Hackers are establishing persistence in hospitality and hotels by posing as guests with poisoned ZIP archives, but no one knows what their plan is
It looks like reconnaissance activity
- Microsoft Threat Intelligence warns of a phishing campaign targeting hotel staff in Europe and Asia with guest complaint‑themed emails
- Attackers relay the lures through legitimate services such as Calendly and Google redirects so the messages pass SPF, DKIM, and DMARC checks, delivering photo‑themed ZIPs that install a persistent Node.js implant
- The malware adds Microsoft Defender exclusions for itself, runs C2 beaconing, gathers system info, and forces shutdowns; signs include unusual PowerShell activity, Node.js execution from user profile directories, and suspicious Run/RunOnce registry entries
Hackers are establishing a foothold in hotels and hospitality organizations across Europe and Asia, but no one really knows what for, at least not yet.
This is according to Microsoft Threat Intelligence, who recently published a new report saying that since April, it’s been tracking an active phishing campaign. In this campaign, the unnamed attackers target front desk, reception, and reservations staff with emails about guest complaints, room conditions, bedbug infestations, booking inquiries, and similar.
The messages, sent in different languages (Danish, Dutch, Japanese), are not distributed directly. Instead, the crooks abuse legitimate services such as Calendly, and Google’s redirect infrastructure, which helps them pass SPF, DKIM, and DMARC authentication checks.
Tricking Defender
This “authentication laundering”, as Microsoft puts it, results in photo-themed ZIP archives making their way directly to their victims. The archives contain Windows shortcut (.LNK) files that, at a glance, appear to be harmless .PNG images. Opening one launches a multi-stage infection chain that installs a persistent Node.js-based implant.
After being deployed, the malware adds Microsoft Defender exclusions for itself (and for other, randomly named executables) so that it is not scanned, downloads additional payloads, and copies itself into several locations on disk.
On compromised systems, Microsoft observed the malware running command-and-control beaconing, gathering environmental information such as the victim's public IP details, launching headless browser sessions, and in some cases forcing immediate system shutdowns. While Microsoft could not say what the goal of the campaign is, the activity is consistent with a reconnaissance stage of the kind that usually precedes a more disruptive malware or ransomware attack.
Microsoft recommends organizations focus on detecting the campaign's behavior rather than individual indicators. Key signs include photo-themed ZIP archives, unusual PowerShell activity, unexpected Node.js execution from user profile directories, .NET compilation initiated by PowerShell, and Defender exclusion changes.
Other signs are randomly named executables running from temporary folders, suspicious Run and RunOnce registry entries, outbound connections on the campaign's non-standard ports, connections to newly registered .cfd domains, and headless browser activity followed by forced shutdown commands.
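The behavioral signals Microsoft lists above, expressed as a small hunt that runs over process, registry and DNS events. This is an added example, not code from Microsoft or TechRadar: the Sysmon-style event schema, the rule names, the 300-second headless-to-shutdown window, and every host name, path, process name and domain in the sample telemetry are constructed for illustration. The article does not name the campaign's ports, so no port rule is included; it is written in Python so it can be run over exported endpoint logs from any platform.

```python
"""Behaviour-based hunt for the hospitality campaign's signals.

Example code only. The events below are constructed to exercise each rule;
they are not real indicators from the campaign.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Finding = Tuple[str, int, str]  # (host, timestamp, rule name)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE = r"C:\Users\frontdesk\AppData\Roaming\npkg\node.exe"  # constructed path

# Constructed sample telemetry: FD-01 shows the chain, FD-02 is benign.
SAMPLE_EVENTS: List[Event] = [
    {"host": "FD-01", "ts": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmd": "powershell.exe -w hidden -ep bypass Add-MpPreference "
     r"-ExclusionPath C:\Users\frontdesk\AppData\Local\Temp -ExclusionProcess qx7k2.exe"},
    {"host": "FD-01", "ts": 2, "type": "process", "parent": PS,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r"csc.exe /noconfig /fullpaths @C:\Users\frontdesk\AppData\Local\Temp\abc.cmdline"},
    {"host": "FD-01", "ts": 3, "type": "process", "parent": PS,
     "image": NODE, "cmd": r"node.exe C:\Users\frontdesk\AppData\Roaming\npkg\app.js"},
    {"host": "FD-01", "ts": 4, "type": "process", "parent": NODE,
     "image": r"C:\Users\frontdesk\AppData\Local\Temp\qx7k2.exe", "cmd": "qx7k2.exe"},
    {"host": "FD-01", "ts": 5, "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
     "data": r"C:\Users\frontdesk\AppData\Local\Temp\qx7k2.exe"},
    {"host": "FD-01", "ts": 6, "type": "dns", "query": "sample-lure.cfd"},
    {"host": "FD-01", "ts": 7, "type": "process", "parent": NODE,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe --headless=new --disable-gpu https://sample-lure.cfd/check"},
    {"host": "FD-01", "ts": 8, "type": "process", "parent": NODE,
     "image": r"C:\Windows\System32\shutdown.exe", "cmd": "shutdown.exe /s /f /t 0"},
    {"host": "FD-02", "ts": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\nodejs\node.exe", "cmd": r"node.exe C:\dev\app\server.js"},
    {"host": "FD-02", "ts": 2, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe https://www.example.com"},
    {"host": "FD-02", "ts": 3, "type": "dns", "query": "www.example.com"},
]

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)
MP_EXCLUSION = re.compile(r"(add|set)-mppreference\b.*-exclusion", re.I)
HEADLESS = re.compile(r"--headless\b")
FORCED_SHUTDOWN = re.compile(r"[/-][sr]\b", re.I)  # shutdown.exe /s or /r
COMPILERS = {"csc.exe", "vbc.exe"}  # .NET compilers spawned by PowerShell
BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe", "firefox.exe"}
SUSPECT_TLDS = (".cfd",)  # the article names .cfd; extend as needed
HEADLESS_TO_SHUTDOWN_WINDOW = 300  # seconds; assumed, tune for your estate


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: Event) -> List[str]:
    img, cmd, parent = str(ev["image"]), str(ev.get("cmd", "")), str(ev.get("parent", ""))
    name, hits = base(img), []
    if name == "node.exe" and USER_PROFILE.search(img):
        hits.append("node_from_user_profile")
    if TEMP_DIR.search(img):
        hits.append("exec_from_temp")
    if name in COMPILERS and base(parent) == "powershell.exe":
        hits.append("powershell_dotnet_compile")
    if MP_EXCLUSION.search(cmd):
        hits.append("defender_exclusion_change")
    return hits


def check_registry(ev: Event) -> List[str]:
    key, data = str(ev["key"]), str(ev.get("data", ""))
    if RUN_KEY.search(key) and (TEMP_DIR.search(data) or USER_PROFILE.search(data)):
        return ["suspicious_run_key"]
    return []


def check_dns(ev: Event) -> List[str]:
    return ["cfd_domain_lookup"] if str(ev["query"]).lower().endswith(SUSPECT_TLDS) else []


def hunt(events: List[Event], window: int = HEADLESS_TO_SHUTDOWN_WINDOW) -> List[Finding]:
    """Apply every rule, plus the headless-browser -> forced-shutdown sequence per host."""
    findings: List[Finding] = []
    last_headless: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: (str(e["host"]), int(e["ts"]))):  # type: ignore[arg-type]
        host, ts, kind = str(ev["host"]), int(ev["ts"]), ev["type"]  # type: ignore[arg-type]
        hits: List[str] = []
        if kind == "process":
            hits += check_process(ev)
            name, cmd = base(str(ev["image"])), str(ev.get("cmd", ""))
            if name in BROWSERS and HEADLESS.search(cmd):
                last_headless[host] = ts  # remember; flag only if a shutdown follows
            elif (name == "shutdown.exe" and FORCED_SHUTDOWN.search(cmd)
                  and host in last_headless and ts - last_headless[host] <= window):
                hits.append("headless_then_shutdown")
        elif kind == "registry":
            hits += check_registry(ev)
        elif kind == "dns":
            hits += check_dns(ev)
        findings += [(host, ts, h) for h in hits]
    return findings


if __name__ == "__main__":
    for host, ts, rule in hunt(SAMPLE_EVENTS):
        print(f"{host} t={ts} {rule}")
```

Each rule is deliberately behavioral rather than hash- or domain-based, which is the point Microsoft makes: a renamed node.exe still runs from a user profile directory, a fresh .cfd lure domain still ends in .cfd, and a headless browser followed within minutes by `shutdown.exe /s` is an unusual sequence whichever binary names are involved. The benign host FD-02 runs Node.js from Program Files and a normal browser session and produces no findings.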

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.