Photo ZIP Phishing Campaign Hits Hotels With TonRAT Node.js Implant
Microsoft reported an active phishing campaign targeting hotel and hospitality organizations across Europe and Asia, using booking-, complaint-, and photo-themed emails to pressure recipients into opening malicious ZIP archives. The messages were routed through trusted services including Calendly and Google redirects, and in later activity used Cloudflare-fronted .cfd domains to evade detection. The ZIP files contained fake PNG shortcut (.LNK) files that launched obfuscated PowerShell, then installed a Node.js-based implant Microsoft tracks as TonRAT; Microsoft said the campaign has been active since April and evolved across multiple waves while keeping the same core infrastructure and tradecraft.
On compromised systems, the attackers established persistence through HKCU\Run and HKCU\RunOnce, added Microsoft Defender process exclusions, and staged payloads in Temp and ProgramData, with some later samples dynamically compiling .NET DLLs via csc.exe and cvtres.exe. TonRAT communicated over encrypted WebSockets and used the TON blockchain API for command-and-control domain resolution, while Microsoft also observed beaconing on non-standard ports such as 56001 and 56002, browser automation, geolocation lookups through ip-api.com, and forced shutdown commands. Microsoft has not attributed the activity to a known threat actor or confirmed follow-on ransomware or data theft, but said the operator is investing in obfuscation, persistence, and delivery evasion to maintain access for later actions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes analysis of TonRAT hospitality campaign
On June 25, 2026, Microsoft Threat Intelligence published technical details on the Photo ZIP campaign, including its delivery chain, persistence mechanisms, and post-compromise behavior. Microsoft said it had not attributed the activity to a known threat actor.
Campaign evolves from Wave 1 to Wave 2 with updated delivery tactics
Microsoft observed the intrusion set evolve from Wave 1 to Wave 2 while retaining core infrastructure and behaviors. Changes included PHOTO-prefixed LNK filenames, dynamic .NET DLL compilation via csc.exe and cvtres.exe, and phishing domains fronted by Cloudflare using .cfd domains.
Photo ZIP phishing campaign begins targeting hospitality organizations
Microsoft said an active multi-stage intrusion campaign has targeted hotel and hospitality organizations in Europe and Asia since April 2026. The campaign used phishing emails routed through Calendly and Google redirects to deliver photo-themed ZIP archives containing malicious LNK files that launched PowerShell and installed the Node.js-based TonRAT implant.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Hospitality Sector Hit by Phishing Campaign Using Fake Guest Complaint Emails
securityaffairs.com
Open sourceMicrosoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant
thehackernews.com
Open sourcePhoto ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access | Microsoft Security Blog
microsoft.com
Open sourceBooking website Hotel Phishing Delivers TonRAT via Node.js
socprime.com
Open sourceホテル業界を標的とした不審メールの分析(パート1: キャンペーン概要編) - ITOCHU Cyber & Intelligence Inc.
blog.itochuci.co.jp
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Booking.com ClickFix Phishing Campaign Delivers NetSupport RAT and zgRAT
Attackers are impersonating **Booking.com** pages in an ongoing **ClickFix** phishing campaign targeting the hospitality sector, tricking users into opening the Windows Run dialog and pasting attacker-supplied PowerShell that installs remote-access malware. Recent waves used Booking.com-branded lures such as `secure-extranet[.]com`, redirectors including `jskeowgo[.]com`, and additional phishing subdomains aimed at hotel staff, with some activity specifically targeting Italian-speaking users. Researchers observed multiple payload paths: one chain deployed **NetSupport RAT** through a large PowerShell stage that unpacked 14 base64-encoded components and then opened the legitimate Booking.com site to preserve the pretext, while another used staged loaders, ZIP delivery, and DLL sideloading via a legitimate `psl.exe` binary to install **zgRAT** and **PureHVNC**. The malware provided full remote-control capability, including shell access, file transfer, keylogging, screen capture, and webcam or audio access, and established persistence through mechanisms such as Startup-folder shortcuts and `HKCU\Run` keys like `SystemUpdate_<VID>`. Infrastructure linked to the activity included freshly registered domains obtained in batches through Chinese and Hong Kong registrars, rotating download servers, telemetry endpoints that tracked installation progress per victim, and command-and-control systems hosted across providers in Frankfurt, Russia-linked environments, and a likely bulletproof-hosting setup tied to a newly created autonomous system. Investigators also found OPSEC clues including an exposed RDP certificate leaking the hostname `WIN-FLJTJKL01VM`, a PDB path referencing `C:\Users\Administrator\Desktop\HTCTL32\`, and malware signed with a stolen `*.dodo.com` wildcard certificate, supporting clustering of the campaign as a financially motivated cybercrime operation using commodity RAT tooling.
May 25, 2026
Phishing Campaigns Abuse Trusted Platforms and Tools to Deliver Remote Access Malware
Multiple reports describe **phishing-led malware delivery** that abuses trusted services and “living off the land” execution paths to evade controls and deploy remote access tooling. Cloudflare-tracked activity shows attackers using **Vercel-hosted** pages to lend legitimacy to malicious links and bypass email/security filtering, with lures themed around invoices, payments, shipping, and document portals; the infrastructure includes **Telegram-based filtering** and browser fingerprinting/conditional delivery to hinder researchers and sandboxes before serving payloads that install a **remote access tool (RAT)**. A separate campaign (tracked as **PHALT#BLYX**) targets hospitality staff with Booking[.]com-style reservation emails and uses a **fake browser error + fake BSOD** to coerce victims into running the **ClickFix** technique (Win+R paste/execute), launching PowerShell that pulls malicious project files and executes them via **`MSBuild.exe`** to deliver **DCRat**, consistent with **LOLBins**-based evasion; researchers noted Russian-language artifacts in the malware. Broader weekly/newsletter roundups also highlight the same risk theme—attackers increasingly blend social engineering with trusted infrastructure and tools—while mixing in unrelated items (e.g., firewall CVEs, general malware research links) that are not part of a single, specific incident narrative.
Apr 15, 2026
Phishing Campaigns Deliver Remcos RAT via Obfuscated Scripts and Trusted Services
Researchers reported multiple **Remcos RAT** campaigns using phishing emails and trusted infrastructure to infect victims while evading detection. In one intrusion chain, a ZIP attachment named `MV MERKET COOPER SPECIFICATION.zip` delivered an obfuscated JavaScript file that fetched a PowerShell loader from `almacensantangel[.]com`; the loader then reconstructed and decrypted payloads in memory, including `ALTERNATE.dll` and `Cqeqpvzeia.exe`. The malware injected into the legitimate Microsoft .NET utility `aspnet_compiler.exe`, communicated with `192[.]3[.]27[.]141:8087`, and stored captured keystrokes and other data in `C:\ProgramData\remcos\logs.dat`, leaving few disk artifacts. A separate campaign used phishing emails that linked to a fake Google Drive sharing page hosted through **Google Cloud Storage** and the trusted `googleapis.com` domain, helping the attack bypass email and web filtering. After user interaction, the infection chain used staged JavaScript redirects or downloads, followed by VBScript or PowerShell execution to retrieve the final Remcos payload, which was then injected into a legitimate Windows process through **process hollowing**, persisted via Windows Registry entries, and opened encrypted command-and-control channels. The activity underscores how attackers are combining living-off-the-land techniques, trusted cloud services, obfuscated scripting, and legitimate Windows binaries to deploy Remcos for surveillance and data theft.
Apr 25, 2026