New 'Photo-Zip' Phishing Campaign Leverages 'Authentication Laundering' to Target Hospitality Industry
A sophisticated phishing campaign has been actively targeting hotels and other hospitality organizations across Europe and Asia since April 2026. This campaign employs a novel technique dubbed 'authentication laundering' to bypass email security filters, delivering a **Node.js** implant named **TonRAT** through malicious ZIP files. The ultimate objective of the attackers remains unclear, but the persistent access gained poses a significant threat to front-desk and reservation systems.
An active phishing campaign has been targeting hotel and other hospitality organizations across Europe and Asia since April 2026. This ongoing operation uses photo-themed ZIP files to drop a **Node.js** implant, aiming to compromise front-desk machines.
**Microsoft**, which has been tracking this activity, has not yet attributed the campaign to a known threat actor, and the operators' end goal is still under investigation.
### The Lure: Exploiting Hotel Operations
The phishing emails are built around everyday hotel operations. They arrive with the display name "Booking Manager (via Calendly)" and reference common hotel concerns such as guest complaints, bedbug infestations, room inquiries, health inspections, and stay reviews.
Lures have been observed in Japanese, Danish, and Dutch, with Japanese being the most prevalent. The generic subject lines, lacking specific recipient or property names, suggest a high-volume, list-driven approach rather than tailored spear phishing. The urgency is often reputational, citing complaints, final warnings, or threatened inspections.
### Authentication Laundering: A New Evasion Tactic
The delivery mechanism is particularly noteworthy. Operators route messages through **Calendly**'s email notification system and **Google**'s URL redirect service, a technique **Microsoft** has termed **authentication laundering**. Emails sent via the direct **Calendly** path pass **SPF**, **DKIM**, and **DMARC** checks because they genuinely originate from **Calendly**'s authorized sending infrastructure.
Those checks only establish that the sending infrastructure is authorized for the sender domain; they say nothing about the message's content or intent. A multi-hop chain then guides the victim from a **Calendly** link, through `share.google` and a **Google** redirect, to a freshly registered, **Cloudflare**-fronted `.cfd` domain. The landing page sits behind a **Turnstile** challenge, which also serves as an anti-analysis measure.
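As an added illustration (not code from the Microsoft report or from any vendor named here), the following Python shows why a passing authentication result cannot be the deciding signal: it parses a constructed message, confirms SPF, DKIM and DMARC all pass, then follows the link chain through `share.google` and the Google redirect to a `.cfd` landing page. The message, the redirect map and the `placeholder-landing.cfd` domain are constructed stand-ins, not campaign artifacts.

```python
import email
import re
from email import policy
from urllib.parse import urlparse, parse_qs

# Constructed sample message: addresses and links are synthetic stand-ins, not captured artifacts.
SAMPLE_EML = """\
From: "Booking Manager (via Calendly)" <notifications@calendly.example>
Subject: Final warning: guest complaint about bedbugs
Authentication-Results: mx.hotel.example; spf=pass dkim=pass dmarc=pass
Content-Type: text/plain

Please review the photos here: https://share.google/abc123
"""

# Constructed redirect map standing in for the live hops; a real gateway would follow HTTP 3xx.
REDIRECTS = {
    "https://share.google/abc123": "https://www.google.com/url?q=https://placeholder-landing.cfd/p",
}
HOP_HOSTS = {"share.google", "www.google.com", "calendly.com"}
SUSPECT_TLDS = (".cfd",)

def follow_chain(url, redirects, limit=5):
    """Return the URLs visited, resolving the Google /url?q= redirect locally."""
    chain = [url]
    for _ in range(limit):
        parsed = urlparse(chain[-1])
        if parsed.netloc == "www.google.com" and parsed.path == "/url":
            nxt = parse_qs(parsed.query).get("q", [None])[0]
        else:
            nxt = redirects.get(chain[-1])
        if not nxt:
            break
        chain.append(nxt)
    return chain

def auth_passed(msg):
    # All three passing is the expected state for laundered mail, not a clean bill of health
    ar = str(msg.get("Authentication-Results", ""))
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))

def assess(raw, redirects=REDIRECTS):
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if "via calendly" in str(msg.get("From", "")).lower():
        reasons.append("display name claims a Calendly relay")
    for url in re.findall(r"https?://\S+", msg.get_body().get_content()):
        hosts = [urlparse(u).netloc for u in follow_chain(url, redirects)]
        if hosts[0] in HOP_HOSTS and hosts[-1].endswith(SUSPECT_TLDS):
            reasons.append("laundered chain " + " -> ".join(hosts))
    # The verdict is driven by the chain and the lure, never suppressed by the passing auth result
    return {"auth_pass": auth_passed(msg), "suspicious": bool(reasons), "reasons": reasons}
```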
### The Payload: From LNK to TonRAT
Upon clicking through, the target downloads a file named `photo-<numbers>.zip`. Inside this archive is a shortcut posing as an image, initially `IMG-<numbers>.png.lnk` in the first wave, and later `PHOTO-<numbers>.png.lnk` in the second.

Executing this shortcut launches a **PowerShell** script. The script uses **BigInt** arithmetic to decode an encoded download URL, downloads a `.ps1` file into `%TEMP%`, and then places a legitimate **Node.js v24.13.0** runtime fetched from `nodejs.org` into the user's profile. That runtime executes the **JavaScript** implant, so no system-wide **Node.js** installation is needed.
The implant is tracked as **TonRAT**. It resolves its Command and Control (C2) domains through the **TON blockchain API** and subsequently establishes an encrypted **WebSocket** channel, as reported by **SOC Prime**. This on-the-fly domain fetching renders static blocklists less effective.
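The archive check a mail gateway could apply to the lure described above, written as an added example rather than code from the original reports. The ZIP is built in memory with a synthetic `.lnk`-shaped member that carries only the `0x4C` header-size field every Windows shortcut starts with, so nothing in it is executable; the member names are constructed.

```python
import io
import re
import zipfile

ZIP_NAME = re.compile(r"^photo-\d+\.zip$", re.I)
LNK_LURE = re.compile(r"^(IMG|PHOTO)-\d+\.png\.lnk$", re.I)
LNK_HEADER = b"\x4c\x00\x00\x00"  # Shell Link HeaderSize field (0x4C) that opens every .lnk

def build_sample_zip():
    """Constructed stand-in for the lure archive: a .lnk-shaped blob, not a working shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PHOTO-20260412.png.lnk", LNK_HEADER + b"\x00" * 72)
        zf.writestr("readme.txt", b"constructed filler member")
    return buf.getvalue()

def inspect_attachment(filename, data):
    """Return findings for a ZIP attachment: lure naming and shortcuts posing as images."""
    findings = []
    if ZIP_NAME.match(filename):
        findings.append("photo-<numbers>.zip naming")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["not a valid zip"]
    with zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]
            if not name.lower().endswith(".lnk"):
                continue
            # The double extension (.png.lnk) is the lure; the header read confirms a real shortcut
            kind = "image-named shortcut" if LNK_LURE.match(name) else "shortcut"
            with zf.open(info) as member:
                confirmed = member.read(4) == LNK_HEADER
            findings.append(f"{kind} {name}" + (" (lnk header confirmed)" if confirmed else ""))
    return findings
```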
### Post-Compromise Activity and Remediation
Following a successful compromise, the implant beacons to fixed IP addresses over non-standard ports, including 8443, 8445, 8453, 5555, and 56001 to 56003. Some compromised hosts have also exhibited headless browser automation (`--headless --no-sandbox`), an `ip-api.com` geolocation check, and a forced shutdown via `cmd /c shutdown -s -t 0`. As of now, **Microsoft** has not reported confirmed data theft, ransomware deployment, or named victims.
Effective remediation requires removing both persistence paths: the **RunOnce** entry pointing into `ProgramData` and the **Node.js Run** key, along with the runtime and `.js` files under `AppData\Local\Nodejs`. Removing only one path leaves the other active. During investigation, prioritize reception, reservations, and front-office systems.
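An added triage example, not from the Microsoft, SOC Prime or ITOCHU write-ups, that runs the observables from the two paragraphs above (beacon ports, headless browser flags, the `ip-api.com` check, the forced shutdown, the RunOnce entry into `ProgramData` and the Node.js Run entry) over constructed telemetry lines. Hostnames, file paths and the registry value names `Updater` and `Node.js` are assumptions, as is the reading of "Node.js Run key" as a Run value launching `node.exe` from the user's `AppData\Local\Nodejs` directory.

```python
import re

BEACON_PORTS = {8443, 8445, 8453, 5555} | set(range(56001, 56004))  # ports reported for the beacons
NODE_DIR = re.compile(r"\\AppData\\Local\\Nodejs\\", re.I)

# Constructed telemetry in a simple "type|host|detail" form; hosts, paths and
# registry value names (Updater, Node.js) are invented stand-ins, not real captures.
EVENTS = [
    "net|FRONTDESK-01|203.0.113.10:56002",
    "net|FRONTDESK-01|198.51.100.20:443",
    "proc|FRONTDESK-01|C:\\Users\\fd\\AppData\\Local\\Nodejs\\node.exe C:\\Users\\fd\\AppData\\Local\\Nodejs\\app.js",
    "proc|FRONTDESK-01|chrome.exe --headless --no-sandbox http://ip-api.com/json",
    "proc|FRONTDESK-01|cmd /c shutdown -s -t 0",
    "reg|FRONTDESK-01|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Updater=C:\\ProgramData\\Updater\\run.ps1",
    "reg|FRONTDESK-01|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Node.js=C:\\Users\\fd\\AppData\\Local\\Nodejs\\node.exe",
    "reg|RESERVATIONS-02|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive=C:\\Users\\r\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
]

def classify(line):
    """Map one telemetry line to (host, indicator tags) using the observables above."""
    kind, host, detail = line.split("|", 2)
    tags = []
    if kind == "net":
        if int(detail.rsplit(":", 1)[1]) in BEACON_PORTS:
            tags.append("beacon_port")
    elif kind == "proc":
        if "--headless" in detail and "--no-sandbox" in detail:
            tags.append("headless_browser")
        if "ip-api.com" in detail:
            tags.append("geo_check")
        if re.search(r"shutdown\s+-s\s+-t\s+0", detail):
            tags.append("forced_shutdown")
        if NODE_DIR.search(detail):
            tags.append("userland_node")
    elif kind == "reg":
        key, _, value = detail.partition("=")
        if "\\RunOnce\\" in key and value.lower().startswith("c:\\programdata\\"):
            tags.append("runonce_programdata")
        if "\\Run\\" in key and NODE_DIR.search(value):
            tags.append("run_nodejs")
    return host, tags

def triage(lines):
    # Aggregate per host so front-desk and reservation machines can be prioritised
    findings = {}
    for line in lines:
        host, tags = classify(line)
        findings.setdefault(host, set()).update(tags)
    return findings

def cleanup_targets(tags):
    # Every persistence item seen must be removed in the same pass; leaving one keeps the host owned
    return {t for t in ("runonce_programdata", "run_nodejs", "userland_node") if t in tags}
```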
This campaign is not entirely new. **SOC Prime** and **ITOCHU** previously documented similar hotel phishing tactics and the **LNK-to-PowerShell-to-Node.js** infection chain approximately two weeks prior to **Microsoft**'s report, with findings aligning across these analyses.
Booking-themed phishing targeting hotel staff has been a recurring pattern, including **ClickFix** campaigns that deployed **PureRAT** to steal **Booking.com** credentials.
While the full scope and ultimate intent of these operators remain unknown, the durable access gained and the nuanced cleanup required elevate this beyond a typical booking-themed phishing attempt. IT security professionals in the hospitality sector should remain vigilant and implement robust email security and endpoint detection measures.