- Microsoft Threat Intelligence warns of a phishing campaign targeting hotel staff in Europe and Asia with emails about guest complaints.
- Attackers abuse services like Calendly and Google redirects to bypass email authentication checks, delivering photo-themed ZIP files that install a persistent Node.js implant.
- The malware disables Defender, runs C2 beacons, collects system information, and forces shutdowns. Signs include unusual PowerShell activity, Node.js execution, and suspicious registry entries.
Hackers are gaining a foothold in hotels and hospitality organizations across Europe and Asia, but no one really knows why, at least not yet.
This is according to Microsoft Threat Intelligence, which recently published a report saying that it has been tracking an active phishing campaign since April. In this campaign, anonymous attackers target front desk and reservation staff with emails about guest complaints, room conditions, bed bug infestations, reservation inquiries, and the like.
Messages, sent in different languages (Danish, Dutch, Japanese), are not distributed directly. Instead, criminals abuse legitimate services like Calendly and Google's redirect infrastructure, which helps the messages pass SPF, DKIM, and DMARC email authentication checks.
Deceive the defender
This “authentication wash,” as Microsoft puts it, results in photo-themed ZIP files reaching their victims directly. The files contain fake image shortcut (.LNK) files that, at first glance, appear to be harmless .PNG images. However, these files start a sophisticated multi-stage infection chain that installs a persistent Node.js-based implant.
After being deployed, the malware modifies Microsoft Defender to exclude itself (and other randomly named executables) from scanned processes, downloads additional payloads, and copies itself to different locations.
On compromised systems, Microsoft observed that the malware ran command and control beacons, collected environment information such as the victim's public IP details, initiated headless browser sessions, and in some cases forced an immediate system shutdown. While the campaign's objective cannot yet be stated, everything points to a reconnaissance stage of the kind that generally precedes a more disruptive malware or ransomware attack.
Microsoft recommends that organizations focus on detecting campaign behavior rather than individual indicators. Key signs include photo-themed ZIP files, unusual PowerShell activity, unexpected Node.js execution from user profile directories, PowerShell-initiated .NET compilation, and Defender exclusion changes.
Additionally, there are random executables running from temporary folders, suspicious Run and RunOnce registry entries, outgoing connections on the campaign’s non-standard ports, connections to newly registered .cfd domains, and combinations of headless browser activity followed by force shutdown commands.
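To show what "detecting campaign behavior rather than individual indicators" looks like in practice, here is an added example (not Microsoft's code, and not tied to any vendor's log schema) that encodes the process- and network-level signs listed above as rules and runs them over a constructed batch of process-creation events. The field names (`image`, `parent`, `cmdline`, `dest_host`, `dest_port`), the hostnames and the file paths are all invented for the example; the registry Run/RunOnce sign and the campaign's specific ports are not modelled because they need a different event type and values the article does not give.

```python
"""Behaviour-based triage of process-creation events for the hotel phishing campaign
described in the article.  Added example, not Microsoft's code.  Each rule encodes one
of the campaign behaviours the report lists; every event record below is constructed."""
import re
from collections import defaultdict

# Constructed sample events.  Field names are an assumption for this example, not a vendor schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\frontdesk\AppData\Roaming\ux\node.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "node.exe main.js", "dest_host": "", "dest_port": 0},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "csc.exe /noconfig /fullpaths @tmp.cmdline", "dest_host": "", "dest_port": 0},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden Add-MpPreference -ExclusionProcess qzx9a.exe",
     "dest_host": "", "dest_port": 0},
    {"image": r"C:\Users\frontdesk\AppData\Local\Temp\qzx9a.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "qzx9a.exe",
     "dest_host": "guest-review-update.cfd", "dest_port": 4443},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\frontdesk\AppData\Roaming\ux\node.exe",
     "cmdline": "chrome.exe --headless=new --disable-gpu https://example.invalid",
     "dest_host": "", "dest_port": 0},
    {"image": r"C:\Windows\System32\shutdown.exe",
     "parent": r"C:\Users\frontdesk\AppData\Roaming\ux\node.exe",
     "cmdline": "shutdown /s /f /t 0", "dest_host": "", "dest_port": 0},
    # Benign control: a developer's system-wide Node.js install must not fire any rule.
    {"image": r"C:\Program Files\nodejs\node.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "node server.js", "dest_host": "", "dest_port": 0},
]

USER_PROFILE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|documents)\\", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"(add|set)-mppreference\s.*-exclusion", re.I)


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Per-event rules: each returns True when the single event shows one campaign sign.
def nodejs_from_user_profile(ev):
    return basename(ev["image"]) == "node.exe" and bool(USER_PROFILE.search(ev["image"]))


def dotnet_compile_from_powershell(ev):
    return (basename(ev["image"]) in {"csc.exe", "vbc.exe"}
            and basename(ev["parent"]) == "powershell.exe")


def defender_exclusion_change(ev):
    return bool(DEFENDER_EXCLUSION.search(ev["cmdline"]))


def exe_from_temp_dir(ev):
    return basename(ev["image"]).endswith(".exe") and bool(TEMP_DIR.search(ev["image"]))


def cfd_domain_connection(ev):
    return ev["dest_host"].lower().endswith(".cfd")


PER_EVENT_RULES = {
    "nodejs_from_user_profile": nodejs_from_user_profile,
    "dotnet_compile_from_powershell": dotnet_compile_from_powershell,
    "defender_exclusion_change": defender_exclusion_change,
    "exe_from_temp_dir": exe_from_temp_dir,
    "cfd_domain_connection": cfd_domain_connection,
}


def headless_then_shutdown(events, window=5):
    """Sequence rule: a headless browser launch followed, within `window` later events,
    by a forced shutdown (shutdown.exe with both /s and /f).  Returns (browser_idx, shutdown_idx) pairs."""
    hits = []
    for i, ev in enumerate(events):
        if "--headless" not in ev["cmdline"].lower():
            continue
        for j in range(i + 1, min(i + 1 + window, len(events))):
            later = events[j]
            tokens = set(later["cmdline"].lower().split())
            if basename(later["image"]) == "shutdown.exe" and {"/s", "/f"} <= tokens:
                hits.append((i, j))
    return hits


def triage(events):
    """Map event index -> list of rule names that fired on it (events with no hits are absent)."""
    findings = defaultdict(list)
    for i, ev in enumerate(events):
        for name, rule in PER_EVENT_RULES.items():
            if rule(ev):
                findings[i].append(name)
    for _, j in headless_then_shutdown(events):
        findings[j].append("headless_browser_then_forced_shutdown")
    return dict(findings)


def rules_hit(events):
    """Sorted set of distinct rule names that fired anywhere in the batch."""
    return sorted({r for rs in triage(events).values() for r in rs})


def campaign_like(events, threshold=3):
    """Escalate on the combination: several distinct campaign behaviours on one host,
    rather than on any single indicator."""
    return len(rules_hit(events)) >= threshold


if __name__ == "__main__":
    for idx, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(idx, basename(SAMPLE_EVENTS[idx]["image"]), names)
    print("campaign-like:", campaign_like(SAMPLE_EVENTS))
```

The point of `campaign_like` is the one Microsoft makes: a Node.js binary under a user profile, a PowerShell-driven C# compile, or a single `.cfd` connection each has benign explanations on its own, but several of them on the same host within a short span is the campaign's shape, and the sequence rule for headless-browser-then-forced-shutdown captures the behaviour that an indicator list cannot. Real deployments would feed this from Sysmon event ID 1 and 3 or an EDR's process telemetry and add the Run/RunOnce registry rule from event ID 13 or equivalent.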