Active Phishing Campaign Exploits Calendly and Photo ZIP Files to Target Hotels with Node.js Malware – Microsoft Alerts Hospitality Sector

Executive Summary

Microsoft has warned of a sophisticated phishing campaign that is actively targeting the hospitality sector, specifically hotels, across Europe and Asia. The campaign delivers photo-themed ZIP archives via phishing emails; each archive contains a shortcut (LNK) file disguised as an image, and opening it launches obfuscated PowerShell that installs a Node.js-based implant for persistent access and further exploitation. The attack chain is notable for its abuse of legitimate services such as Calendly and Google redirects, its multi-layer PowerShell obfuscation, and a dual persistence mechanism that complicates remediation. The campaign, observed since April 2026, shows strong operational security and adaptability, with rapid infrastructure rotation and evolving payload delivery techniques. There is currently no public attribution to a known advanced persistent threat (APT) group, but the campaign’s sophistication and targeting suggest a well-resourced adversary. Organizations in the hospitality sector should act on the mitigations below without delay.

Threat Actor Profile

The threat actors behind this campaign remain unattributed as of June 2026. Their operational sophistication is evidenced by the use of legitimate third-party services for initial delivery, rapid domain and infrastructure rotation, and advanced scripting techniques for payload obfuscation and persistence. The campaign’s targeting of hotels and related organizations in Europe and Asia, combined with multilingual lures and region-specific social engineering, indicates a high degree of reconnaissance and intent to maximize infection rates within the hospitality vertical. The actors demonstrate a strong understanding of Windows internals, leveraging both PowerShell and .NET for loader stages, and deploying a custom Node.js-based implant for cross-platform flexibility and stealth.

Technical Analysis of Malware/TTPs

The attack chain begins with phishing emails crafted to appear as legitimate notifications from Calendly, often referencing guest complaints, booking issues, or urgent room inquiries. These emails are sent via Calendly’s notification infrastructure and employ Google URL redirects to obfuscate the final payload delivery domain. The emails contain links to ZIP files with names such as photo-<random>.zip, which are hosted on rapidly changing, Cloudflare-protected domains themed around photos, documents, or safes.

The ZIP archive contains a shortcut file (IMG-<random>.png.lnk or PHOTO-<random>.png.lnk) masquerading as an image; because Windows always hides the .lnk extension, the user sees only a .png name. When the shortcut is opened, it launches heavily obfuscated PowerShell code. The code employs multiple layers of obfuscation, including XOR, subtraction and modulo arithmetic, randomized variable names and decoding loops, to evade static and dynamic analysis. The initial PowerShell script decodes and downloads a secondary PowerShell payload, which in the second wave of attacks compiles a .NET DLL on the fly using csc.exe and cvtres.exe. A csc.exe process spawned by powershell.exe is rare on a front-desk workstation and is a useful hunt signal for this stage.

The next stage downloads a portable Node.js runtime (node-v24.13.0-win-x64) and a malicious JavaScript payload. The implant runs from a user-writable path (%AppData%\Local\Nodejs\), so the attack requires neither administrative rights nor a pre-existing system installation of Node.js. Persistence is established through two registry values in the current user hive: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, which launches the Node.js implant, and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, which launches a PE payload in C:\ProgramData\<random>\<payload>.exe. Windows deletes a RunOnce value before executing it, so the implant re-creates the entry after each run; a point-in-time check of the key can therefore miss it, and cleanup must remove both entries together with the files they point to.

For defense evasion, the implant adds Microsoft Defender exclusions for its executables in %TEMP% and %AppData%, and uses silent installer helpers (is-*.tmp with /SL5 or /VERYSILENT) to unpack or execute additional payloads; these file names and switches are characteristic of Inno Setup installers, so the helper is a legitimate installer stub being driven silently rather than custom tooling. Command and control (C2) traffic uses non-standard ports (8443, 8445, 8453, 5555, 56001, 56002, 56003) to short-lived domains, often fronted by Cloudflare. Post-compromise activity includes C2 beaconing, browser automation with headless Chrome flags, environment lookups via ip-api[.]com, and forced system shutdowns using cmd /c shutdown -s -t 0.

Exploitation in the Wild

This campaign has been observed actively targeting hotels, front desk operations, reservations, and reception staff in Europe and Asia. The use of region-specific languages (Japanese, Danish, Dutch) and contextually relevant lures (guest complaints, bedbug reports, room inquiries) has resulted in successful initial access in multiple organizations. The attackers’ use of legitimate services for delivery and rapid infrastructure rotation has enabled them to bypass traditional email and web filtering solutions. Impacted organizations have reported persistent access, ongoing C2 beaconing, and forced shutdowns, with the potential for further payload delivery and lateral movement within compromised environments. There is no evidence of data exfiltration or ransomware deployment at this stage, but the presence of a modular Node.js implant suggests the capability for additional post-exploitation activity.

Victimology and Targeting

The primary victims of this campaign are organizations in the hospitality sector, specifically hotels and their associated front desk, reservations, and reception operations. The campaign’s geographic focus is on Europe and Asia, with observed lures tailored to local languages and cultural contexts. The attackers demonstrate a clear understanding of hotel business processes and leverage this knowledge to craft convincing phishing emails that increase the likelihood of user interaction. There is no indication that other sectors are being targeted at this time, but the techniques employed could be adapted for use against other industries with similar operational structures.

Mitigation and Countermeasures

Organizations are strongly advised to implement the following countermeasures. All known indicators of compromise (IOCs), including IP addresses, domains, and file hashes, should be blocked and monitored at the network and endpoint levels. Security teams should hunt for values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce that reference node.exe or an executable in C:\ProgramData\<random>\, and should investigate PowerShell activity involving BigInt arithmetic, obfuscated decoders, and subsequent downloads, as well as csc.exe spawned by powershell.exe. Alerts should fire on node.exe executing from %AppData%\Local\Nodejs\ with a random .js file, on the addition of Microsoft Defender exclusions for executables in %TEMP% or %AppData% (for example via Add-MpPreference -ExclusionPath), and on outbound connections from that node.exe to the C2 ports listed above.
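The following is an added example, not code from Microsoft or Rescana, that turns the persistence, defense-evasion and hunting points above (the Run/RunOnce entries, the Node.js implant path, the Defender exclusions, the Inno Setup helper, headless browser, forced shutdown and C2 ports) into rule logic over Sysmon-style endpoint events. The event records, user name, SIDs and file names are constructed for the demo; the field names (EventID, Image, CommandLine, TargetObject, Details, DestinationPort) follow Sysmon’s schema, and the rules are meant to be ported into whatever SIEM or EDR query language is in use.

```python
"""Detection rules for the hotel-phishing Node.js implant, evaluated over
constructed Sysmon-style events (EventID 1 = process create,
3 = network connect, 13 = registry value set). All samples are made up."""
import re
from typing import Dict, List, Tuple

# C2 ports listed in the advisory
C2_PORTS = {8443, 8445, 8453, 5555, 56001, 56002, 56003}

# Case-insensitive patterns for the paths and commands the advisory describes
NODE_IMPLANT_DIR = re.compile(r'\\AppData\\Local\\Nodejs\\', re.I)
PROGRAMDATA_PE = re.compile(r'[A-Z]:\\ProgramData\\[^\\"]+\\[^\\"]+\.exe', re.I)
USER_TEMP_OR_APPDATA = re.compile(r'\\(AppData|Temp)\\', re.I)
INNO_HELPER = re.compile(r'\\is-[^\\\s"]+\.tmp.*(/SL5|/VERYSILENT)', re.I)
HEADLESS_BROWSER = re.compile(r'(chrome|msedge|chromium)\.exe.*--headless', re.I)
FORCED_SHUTDOWN = re.compile(r'shutdown(\.exe)?\s+[-/]s\s+[-/]t\s+0\b', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.I)
DEFENDER_EXCL_CMD = re.compile(r'Add-MpPreference\s+-ExclusionPath', re.I)
DEFENDER_EXCL_KEY = re.compile(r'\\Windows Defender\\Exclusions\\Paths\\', re.I)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image, cmd = event.get("Image", ""), event.get("CommandLine", "")
        # node.exe from the user-writable implant directory running a .js file
        if (image.lower().endswith("node.exe") and NODE_IMPLANT_DIR.search(image)
                and re.search(r'\s\S+\.js\b', cmd)):
            hits.append("node_implant_from_appdata")
        if INNO_HELPER.search(cmd):
            hits.append("silent_installer_helper")
        if HEADLESS_BROWSER.search(cmd):
            hits.append("headless_browser_automation")
        if FORCED_SHUTDOWN.search(cmd):
            hits.append("forced_shutdown")
        if DEFENDER_EXCL_CMD.search(cmd) and USER_TEMP_OR_APPDATA.search(cmd):
            hits.append("defender_exclusion_user_path")
    elif eid == 13:  # registry value set
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        # Run/RunOnce value pointing at the Node.js implant or a ProgramData PE
        if RUN_KEY.search(target) and (NODE_IMPLANT_DIR.search(details)
                                       or PROGRAMDATA_PE.search(details)):
            hits.append("run_key_persistence")
        # Defender exclusion written directly to the registry instead of via cmdlet
        if DEFENDER_EXCL_KEY.search(target) and USER_TEMP_OR_APPDATA.search(target):
            hits.append("defender_exclusion_user_path")
    elif eid == 3:  # network connection
        port = int(event.get("DestinationPort", "0"))
        if port in C2_PORTS and NODE_IMPLANT_DIR.search(event.get("Image", "")):
            hits.append("node_c2_nonstandard_port")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


# Constructed telemetry: events 0-7 mirror the campaign, 8-9 are benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": 1, "Image": r"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe",
     "CommandLine": r'"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe" C:\Users\frontdesk\AppData\Local\Nodejs\k9x2.js'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "Details": r'"C:\ProgramData\q8z1\svc.exe"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\NodeUpdate",
     "Details": r'"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe" "C:\Users\frontdesk\AppData\Local\Nodejs\k9x2.js"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden Add-MpPreference -ExclusionPath C:\Users\frontdesk\AppData\Local\Temp\x.exe"},
    {"EventID": 1, "Image": r"C:\Users\frontdesk\AppData\Local\Temp\is-7RK2A.tmp\setup.tmp",
     "CommandLine": r'"C:\Users\frontdesk\AppData\Local\Temp\is-7RK2A.tmp\setup.tmp" /SL5="$50234,123,456,C:\Users\frontdesk\Downloads\photo-4823.exe" /VERYSILENT'},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-gpu https://example.test/'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c shutdown -s -t 0"},
    {"EventID": 3, "Image": r"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "56001"},
    {"EventID": 1, "Image": r"C:\Program Files\nodejs\node.exe", "CommandLine": "node app.js"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\frontdesk\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The two benign controls (a system-wide Node.js install running a project script, and a normal OneDrive Run value under AppData) produce no hits, which is the point of keying the rules on the implant directory and the ProgramData\<random>\ layout rather than on node.exe or AppData alone.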

Email security controls should detect and quarantine messages that link to photo-<digits>.cfd or similar campaign domains, and should flag or quarantine notifications from Calendly domains that link to external file downloads (quarantining all Calendly mail outright would disrupt legitimate bookings, so scope the rule to the lure pattern). DNS queries to recently registered .cfd domains matching the campaign pattern should be blocked, and Google redirect links should be unwrapped to their final destination before URL reputation is evaluated. Endpoint detection and response (EDR) solutions should be tuned to identify headless browser automation, forced shutdown commands, and the use of silent installer helpers. User awareness training should be reinforced, with a focus on recognizing phishing emails that reference urgent guest complaints or booking issues, especially those containing ZIP attachments or links to external file downloads.
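As an added example (not Microsoft’s or Rescana’s code), the mail-gateway rule above expressed as a small triage function: it unwraps Google redirect links, matches the photo-<digits>.cfd domain pattern and the photo ZIP lure, and combines those with whether the sender is a Calendly domain. The messages, sender addresses, hosts and links are constructed; the google.com/url?q=<target> redirect shape is an assumption, since the advisory says only that Google URL redirects were used, and the ZIP name pattern is inferred from the photo-<random>.zip example.

```python
"""Mail-gateway triage for the lure pattern in the advisory, over constructed
messages. None of the senders, hosts or links here are real indicators."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlparse

PHOTO_CFD = re.compile(r"^photo-\d+\.cfd$", re.I)        # campaign domain pattern from the advisory
ZIP_LURE = re.compile(r"^(photo|img)-[^/]+\.zip$", re.I)  # assumption: photo-<random>.zip style names
CALENDLY_SENDER = re.compile(r"@([a-z0-9-]+\.)*calendly\.com>?$", re.I)


def unwrap_google_redirect(url: str) -> str:
    """Resolve a google.com/url?q=<target> link without fetching it.
    Assumption: this is the common open-redirect shape; the advisory does not
    say which Google redirect form the actor used."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host == "google.com" or host.endswith(".google.com")) and p.path == "/url":
        qs = parse_qs(p.query)
        target = qs.get("q") or qs.get("url")
        if target:
            return unquote(target[0])
    return url


def classify_link(url: str) -> Tuple[str, List[str]]:
    """Return (final URL, reasons) for one link in a message body."""
    final = unwrap_google_redirect(url)
    p = urlparse(final)
    host = (p.hostname or "").lower()
    reasons: List[str] = []
    if final != url:
        reasons.append("google_redirect")
    if PHOTO_CFD.match(host):
        reasons.append("photo_cfd_domain")
    elif host.endswith(".cfd"):
        reasons.append("cfd_tld")
    if ZIP_LURE.match(p.path.rsplit("/", 1)[-1]):
        reasons.append("photo_zip_lure")
    return final, reasons


def triage(msg: Dict) -> Tuple[str, List[Tuple[str, List[str]]]]:
    """Verdict for a message: 'quarantine', 'review' or 'deliver', plus findings.
    A Calendly sender alone is not enough; it needs the lure to be present."""
    findings = [(f, r) for f, r in map(classify_link, msg["links"]) if r]
    reasons = {r for _, rs in findings for r in rs}
    from_calendly = bool(CALENDLY_SENDER.search(msg["from"]))
    if ("photo_cfd_domain" in reasons
            or {"cfd_tld", "photo_zip_lure"} <= reasons
            or (from_calendly and "photo_zip_lure" in reasons)):
        return "quarantine", findings
    if reasons:
        return "review", findings
    return "deliver", findings


# Constructed messages: 0 and 3 are lures, 4 is suspicious, 1 and 2 are normal mail.
SAMPLE_MESSAGES: List[Dict] = [
    {"from": "Calendly <notifications@calendly.com>", "subject": "Guest complaint: photos attached",
     "links": ["https://www.google.com/url?q=https%3A%2F%2Fphoto-48213.cfd%2Fphoto-7f3a.zip&sa=D"]},
    {"from": "Calendly <notifications@calendly.com>", "subject": "New event scheduled",
     "links": ["https://calendly.com/events/abc123"]},
    {"from": "colleague@example-hotel.test", "subject": "Minutes",
     "links": ["https://docs.example-hotel.test/minutes.pdf"]},
    {"from": "guest@mail.test", "subject": "Bedbug report photos",
     "links": ["https://safe-docs-7712.cfd/PHOTO-912.zip"]},
    {"from": "Calendly <notifications@calendly.com>", "subject": "Room inquiry",
     "links": ["https://www.google.com/url?q=https%3A%2F%2Fdocs-share.test%2Fview%3Fid%3D7"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, findings = triage(m)
        print(f"{verdict:10} {m['from']} | {m['subject']} | {findings}")
```

The "review" tier exists because a Calendly notification with a Google redirect to an unknown host is not proof of this campaign; the photo-<digits>.cfd match or a .cfd-hosted photo ZIP is, and those go straight to quarantine.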

References

Microsoft Security Blog, June 25, 2026: https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access/

SOC Defenders: https://www.socdefenders.ai/item/62ae38c7-8e0c-4225-858c-4d3e1eb0be19

Reddit /r/SecOpsDaily: https://www.reddit.com/r/SecOpsDaily/comments/1ug3rbt/microsoft_warns_of_photo_zip_phishing_campaign/

LinkedIn: https://www.linkedin.com/posts/lewiscombs_microsoft-warns-of-photo-zip-phishing-campaign-activity-7476383352867074048-wVhd

KSEC Forum: https://forum.ksec.co.uk/t/microsoft-warns-of-photo-zip-phishing-campaign-targeting-hotels-with-node-js-implant/15889

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring resilience in an ever-evolving threat landscape. For more information or to discuss how Rescana can support your organization’s cybersecurity posture, please contact us at info@rescana.com.