Hotels Targeted by ‘Photo.zip’ Phishing with Node.js Malware

Since April 2026, a sophisticated phishing campaign has been targeting hotels and hospitality organizations across Europe and Asia. The attackers employ deceptive emails with photo-themed ZIP attachments to deploy a Node.js-based malware implant, aiming to compromise front-desk systems.

The phishing emails are crafted to appear as legitimate communications from booking managers, referencing guest complaints, bedbug infestations, room inquiries, health inspections, and stay reviews. These messages are sent in multiple languages, including Japanese, Danish, and Dutch, with Japanese being the most prevalent. The generic nature of the subject lines suggests a broad, high-volume distribution rather than targeted spear-phishing attempts.

To enhance credibility and bypass security measures, the attackers utilize legitimate services such as Calendly’s email notification system and Google’s URL redirect service. This technique, referred to as authentication laundering, allows the phishing emails to pass standard email authentication protocols like SPF, DKIM, and DMARC, as they originate from authorized infrastructure. However, these protocols only confirm that a message was sent from infrastructure authorized for the sending domain; they say nothing about the intent of the content.

The attack chain involves multiple redirections: recipients are led from a Calendly link through Google’s URL shortening service to a newly registered, Cloudflare-protected domain with a .cfd extension. This domain employs a Turnstile challenge to deter automated analysis. Upon clicking through, the victim downloads a file named ‘photo-.zip,’ containing a shortcut disguised as an image file (e.g., ‘IMG-.png.lnk’ or ‘PHOTO-.png.lnk’).
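The lure described above is a shortcut with an image-style double extension packed inside a ZIP, which Windows Explorer displays as a plain image name because the `.lnk` extension is hidden by default. As an added example (not from the report or any vendor tool), the following PowerShell function lists archive entries whose name ends in an image extension followed by `.lnk`, so a quarantine or mail-gateway review can flag them before a user opens the archive. The quarantine path and the list of image extensions are the editor’s assumptions; the report only names `IMG-<…>.png.lnk` and `PHOTO-<…>.png.lnk`.

```powershell
# Added example (not from the original report): flag archive entries that use an
# image-looking double extension ending in .lnk, the lure pattern described above.
# Assumptions (not from the page): the archive is a ZIP readable by .NET's ZipFile
# class, and the image-extension list below is the editor's choice.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-DisguisedShortcuts {
    param(
        [Parameter(Mandatory)][string]$ZipPath
    )
    # Matches e.g. IMG-<anything>.png.lnk or PHOTO-<anything>.jpg.lnk
    # (-match is case-insensitive in PowerShell, so .PNG.LNK is caught too).
    $pattern = '\.(png|jpe?g|gif|bmp|webp)\.lnk$'
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -match $pattern) {
                [pscustomobject]@{
                    Archive = $ZipPath
                    Entry   = $entry.FullName
                    Size    = $entry.Length
                    Reason  = 'image extension followed by .lnk'
                }
            }
        }
    }
    finally {
        # Always release the file handle, even if an entry name is malformed.
        $zip.Dispose()
    }
}

# Usage: run over an attachment quarantine folder (the path is a placeholder).
Get-ChildItem -Path 'C:\Quarantine' -Filter '*.zip' -File |
    ForEach-Object { Find-DisguisedShortcuts -ZipPath $_.FullName } |
    Format-Table -AutoSize
```

The check reads only the central directory of the archive and never extracts or opens the shortcut, so it is safe to run against quarantined samples. Any hit is a strong signal regardless of the rest of the filename, since a legitimate image never needs a `.lnk` wrapper.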

Executing this shortcut triggers a PowerShell script that decodes a concealed download URL using BigInt arithmetic. The script then downloads a PowerShell file to the %TEMP% directory and installs a legitimate Node.js runtime (version 24.13.0) from nodejs.org into the user’s local environment. This setup allows the execution of a JavaScript-based implant without requiring a system-wide Node.js installation.

The malware, identified as TonRAT, resolves its command-and-control (C2) domains through the TON blockchain API and establishes an encrypted WebSocket channel for communication. This dynamic domain resolution method complicates static blocklisting efforts. Post-compromise, the implant communicates with fixed IP addresses over non-standard ports (e.g., 8443, 8445, 8453, 5555, 56001-56003). Some infected systems exhibit headless browser automation, geolocation checks via ip-api.com, and forced shutdown commands.

Effective remediation requires removing both persistence mechanisms, the RunOnce registry entry pointing to ProgramData and the Node.js Run key, as well as the Node.js runtime and the associated JavaScript files under AppData\Local\Nodejs. Removing only one component may result in reinfection. Priority should be given to inspecting reception, reservations, and front office systems.
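To make the persistence locations above and the network indicators from the preceding paragraph actionable, here is an added PowerShell triage script (not part of the report, nor any vendor tool) that checks a Windows host for them. It assumes the Run/RunOnce values live under the standard `HKCU`/`HKLM` `CurrentVersion` keys (the report does not say which hive), that the implant is launched through `node.exe`, and uses the port list quoted above; the keyword pattern for autorun commands is the editor’s choice.

```powershell
# Added example (not from the original report): triage a host for the persistence
# and network indicators described above. Assumptions not stated on the page:
# the Run/RunOnce values are under the standard CurrentVersion keys (HKCU and
# HKLM are both checked), the implant launches via node.exe, and the port list
# is the one quoted in the report.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Ports quoted in the report for post-compromise traffic to fixed IPs.
$suspectPorts = @(8443, 8445, 8453, 5555) + (56001..56003)

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            # Flag commands that reference ProgramData, node.exe, or the Nodejs folder.
            if ($cmd -match 'ProgramData|node\.exe|\\Nodejs\\') {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                }
            }
        }
    }
}

function Get-UserNodejsDirs {
    # The report names AppData\Local\Nodejs as the drop location; check every profile.
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = Join-Path $_.FullName 'AppData\Local\Nodejs'
            if (Test-Path $dir) {
                [pscustomobject]@{
                    Path    = $dir
                    NodeExe = Test-Path (Join-Path $dir 'node.exe')
                    JsFiles = (Get-ChildItem -Path $dir -Filter '*.js' -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
                }
            }
        }
}

function Get-SuspiciousConnections {
    # Established sessions to the non-standard ports quoted in the report,
    # with the owning process so node.exe stands out.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $suspectPorts -contains $_.RemotePort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Pid           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
            }
        }
}

'== Autorun entries referencing ProgramData / node.exe / Nodejs =='
Get-SuspiciousAutoruns | Format-Table -AutoSize
'== Per-user AppData\Local\Nodejs directories =='
Get-UserNodejsDirs | Format-Table -AutoSize
'== Established connections to ports quoted in the report =='
Get-SuspiciousConnections | Format-Table -AutoSize
```

Run it in an elevated session so the `HKLM` keys and other users’ profiles are readable. The script only reports; the removal step the report calls for follows from its output, and both the flagged autorun values and the per-user `Nodejs` directory must go together, since leaving either one behind is exactly the reinfection path described above.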

Similar booking-themed phishing campaigns targeting hotel staff have been documented previously, including incidents involving ClickFix campaigns that deployed PureRAT to steal Booking.com credentials. However, the specific objectives of the current campaign remain unclear. The attackers’ use of durable access methods and the ease of reinfection underscore the need for heightened vigilance and comprehensive security measures within the hospitality sector.