Node.js TonRAT campaign abusing Calendly in hotel phishing

CyberSecureFox Editorial Team

Since April 2026, an active phishing campaign has been targeting hotel organizations in Europe and Asia, using archives with “photos” to deliver a JavaScript implant to reception and front-office workstations. According to Microsoft, the campaign abuses legitimate Calendly and Google infrastructure to bypass email authentication, and the operators’ ultimate goal has not yet been established — there are no confirmed cases of data theft or ransomware deployment. The lack of attribution to a known group and the unclear final stage make this threat particularly concerning for the hospitality industry.

Delivery mechanism: “authentication laundering”

The phishing emails use the display name “Booking Manager (via Calendly)” and exploit typical pain points of the hotel business: guest complaints, reports about bedbugs, booking requests, threats of health inspections, and negative reviews. Messages have been observed in Japanese, Danish, and Dutch, with Japanese predominating. The email subject line does not contain the recipient’s name or the property name, which indicates a mass mailing to lists rather than targeted spear-phishing.

The key technical feature is what Microsoft has called authentication laundering. The messages are routed through Calendly’s notification system, allowing them to pass SPF, DKIM, and DMARC checks: the emails are in fact sent from authorized infrastructure. Authentication protocols confirm that the sender is allowed to send mail, but say nothing about the intent of the message. This is a fundamental gap that the campaign operators deliberately exploit.

The victim is then led through a multi-step redirect chain: Calendly link → share.google → Google redirect → a newly registered domain in the .cfd zone, protected by Cloudflare. The landing page uses Cloudflare Turnstile, which simultaneously serves as protection against automated analysis.

Infection chain: from ZIP to Node.js implant

After passing the CAPTCHA, the victim downloads an archive named photo-<numbers>.zip. Inside is a Windows shortcut masquerading as an image: in the first wave, IMG-<numbers>.png.lnk, and in the second wave, PHOTO-<numbers>.png.lnk.

Opening the LNK file launches a PowerShell script that:

  • Uses BigInt arithmetic to decode a hidden download URL
  • Writes an intermediate .ps1 script to the %TEMP% directory
  • Downloads the legitimate Node.js v24.13.0 runtime from nodejs.org into user space
  • Runs the JavaScript implant via the downloaded runtime without needing a system-wide Node.js installation

Using a legitimate runtime is a deliberate choice: the Node.js binary is signed and does not trigger antivirus detections, while all malicious logic is concentrated in the JavaScript code.

TonRAT implant and command infrastructure

The implant, which SOC Prime tracks as TonRAT, uses an unconventional approach to resolving command server addresses: C2 domains are retrieved via the TON blockchain API, after which an encrypted communication channel is established over WebSocket. Dynamic retrieval of C2 addresses makes static blocklists largely ineffective — operators can change their command infrastructure by updating records on the blockchain.

After compromise, the implant connects to fixed IP addresses over non-standard ports: 8443, 8445, 8453, 5555 and the range 56001–56003. On some infected hosts, additional activity has been observed:

  • Automation of a headless browser with the parameters --headless --no-sandbox
  • Geolocation checks via ip-api.com
  • Forced system shutdown with the command cmd /c shutdown -s -t 0

Browser automation may indicate preparation for stealing booking sessions or credentials from web interfaces of hotel management systems, although Microsoft has not confirmed specific exploitation scenarios.

Context and timeline

The campaign was first documented about two weeks before Microsoft’s publication: ITOCHU and SOC Prime described a similar infection chain — from hotel-themed phishing via an LNK file to PowerShell and then to a Node.js implant. Microsoft confirmed that its findings are consistent with these reports.

Booking-themed phishing aimed at hotel staff is a persistent pattern in the threat landscape. However, this campaign stands out from typical schemes: the use of blockchain for C2 resolution, deployment of a full runtime in user space, and dual persistence mechanisms all point to a higher level of operator sophistication.

Impact assessment

Reception, booking, and front-office systems at hotel properties are at the greatest risk — these are the workstations that process incoming guest requests and are most likely to open a “photo” attached to a complaint. Compromise of such systems can potentially expose guest personal data, payment information, and hotel management system accounts.

The absence of a confirmed final attack stage does not reduce the severity of the threat — it means that the operators have either not yet activated their final payload, or their actions remain undetected. Persistent access to hotel systems can be monetized in many ways: from theft of credit card data to selling access to other groups.

Detection and remediation recommendations

To fully eliminate the threat, it is necessary to remove both persistence mechanisms — deleting only one leaves the other active:

  1. Delete the RunOnce registry entry pointing to the ProgramData directory
  2. Delete the Run registry key for Node.js
  3. Delete the runtime and .js files from the AppData\Local\Nodejs directory
  4. Check for outbound connections on ports 8443, 8445, 8453, 5555, 56001–56003
  5. Identify Node.js processes launched from user directories rather than standard installation paths
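Added example, not code from the article, Microsoft or SOC Prime: a PowerShell triage script that runs the five checks above on a single Windows host. The port numbers and directory names are taken from the article; the match patterns, the function name and the output format are assumptions.

```powershell
# Added triage script (assumed structure, not from the article or the vendors it cites).
# Ports and directories come from the article; regex patterns and output format are assumptions.
$Ports   = @(8443, 8445, 8453, 5555, 56001, 56002, 56003)
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Type, $Where, $Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# Steps 1 and 2: Run/RunOnce values pointing into ProgramData or launching a Node.js binary or .js file
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $ProviderProps) { continue }   # skip registry provider metadata
        if ("$($p.Value)" -match 'ProgramData|\bnode(\.exe)?\b|\.js\b') {
            Add-Finding 'Autorun' "$key\$($p.Name)" $p.Value
        }
    }
}

# Step 3: runtime and scripts dropped under %LOCALAPPDATA%\Nodejs
$NodeDir = Join-Path $env:LOCALAPPDATA 'Nodejs'
if (Test-Path $NodeDir) {
    Get-ChildItem -Path $NodeDir -Recurse -File -Include 'node.exe', '*.js' |
        ForEach-Object { Add-Finding 'File' $_.FullName "$($_.Length) bytes" }
}

# Step 4: established connections to the listed ports, with the owning process path
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in $Ports } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'Network' "$($_.RemoteAddress):$($_.RemotePort)" $proc.Path
    }

# Step 5: node.exe running from a user profile instead of a standard install path
Get-Process -Name node -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$env:USERPROFILE*" } |
    ForEach-Object { Add-Finding 'Process' "PID $($_.Id)" $_.Path }

if ($Findings.Count -eq 0) { 'No TonRAT artifacts found.' } else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so the HKLM keys and other users' processes are visible; review each finding before deleting anything, since the autorun pattern can also match legitimate Node.js tooling.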

For preventive protection:

  • Block execution of LNK files from ZIP archives at the security policy level
  • Configure monitoring for PowerShell launches from explorer.exe processes with arguments containing BigInt operations
  • Restrict outbound connections from front-office workstations to domains in the .cfd zone and to non-standard ports
  • Train reception and booking staff to recognize phishing that masquerades as Calendly notifications

Priority checks should cover all reception, booking, and front-office workstations for the presence of the described artifacts — these systems are the primary targets of the campaign. Given that the emails pass standard email authentication checks, hospitality organizations should consider additional filtering rules for inbound Calendly notifications that contain links redirecting via Google to domains in the .cfd zone.
