
Hotel Phishing Campaign Drops TonRAT Node.js Malware


Your front desk receives an email. It looks like it came from Calendly. The display name says "Booking Manager." The subject mentions a guest complaint. There's a link to view photos.

Your staff clicks it. They download a ZIP file. They open what looks like an image. It's not an image. It's a shortcut that installs a Node.js backdoor.

The campaign, which targets hotels and other hospitality businesses in Europe and Asia, began in April 2026. It delivers a Node.js implant through ZIP attachments that pose as photos.

The implant persists on front-desk machines. What the attackers want remains unknown.

The Lure: Hotel-Specific Temptation

The phishing attack against hotels employs lures that directly target hotel operations. The sender display name reads "Booking Manager (via Calendly)."

The subjects are:

1. Complaints from customers
2. Bed bug infestations
3. Concerns regarding rooms
4. Inspections
5. People’s experiences during their stay

It’s reputation-based pressure. Complaints. Warnings. Inspection threats. Hotel workers are taught to take these seriously.

The lures come in Japanese, Danish, and Dutch, with Japanese being the most common. The subject lines name no recipient or property. This points to high-volume, list-driven sending rather than tailored spear phishing.

Authentication Laundering: The Delivery Trick

The hotel phishing campaign uses a clever delivery mechanism that Microsoft calls authentication laundering. The operators route messages through Calendly's email notification system and Google's URL redirect service.

Emails sent through the direct Calendly path pass SPF, DKIM, and DMARC. They really are sent from authorized infrastructure. The security checks confirm the sender is allowed to send. They say nothing about what the message is for.

The multi-hop chain walks the victim through:

1. A Calendly link
2. A share.google link
3. A Google redirect
4. A freshly registered, Cloudflare-fronted .cfd domain

That domain sits behind a Turnstile challenge that doubles as anti-analysis. It filters out automated scanners and researchers.

The Infection Chain

Click through, and the target downloads a file named photo-<numbers>.zip. Inside is a shortcut posing as an image. The first wave used IMG-<numbers>.png.lnk. The second wave used PHOTO-<numbers>.png.lnk.

Opening the shortcut fires PowerShell. The script uses BigInt arithmetic to decode a hidden download URL. It pulls another PowerShell script to %TEMP%. That script drops a legitimate Node.js v24.13.0 runtime from nodejs.org into user space. No system-wide Node install is needed.

The implant is tracked as TonRAT. It resolves its C2 domains through the TON blockchain API, then opens an encrypted WebSocket channel. Fetching domains on the fly makes static blocklists less useful.

What the Malware Does

After the compromise, the implant beaconed to fixed IPs over non-standard ports:

8443
8445
8453
5555
56001 to 56003

Some hosts also showed:

1. Headless browser automation (--headless --no-sandbox)
2. An ip-api.com geolocation check
3. A forced shutdown via cmd /c shutdown -s -t 0

The full capabilities of the hotel phishing campaign's implant are still being analyzed. What is clear is that the attackers have persistent access to front-desk machines.
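The behaviours listed above (beaconing to fixed non-standard ports, headless browser automation, the ip-api.com lookup, the forced shutdown, and Node.js running from a user profile) are all visible in ordinary endpoint and firewall telemetry. The PowerShell below is an added detection example, not code from the article or from Microsoft's report. The CSV log format, the host names, and the IP addresses in it are constructed for the example; map the column names to whatever your EDR or firewall export uses.

```powershell
# Added example: flag TonRAT-style indicators in endpoint telemetry.
# Log schema (constructed for this example): timestamp,host,process,cmdline,dst_host,dst_port

# Beacon destination ports reported in the article.
$BeaconPorts = @(8443, 8445, 8453, 5555, 56001, 56002, 56003)

# Constructed sample telemetry: a mix of benign and suspicious events.
$SampleLog = @'
timestamp,host,process,cmdline,dst_host,dst_port
2026-04-14T08:01:12Z,FRONTDESK-01,node.exe,"C:\Users\fd\AppData\Local\Nodejs\node.exe agent.js",203.0.113.10,8443
2026-04-14T08:01:15Z,FRONTDESK-01,chrome.exe,"chrome.exe --headless --no-sandbox --disable-gpu",,
2026-04-14T08:01:20Z,FRONTDESK-01,node.exe,"C:\Users\fd\AppData\Local\Nodejs\node.exe agent.js",ip-api.com,80
2026-04-14T08:02:00Z,FRONTDESK-02,outlook.exe,"OUTLOOK.EXE",outlook.office365.com,443
2026-04-14T08:05:33Z,FRONTDESK-01,cmd.exe,"cmd /c shutdown -s -t 0",,
2026-04-14T08:06:01Z,FRONTDESK-02,svchost.exe,"svchost.exe -k netsvcs",198.51.100.7,56002
'@

function Find-TonRatIndicators {
    param([Parameter(Mandatory)][string]$LogText)

    $events = $LogText | ConvertFrom-Csv
    $findings = foreach ($e in $events) {
        $reasons = @()

        # Outbound connection to one of the reported beacon ports.
        if ($e.dst_port -and [int]$e.dst_port -in $BeaconPorts) {
            $reasons += "outbound to beacon port $($e.dst_port)"
        }
        # Headless browser automation as described in the article.
        if ($e.cmdline -match '--headless' -and $e.cmdline -match '--no-sandbox') {
            $reasons += 'headless browser automation'
        }
        # Geolocation check against ip-api.com.
        if ($e.dst_host -eq 'ip-api.com') {
            $reasons += 'ip-api.com geolocation check'
        }
        # Forced shutdown via cmd.
        if ($e.cmdline -match 'shutdown\s+-s\s+-t\s+0') {
            $reasons += 'forced shutdown'
        }
        # Node.js runtime launched from a user profile is worth a look on its own.
        if ($e.process -ieq 'node.exe' -and $e.cmdline -match '\\AppData\\Local\\Nodejs\\') {
            $reasons += 'Node.js runtime in user space'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.timestamp
                Host    = $e.host
                Process = $e.process
                Reasons = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# Run over the constructed sample; in practice pipe in your own export.
Find-TonRatIndicators -LogText $SampleLog | Format-Table -AutoSize
```

On the sample above, every FRONTDESK-01 event and the svchost.exe connection on FRONTDESK-02 are flagged, while the Outlook connection on 443 is not. Treat the port list as a starting point: the article notes that the implant resolves C2 domains at runtime, so a hit on a beacon port should trigger a look at the process that made the connection, not just a block.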

Why This Matters

Hotels are unique targets. Front-desk machines handle:

1. Guest check-ins and check-outs
2. Credit card processing
3. Booking platform credentials
4. Guest personal information
5. Room access systems

A compromise at the front desk is a compromise of the entire guest experience. The attackers can see everything that happens at check-in.

The hotel phishing campaign has not been attributed to a known threat actor. The operators' end goal is still unclear. Microsoft has not reported confirmed data theft, ransomware, or named victims.

Remediation: Hit Both Persistence Paths

Full remediation of the hotel phishing campaign has to hit both persistence paths:

1. The RunOnce entry pointing into ProgramData
2. The Node.js Run key under AppData\Local\Nodejs

Pulling one leaves the other alive. The runtime and .js files under AppData\Local\Nodejs must also be removed.

Reception, reservations, and front office systems are the first places to look.

Similar Campaigns

The hotel phishing campaign is not brand new. Other researchers documented the same hotel lures and the same LNK-to-PowerShell-to-Node.js chain about two weeks earlier.

Booking-themed phishing aimed at hotel staff has been a recurring pattern. Previous campaigns included ClickFix operations that dropped PureRAT to steal Booking.com logins.

The Unanswered Question

What none of the reports can answer yet is what these operators want. The access is durable. The cleanup is easy to get wrong. The final payload has not been pinned down.

That is enough to treat this as more than another booking-themed phish.

What to Do

If you run a hotel or hospitality organization, take these steps:

1. Train front desk staff to recognize booking-themed phishing emails
2. Block LNK files at the email gateway
3. Monitor for Node.js installations in user space
4. Check for RunOnce entries pointing to ProgramData
5. Look for Node.js Run keys under AppData\Local\Nodejs
6. Review outbound connections to non-standard ports (8443, 8445, 8453, 5555, 56001-56003)
7. Monitor for headless browser processes
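Steps 3 to 5 above, and the two persistence paths in the Remediation section, can be checked with a read-only hunt on the host. The PowerShell below is an added example and is not code from the article or from Microsoft's report. The article does not publish the registry value names the implant uses, so the script matches only on the locations it does give: RunOnce values pointing into ProgramData, and Run or RunOnce values and files under AppData\Local\Nodejs. The assumption that the Run value's command line contains that path is mine. The script reports findings; it deletes nothing.

```powershell
# Added example: hunt for TonRAT-style persistence on a Windows host (read-only).

function Get-TonRatPersistence {
    [CmdletBinding()]
    param()

    $hits = New-Object System.Collections.Generic.List[object]

    # Autostart keys for the current user and the machine.
    # HKCU only covers the user running the script; see the note below.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            $value  = [string]$p.Value
            $reason = $null
            if ($key -like '*RunOnce' -and $value -match '(?i)\\ProgramData\\') {
                $reason = 'RunOnce entry pointing into ProgramData'
            } elseif ($value -match '(?i)\\AppData\\Local\\Nodejs\\') {
                # Assumption: the Run value's command line references the Nodejs folder.
                $reason = 'Run/RunOnce entry launching from AppData\Local\Nodejs'
            }
            if ($reason) {
                $hits.Add([pscustomobject]@{
                    Type     = 'Registry'
                    Location = "$key\$($p.Name)"
                    Detail   = $value
                    Reason   = $reason
                })
            }
        }
    }

    # User-space Node.js runtime: check every local profile, not only the current user.
    $profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
    foreach ($prof in $profiles) {
        $nodeDir = Join-Path $prof.FullName 'AppData\Local\Nodejs'
        if (-not (Test-Path $nodeDir)) { continue }
        $files = Get-ChildItem -Path $nodeDir -Recurse -File -Include 'node.exe', '*.js' -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $hits.Add([pscustomobject]@{
                Type     = 'File'
                Location = $f.FullName
                Detail   = "$([math]::Round($f.Length / 1KB)) KB, modified $($f.LastWriteTime)"
                Reason   = 'Node.js runtime or script in user space'
            })
        }
    }

    return $hits
}

$findings = @(Get-TonRatPersistence)
if ($findings.Count -eq 0) {
    Write-Output 'No TonRAT-style persistence found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in the context of the front-desk user, or load other users' NTUSER.DAT hives and extend the key list to HKU, since a RunOnce value in another user's hive is invisible to HKCU. Confirm both a registry hit and a file hit before calling a machine clean: as the article says, removing one persistence path and leaving the other keeps the implant alive.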

The Bottom Line

The hotel phishing campaign is active, targeted, and designed to bypass email security. Calendly and Google redirects. LNK files disguised as images. Node.js implants running in user space. TON blockchain C2 resolution.

The attackers know how hotels work. They know what front desk staff will click. And they have built an implant that is hard to detect and hard to remove.

Check your front desk machines. Look for Node.js in user space. And ask yourself: when was the last time you verified a guest complaint before clicking the link?

FAQ Section

What is the hotel phishing campaign?

It is an active phishing campaign targeting hotels and hospitality organizations across Europe and Asia. Attackers use photo-themed ZIP files to drop a Node.js implant.

How does the attack work?

The email comes through Calendly and Google redirects. The victim downloads a ZIP file containing an LNK file posing as an image. Opening it installs Node.js and the TonRAT implant.

What is authentication laundering?

It is the use of legitimate services such as Calendly to deliver email to the target. The messages pass SPF, DKIM, and DMARC because they are sent from authorized infrastructure.

What is TonRAT?

TonRAT is a Node.js implant that resolves its C2 domains through the TON blockchain API and then opens encrypted WebSocket connections.

How do I solve the problem?

Remove the RunOnce registry entry that points into ProgramData and the Node.js Run registry key under AppData\Local\Nodejs, then delete the runtime and .js files from that folder.

Which sectors face the attacks?

The hotel and hospitality industry.

Source: The Hacker News