- Microsoft Threat Intelligence warns of a phishing campaign targeting hotel staff in Europe and Asia with emails themed around customer complaints.
- Attackers abuse services like Calendly and Google Redirects to bypass authentication controls, delivering photo-themed ZIPs that install a persistent Node.js implant.
- The malware disables Defender, runs C2 markup, collects system information, and forces shutdowns; warning signs include unusual PowerShell activity, Node.js running from user directories, and suspicious registry entries.
Hackers are gaining a foothold in hotels and hospitality organizations across Europe and Asia, but no one really knows why, at least not yet.
This is according to Microsoft Threat Intelligence, which recently released a report indicating that it has been monitoring an active phishing campaign since April. In this campaign, unidentified attackers target front desk and reservations staff with emails about guest complaints, room conditions, bedbug infestations, reservation requests, and more.
The messages, sent in different languages (Danish, Dutch, Japanese), are not broadcast directly. Instead, scammers abuse legitimate services like Calendly and Google’s redirect infrastructure, which helps them pass SPF, DKIM, and DMARC authentication checks.
Deceptive defender
This “authentication laundering,” as Microsoft puts it, results in photo-themed ZIP archives reaching their victims directly. The archives contain fake image shortcut (.LNK) files which, at first glance, appear to be harmless .PNG images. However, these files initiate a sophisticated, multi-step infection chain that installs a persistent implant based on Node.js.
After being deployed, the malware modifies Microsoft Defender to exclude itself (and other randomly named executables) from scanned processes, downloads additional payloads, and copies itself to different locations.
On compromised systems, Microsoft observed the malware executing command-and-control markup, collecting environmental information such as the victim’s public IP address, launching headless browser sessions, and in some cases forcing immediate system shutdowns. While the campaign’s goal cannot yet be determined, the activity points to a reconnaissance stage of the kind that typically precedes a more disruptive malware or ransomware attack.
Microsoft recommends that organizations focus on detecting the campaign’s behavior rather than individual indicators. Key signs include photo-themed ZIP archives, unusual PowerShell activity, unexpected Node.js execution from user profile directories, PowerShell-initiated .NET compilation, and Defender exclusion changes.
Additionally, there are random executables running from temporary folders, suspicious Run and RunOnce registry entries, outgoing connections on non-standard campaign ports, connections to newly registered .cfd domains, and combinations of headless browser activities followed by force shutdown commands.
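As an added example, not code from the article or from Microsoft, the following PowerShell triage script checks a Windows host for several of the signs listed above: Node.js running from a user profile, executables running from Temp folders, Defender exclusions in user-writable paths, Run/RunOnce entries that launch node or PowerShell, and cached DNS lookups for .cfd domains. It assumes Windows 10/11 with Microsoft Defender and an elevated session.

```powershell
# Added triage script (not from the article or the Microsoft report).
# Checks a Windows host for several of the campaign indicators listed above.
# Assumes Windows 10/11 with Defender; run elevated so Get-MpPreference works.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Node.js running from a user profile, or any executable running from a Temp folder
Get-CimInstance Win32_Process | Where-Object ExecutablePath | ForEach-Object {
    $path = $_.ExecutablePath
    if ($_.Name -ieq 'node.exe' -and $path -like "$env:SystemDrive\Users\*") {
        $findings.Add("node.exe from user profile: $path (PID $($_.ProcessId))")
    } elseif ($path -match '\\Temp\\') {
        $findings.Add("executable running from Temp: $path (PID $($_.ProcessId))")
    }
}

# 2. Defender path/process exclusions that point at user-writable locations
try {
    $pref = Get-MpPreference
    foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($ex -and ($ex -match '\\Users\\|\\Temp\\')) {
            $findings.Add("Defender exclusion in user-writable location: $ex")
        }
    }
} catch { $findings.Add("could not read Defender preferences: $($_.Exception.Message)") }

# 3. Run / RunOnce entries that launch node, PowerShell, or anything from Temp or Users
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            if ("$($_.Value)" -match 'node(\.exe)?|powershell|\\Temp\\|\\Users\\') {
                $findings.Add("autorun ${key}\$($_.Name) -> $($_.Value)")
            }
        }
}

# 4. Recently resolved .cfd domains (the newly registered TLD seen in this campaign)
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*.cfd' } |
    ForEach-Object { $findings.Add("DNS cache entry for .cfd domain: $($_.Entry)") }

if ($findings.Count -eq 0) { 'No campaign-style indicators found.' } else { $findings }
```

Each finding is a heuristic lead for triage, not proof of compromise; confirm hits against process ancestry and the full Defender and registry context before acting.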

Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.