime appearing in user space on a front-desk machine is worth investigating, and outbound connections to fixed IPs on the ports listed above are a strong indicator of this implant.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Sophisticated-Phishing-Campaign-Unpacking-the-Photo-ZIP-Malware-Attack-Targeting-Hotel-Chains-ehn.shtml

  • https://thehackernews.com/2026/06/microsoft-warns-of-photo-zip-phishing.html


  • Published: Fri Jun 26 06:07:07 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
