- Microsoft Threat Intelligence Warns of Phishing Campaign Targeting Hotel Staff in Europe and Asia Using Guest Complaint-Themed Emails
- Attackers abuse services like Calendly and Google redirects to bypass authentication checks and deliver photo-themed ZIP files that install a persistent Node.js implant
- Malware disables Defender, runs C2 beaconing, collects system information and forces shutdowns; signs include unusual PowerShell activity, Node.js execution, and suspicious registry entries
Hackers are establishing a foothold in hotels and hospitality organizations across Europe and Asia, but no one really knows for what, at least not yet.
This is according to Microsoft Threat Intelligence, which recently published a new report saying that since April it has tracked an active phishing campaign. In this campaign, the unnamed attackers target front desk and reservation staff with emails about guest complaints, room conditions, bed bug infestations, booking inquiries, and the like.
The messages, sent in different languages (Danish, Dutch, Japanese), are not distributed directly. Instead, the crooks abuse legitimate services such as Calendly and Google’s redirect infrastructure, which helps the emails pass SPF, DKIM, and DMARC authentication checks.
Tricking Defender
This “authentication laundering,” as Microsoft puts it, results in photo-themed ZIP archives coming directly to their victims. The archives contain fake image shortcut (.LNK) files that at first appear to be harmless .PNG images. However, these files launch a sophisticated multi-stage infection chain that installs a persistent Node.js-based implant.
After being deployed, the malware adjusts Microsoft Defender to exclude itself (and other randomly named executables) from scanned processes, downloads additional payloads, and copies itself to various locations.
On compromised systems, Microsoft observed that the malware ran command-and-control beaconing, collected environmental information such as the victim’s public IP details, launched headless browser sessions and, in some cases, forced immediate system shutdowns. While Microsoft couldn’t say what the goal of the campaign is, the activity points to a reconnaissance stage that usually comes before a more disruptive malware or ransomware attack.
Microsoft recommends that organizations focus on discovering campaign behavior rather than individual indicators. Key signs include photo-themed ZIP archives, unusual PowerShell activity, unexpected Node.js execution from user profile libraries, .NET compilation initiated by PowerShell, and Defender exclusion changes.
Additionally, there are random executables running from temporary directories, suspicious Run and RunOnce registry entries, outgoing connections on the campaign’s non-default ports, connections to newly registered .cfd domains, and combinations of headless browsing activity followed by forced shutdown commands.
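To show how the behaviour-first guidance above can be applied in practice, here is an added example (not Microsoft's detection logic, and not code from the report) that scores constructed endpoint events against several of the listed signs and only escalates when more than one behaviour is seen on the same host. The event schema, the hypothetical paths and the assumption that PowerShell-initiated .NET compilation appears as powershell.exe spawning csc.exe are all mine.

```python
"""Behaviour-based triage of endpoint events for the campaign signs listed above (added
example, not Microsoft's logic; event schema assumed, sample records constructed)."""
import re

USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
EXCLUSION_CMD = re.compile(r"(Set|Add)-MpPreference\s.*-Exclusion", re.I)

def node_from_profile(e):  # Node.js launched out of a user profile directory
    img = e.get("image", "").lower()
    return e["type"] == "process" and img.endswith("\\node.exe") and bool(USER_PROFILE.match(img))

def powershell_compiles_dotnet(e):  # assumes Add-Type shows as powershell.exe -> csc.exe
    return e["type"] == "process" and e["parent"].lower() == "powershell.exe" \
        and e["image"].lower().endswith("\\csc.exe")

def defender_exclusion_change(e):  # Defender exclusion added from a command line
    return e["type"] == "process" and bool(EXCLUSION_CMD.search(e["cmd"]))

def exe_from_temp(e):  # executable running out of a temporary directory
    return e["type"] == "process" and e["image"].lower().endswith(".exe") \
        and bool(TEMP_DIR.search(e["image"]))

def run_key_persistence(e):  # Run/RunOnce autostart entry written
    return e["type"] == "registry" and bool(RUN_KEYS.search(e["key"]))

RULES = (node_from_profile, powershell_compiles_dotnet, defender_exclusion_change,
         exe_from_temp, run_key_persistence)

def triage(events, min_rules=2):
    """Return (rules that fired, escalate?). Escalation needs a combination of
    behaviours, not one indicator, matching the campaign-level guidance above."""
    hits = sorted({r.__name__ for e in events for r in RULES if r(e)})
    return hits, len(hits) >= min_rules

# Constructed sample telemetry from one endpoint; paths and names are invented.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "cmd": "",
     "image": r"C:\Users\frontdesk\AppData\Local\Temp\a8f3k2.exe"},
    {"type": "process", "parent": "powershell.exe", "cmd": "node.exe loader.js",
     "image": r"C:\Users\frontdesk\AppData\Roaming\nodejs\node.exe"},
    {"type": "process", "parent": "powershell.exe", "cmd": "csc.exe /noconfig",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"type": "process", "parent": "cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -Command Add-MpPreference -ExclusionPath C:\\Users\\frontdesk"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "Updater", "data": r"C:\Users\frontdesk\AppData\Local\Temp\a8f3k2.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` on the constructed host fires all five rules and escalates, while a single temp-directory executable on its own is recorded but not escalated.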