
Hackers are establishing persistence in hospitality and hotels by posing as guests with poisoned ZIP archives, but no…
Microsoft Threat Intelligence warns of a phishing campaign targeting hotel staff in Europe and Asia with guest complaint‑themed emails
Attackers abuse services like Calendly and Google redirects to bypass authentication checks, delivering photo‑themed ZIPs that install a persistent Node.js implant
Malware disables Defender, runs C2 beaconing, gathers system info, and forces shutdowns; signs include unusual PowerShell activity, Node.js execution, and suspicious registry entries
Hackers are establishing a foothold on hotels and hospitality organizations across Europe and Asia, but no one really knows what for, at least not yet.
This is according to Microsoft Threat Intelligence, who recently published a new report saying that since April, it’s been tracking an active phishing campaign. In this campaign, the unnamed attackers target front desk, reception, and reservations staff with emails about guest complaints, room conditions, bedbug infestations, booking inquiries, and similar.
The messages, sent in different languages (Danish, Dutch, Japanese), are not distributed directly. Instead, the crooks abuse legitimate services such as Calendly, and Google’s redirect infrastructure, which helps them pass SPF, DKIM, and DMARC authentication checks.
Tricking Defender
This “authentication laundering”, as Microsoft puts it, results in photo-themed ZIP archives reaching the victims directly. The archives contain fake image shortcut (.LNK) files that, at a glance, appear to be harmless .PNG images. However, these files launch a sophisticated multi-stage infection chain that installs a persistent Node.js-based implant.
After being deployed, the malware tweaks Microsoft Defender to exclude itself (and other, randomly named executables) from scanned processes, downloads additional payloads, and copies itself into different places.
On compromised systems, Microsoft observed the malware running command-and-control beaconing, gathering environmental information such as the victim's public IP details, launching headless browser sessions, and in some cases forcing immediate system shutdowns. While it could not say what the goal of the campaign is, it all points to a reconnaissance stage that usually comes before a more disruptive malware or ransomware attack.
Microsoft recommends organizations focus on detecting the campaign's behavior rather than individual indicators. Key signs include photo-themed ZIP archives, unusual PowerShell activity, unexpected Node.js execution from user profile directories, .NET compilation initiated by PowerShell, and Defender exclusion changes.
Further signs include randomly named executables running from temporary folders, suspicious Run and RunOnce registry entries, outbound connections on the campaign's non-standard ports, connections to newly registered .cfd domains, and headless browser activity followed by forced shutdown commands.
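To show how the behaviour-based signs Microsoft lists (Node.js from a user profile, .NET compilation spawned by PowerShell, Defender exclusion changes, executables in temp folders, Run/RunOnce entries, .cfd domains, non-standard ports, and headless browser activity followed by a forced shutdown) can be turned into triage logic over endpoint telemetry, here is an added Python example. It is not code from the article or from Microsoft's report. It assumes a simplified, constructed event shape loosely modelled on Sysmon process, registry and network events; the sample events are constructed, not captured from an incident, and the port rule and the "random name" heuristic are assumptions, since the article does not name the campaign's ports or file-name patterns.

```python
import re
import ntpath

# Constructed sample telemetry in a simplified Sysmon-like shape (not real data).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\frontdesk\AppData\Roaming\nodejs\node.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"node.exe C:\Users\frontdesk\AppData\Roaming\nodejs\app.js"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"csc.exe /noconfig /fullpaths @C:\Users\frontdesk\AppData\Local\Temp\abc.cmdline"},
    {"type": "process", "image": r"C:\Users\frontdesk\AppData\Local\Temp\qzxkfwpl.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "qzxkfwpl.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"powershell.exe -w hidden Add-MpPreference -ExclusionPath C:\Users\frontdesk\AppData\Roaming\nodejs"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\frontdesk\AppData\Local\Temp\qzxkfwpl.exe"},
    {"type": "network", "image": r"C:\Users\frontdesk\AppData\Roaming\nodejs\node.exe",
     "host": "update-portal.cfd", "port": 8443},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\frontdesk\AppData\Roaming\nodejs\node.exe",
     "cmd": "chrome.exe --headless --disable-gpu https://update-portal.cfd/check"},
    {"type": "process", "image": r"C:\Windows\System32\shutdown.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "shutdown.exe /s /t 0"},
    # Benign noise that should not fire: a normally launched browser and a vendor site on 443.
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "chrome.exe"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "host": "www.example.com", "port": 443},
]


def base(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def looks_random(name):
    """Crude heuristic (an assumption, not from the report): 8+ alphanumeric
    characters with few vowels reads like a generated name, not a product name."""
    stem = name.rsplit(".", 1)[0]
    vowels = sum(c in "aeiou" for c in stem)
    return len(stem) >= 8 and stem.isalnum() and vowels / len(stem) < 0.25


def check_event(ev):
    """Return the behaviour names a single event matches (empty list if none)."""
    hits = []
    if ev["type"] == "process":
        img, parent, cmd = ev["image"].lower(), base(ev["parent"]), ev["cmd"].lower()
        if base(img) == "node.exe" and img.startswith("c:\\users\\"):
            hits.append("nodejs_from_user_profile")
        if base(img) in ("csc.exe", "vbc.exe") and parent == "powershell.exe":
            hits.append("dotnet_compile_from_powershell")
        if re.search(r"(add|set)-mppreference.*-exclusion", cmd):
            hits.append("defender_exclusion_change")
        if "\\temp\\" in img and img.endswith(".exe"):
            hits.append("exe_from_temp" + ("_random_name" if looks_random(base(img)) else ""))
        if "--headless" in cmd:
            hits.append("headless_browser")
        if base(img) == "shutdown.exe":
            hits.append("forced_shutdown")
    elif ev["type"] == "registry":
        key, data = ev["key"].lower(), ev["data"].lower()
        if re.search(r"\\currentversion\\run(once)?\\", key) and re.search(r"\\(temp|appdata)\\", data):
            hits.append("run_key_to_temp_or_appdata")
        if "windows defender\\exclusions" in key:
            hits.append("defender_exclusion_change")
    elif ev["type"] == "network":
        if ev["host"].lower().endswith(".cfd"):
            hits.append("new_tld_cfd_domain")
        if ev["port"] not in (80, 443):  # assumption: the article does not name the ports
            hits.append("non_standard_port")
    return hits


def triage(events):
    """Sorted, de-duplicated behaviours seen on a host, including the
    headless-browser-then-forced-shutdown sequence across events."""
    findings, seen_headless = [], False
    for ev in events:
        hits = check_event(ev)
        seen_headless = seen_headless or "headless_browser" in hits
        if "forced_shutdown" in hits and seen_headless:
            hits.append("headless_then_shutdown")
        findings.extend(hits)
    return sorted(set(findings))


if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print(name)
```

The point of keeping each rule keyed to behaviour rather than to a hash or domain is that the sequence rule (headless browser, then shutdown) and the combination of several weak signals on one host are what separate this campaign from ordinary admin noise; a single hit such as a non-standard port on its own should be treated as low confidence.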
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
View original source — TechRadar ↗