Since April 2026, phishing emails carrying photo-themed ZIP attachments have been used to deliver a Node.js implant to hotel front-desk machines across Europe and Asia, Microsoft reports — a campaign that blends credentialed email delivery, multi-hop redirects, and an uncommon runtime for malware.
The lure: "Booking Manager (via Calendly)" and reputational pressure
Microsoft says the emails arrive with the display name "Booking Manager (via Calendly)" and subjects that do not name a recipient or property, a sign the messages are high-volume and list-driven rather than narrowly targeted. The lures — written primarily in Japanese, with Danish and Dutch also seen — push urgent, reputation-focused themes: guest complaints, bedbug infestations, room inquiries, health inspections and stay reviews, including complaints framed as final warnings or threatened inspections.
Delivery chain and authentication laundering
Microsoft describes a multi-hop delivery that the report's authors call "authentication laundering." Operators send messages through Calendly's email notification system so the mail legitimately passes SPF, DKIM and DMARC checks. From there, recipients are walked through a Calendly link, a share.google redirect and a Google redirect to a freshly registered, Cloudflare-fronted .cfd domain. That final domain sits behind a Cloudflare Turnstile challenge that doubles as an anti-analysis barrier.
Execution: IMG-*.lnk and Node.js v24.13.0
Clicking the final link downloads photo-<numbers>.zip. Inside are shortcut files masquerading as images — names seen by Microsoft include IMG-<numbers>.png.lnk in the first wave and PHOTO-<numbers>.png.lnk in the second. Opening the shortcut launches PowerShell. The script uses BigInt arithmetic to decode a hidden download URL, fetches a .ps1 into %TEMP%, and then drops a legitimate Node.js v24.13.0 runtime from nodejs.org into user space so the JavaScript implant can run without a system-wide Node installation.
TonRAT, blockchain lookups and post-compromise behavior
The JavaScript implant tracked as TonRAT resolves command-and-control domains through the TON blockchain API and then opens an encrypted WebSocket channel, according to SOC Prime. TonRAT fetches domains on the fly, a technique that reduces the effectiveness of static blocklists. After compromise, Microsoft observed beaconing to fixed IPs over non-standard ports: 8443, 8445, 8453, 5555, and 56001–56003. Some infected hosts also displayed headless browser automation parameters (--headless --no-sandbox), an ip-api.com geolocation check, and a forced shutdown invoked as cmd /c shutdown -s -t 0. Microsoft has not reported confirmed data theft, ransomware, or named victims.
Remediation pitfalls: dual persistence and where to look
Microsoft warns that full cleanup requires addressing both persistence vectors. Investigators must remove the RunOnce entry pointing into ProgramData and the Node.js Run key, and delete the runtime and .js files under AppData\Local\Nodejs. Removing only one persistence path leaves the other intact. Microsoft recommends first examining reception, reservations and front-office systems — the intended targets of the booking-themed lures.
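A read-only triage of one Windows host for the two persistence vectors, the dropped runtime directory and the beacon ports and process flags named above, added here as an example and not taken from Microsoft's advisory or the cited reports. The article does not give the registry value names, so the script matches Run and RunOnce entries on their command data; the ports and flags are the ones quoted in the text.

```powershell
# Added defensive example (not Microsoft's code): report, never remove. Value names
# are unknown here, so registry entries are matched on their command data instead.
$findings = @()
$ignore   = '^PS(Path|ParentPath|ChildName|Drive|Provider)$'

# 1. RunOnce entries launching from ProgramData, and Run entries starting a user-space Node.js
$checks = @{
    'RunOnce -> ProgramData' = @('RunOnce', 'ProgramData')
    'Run -> Node.js'         = @('Run', 'node\.exe|AppData\\Local\\Nodejs')
}
foreach ($label in $checks.Keys) {
    $sub, $pattern = $checks[$label]
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($p.Name -notmatch $ignore -and "$($p.Value)" -match $pattern) {
                $findings += "${label}: [$key] $($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. The dropped runtime and .js implant files under AppData\Local\Nodejs
$nodeDir = Join-Path $env:LOCALAPPDATA 'Nodejs'
if (Test-Path $nodeDir) {
    $files = @(Get-ChildItem $nodeDir -Recurse -Include *.js, *.exe -ErrorAction SilentlyContinue)
    $findings += "Runtime directory present: $nodeDir ($($files.Count) .js/.exe files)"
}

# 3. Processes carrying the headless-browser flags observed on infected hosts
foreach ($proc in Get-CimInstance Win32_Process) {
    if ($proc.CommandLine -match '--headless' -and $proc.CommandLine -match '--no-sandbox') {
        $findings += "Headless process: PID $($proc.ProcessId) $($proc.Name)"
    }
}

# 4. Established connections to the reported beacon ports. 8443 is also used by
#    legitimate HTTPS services, so a hit here is a lead to check, not a verdict.
$ports = 8443, 8445, 8453, 5555, 56001, 56002, 56003
foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($ports -contains $c.RemotePort) {
        $owner = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "Beacon-port connection: $($c.RemoteAddress):$($c.RemotePort) by $owner (PID $($c.OwningProcess))"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No indicators from this campaign found on this host.' }
```

Run it in an elevated session so the HKLM keys and all processes are readable; a host that reports only one of the two registry findings still needs both persistence paths and the Nodejs directory removed together.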
What this means for hotel technologists, security teams, and procurement leaders
- Hotel technologists and front-desk IT: prioritize inspection of reception and reservation endpoints for the RunOnce entry, Node.js Run key, and files under AppData\Local\Nodejs; assume that a seemingly legitimate email sent via Calendly can still be malicious.
- Security operations teams: treat mail that passes SPF/DKIM/DMARC as authenticated for sender identity but not for intent; analyze multi-hop redirect chains (share.google and Google redirect) and Cloudflare-fronted domains behind Turnstile challenges.
- Procurement and platform owners: note the abuse of Calendly's notification system and Google's redirect service in this campaign when assessing third-party email and URL handling services used by staff workflows.
SOC Prime and ITOCHU had documented the same LNK-to-PowerShell-to-Node.js chain about two weeks before Microsoft's advisory, and Microsoft says its findings align with that reporting. Booking-themed phishing aimed at hotel staff is a recurring pattern: previous campaigns such as ClickFix dropped PureRAT to steal Booking.com credentials. What remains unsettled in the current wave is the operators' end goal — Microsoft notes the access appears durable, cleanup is easy to get wrong, and a final payload has not been pinned down. That combination, the company argues, is enough to treat this as more than another booking-themed phish.
Source: https://thehackernews.com/2026/06/microsoft-warns-of-photo-zip-phishing.html