Microsoft Warns Hospitality Sector of Photo-Themed Phishing Campaign Delivering Node.js Malware

A sophisticated phishing campaign targeting hotels across Europe and Asia is using fake guest complaint emails and photo-themed ZIP files to deploy a stealthy Node.js-based remote access implant.

CSBadmin

Microsoft is warning of an ongoing phishing campaign targeting hotels and hospitality organizations across Europe and Asia, where attackers are using convincing booking-related emails to infect front-desk systems with a Node.js-based remote access implant. Active since at least April 2026, the operation relies on social engineering themes such as guest complaints, health inspections, room inquiries, and negative reviews to pressure hotel employees into opening malicious attachments.

To increase credibility, the attackers abuse legitimate services, including Calendly and Google redirect links. Because the messages are sent through a legitimate service, they pass SPF, DKIM, and DMARC on that service's behalf, and the chain of trusted domains hides the final download location. Victims are guided through that chain before downloading a ZIP archive containing what appears to be an image file but is actually a disguised Windows shortcut (.LNK); Explorer never displays the .lnk extension, so a file named like a photo looks like one. Opening the shortcut silently launches a PowerShell script that installs a portable Node.js runtime and uses it to execute a JavaScript-based implant known as TonRAT.
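One check a mail gateway or a triage script can run against the attachment described above, as an added example that is not Microsoft's or the reporting outlet's code: open the ZIP and flag every entry that is a Windows shortcut, whether by content (the Shell Link header) or by name, including the image-name-plus-.lnk pattern. The sample archive, its entry names and the complaint text are constructed for the example.

```python
"""Flag Windows shortcuts (.LNK) hiding inside a photo-themed ZIP attachment.

Added example, not Microsoft's or the reporting outlet's code. The archive
built by build_sample_zip() and its entry names are constructed for this demo.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Shell Link file header: HeaderSize = 0x0000004C (little-endian), followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".heic")


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Return a reason to flag this ZIP entry, or None if it looks benign.

    Content is checked before the name: Explorer never shows the .lnk
    extension, so 'IMG_2041.jpg.lnk' is displayed to the user as 'IMG_2041.jpg'.
    """
    lower = name.lower()
    is_lnk_content = head.startswith(LNK_MAGIC)
    has_lnk_ext = lower.endswith(".lnk")
    stem = lower[:-4] if has_lnk_ext else lower
    if is_lnk_content and has_lnk_ext and stem.endswith(IMAGE_EXTS):
        return "shortcut named like a photo (.jpg.lnk, Explorer hides the suffix)"
    if is_lnk_content and not has_lnk_ext:
        return "shortcut content under a non-.lnk name"
    if is_lnk_content or has_lnk_ext:
        return "Windows shortcut inside a mail attachment"
    return None


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Scan an in-memory ZIP and return (entry name, reason) for each suspicious entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one disguised shortcut next to a real JPEG and a note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("room_photos/IMG_2041.jpg.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("room_photos/IMG_2042.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG SOI marker
        zf.writestr("complaint.txt", b"Dear manager, please see the attached photos of the room.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample_zip()):
        print(f"FLAG {entry}: {reason}")
```

The content check matters more than the name check: a shortcut renamed to `.jpg` still carries the Shell Link header, while a name ending in `.lnk` is flagged even if the header is unusual. If the archive is password protected, `zf.open(info, pwd=...)` needs the password from the lure email before the header can be read.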

Researchers say the malware communicates with attacker-controlled infrastructure over encrypted WebSocket connections and resolves its command-and-control domains through the TON blockchain, so blocking the current domain does little once the operators update the on-chain record. The implant writes persistence to multiple Windows registry locations, so removing only some of them lets it return after the next logon. Investigators also observed signs of browser automation, geolocation checks, and system shutdown commands, although Microsoft has not confirmed data theft, ransomware deployment, or the attackers' ultimate objective.

The campaign demonstrates how threat actors continue to refine phishing operations by combining trusted cloud services, authentication laundering, and legitimate software components to bypass email security and endpoint defenses. Microsoft advises hospitality organizations to closely monitor reception and reservation systems, remove all persistence mechanisms during remediation, and remain vigilant against booking-related emails containing unexpected ZIP archives or image attachments.

Source: The Hacker News