Microsoft has uncovered a phishing campaign targeting hotels with fake photo ZIP files that install persistent Node.js malware.
Microsoft is warning hotels and other hospitality businesses about a phishing campaign that uses fake photo downloads to trick employees into installing malware capable of giving attackers long-term access to their systems.
The campaign, first spotted in April 2026, has targeted organizations across Europe and Asia. Rather than relying on traditional malicious attachments, the attackers send emails that appear to relate to everyday hotel operations, including guest complaints, room inquiries and booking issues.
The emails contain links to what looks like a ZIP archive filled with guest photos. Once downloaded, however, the archive contains a Windows shortcut (.LNK) file disguised as a PNG image. Opening it silently launches a chain of PowerShell commands that installs a Node.js-based implant known as TonRAT.
Microsoft said the attackers have gone to unusual lengths to make the messages appear legitimate. In many cases, they routed phishing emails through Calendly’s notification system and Google’s URL redirection service, allowing the messages to pass common email authentication checks before directing victims to attacker-controlled websites. The company refers to the technique as “authentication laundering” because trusted online services are used to mask malicious emails.
The campaign has evolved over time. Early versions used shortcut files named IMG-XXXXXXXX.png.lnk, while more recent attacks switched to PHOTO-XXXXXXXX.png.lnk and added extra stages to the infection process. Microsoft also observed changes to the attackers’ infrastructure and the way the payload is delivered.
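As an added example, not code from Microsoft's report, the following Python scans a ZIP archive for the kind of disguised shortcut described above: a .LNK entry hidden behind an image extension (Explorer never displays the .lnk suffix, so PHOTO-XXXXXXXX.png.lnk renders as a PNG), and an entry whose bytes are a Shell Link despite an image-looking name. The sample archive is constructed in memory; treating each X in the reported lure names as one alphanumeric character is an assumption.

```python
import io
import re
import zipfile

# Shell Link (.LNK) header: HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
# Lure names reported for this campaign were IMG-XXXXXXXX.png.lnk and
# PHOTO-XXXXXXXX.png.lnk; reading each X as one alphanumeric character is an assumption.
LURE_NAME_RE = re.compile(r"^(IMG|PHOTO)-[A-Za-z0-9]{8}\.png\.lnk$", re.IGNORECASE)


def classify_entry(name, head):
    """Return the reasons an archive entry looks like a disguised shortcut ([] if it looks clean)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    exts = ["." + part for part in base.lower().split(".")[1:]]
    is_named_lnk = bool(exts) and exts[-1] == ".lnk"
    if is_named_lnk:
        # Explorer hides the .lnk extension, so "PHOTO-....png.lnk" is shown as "PHOTO-....png".
        reasons.append("shortcut file inside a photo archive")
        if len(exts) >= 2 and exts[-2] in IMAGE_EXTS:
            reasons.append("double extension hides .lnk behind an image extension")
        if LURE_NAME_RE.match(base):
            reasons.append("matches reported lure naming pattern")
    elif head.startswith(LNK_MAGIC):
        # Name does not end in .lnk but the bytes are a shell link: plain extension spoofing.
        reasons.append("content is a shell link but the name claims otherwise")
    return reasons


def scan_zip(zip_bytes):
    """Map each suspicious entry name in the archive to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed for the magic check
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample archive (not a real campaign artifact): two clean entries, two lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("guest_photos/IMG-20260412.png", PNG_MAGIC + b"\x00" * 16)
        zf.writestr("guest_photos/PHOTO-20260412.png.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("guest_photos/IMG-0001.png", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("guest_photos/notes.txt", b"guest arriving late")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_zip(build_sample_archive()).items():
        print(entry, "->", "; ".join(reasons))
```

The content check matters as much as the name check: a mail gateway or EDR that only matches `*.png.lnk` misses an archive whose entries are renamed, whereas the 20-byte Shell Link header is fixed by the file format.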
Once installed, TonRAT communicates with remote command-and-control servers and uses multiple persistence mechanisms, including Windows Registry Run and RunOnce keys to survive system reboots. The malware can download additional PowerShell scripts and JavaScript payloads, allowing attackers to expand their capabilities after gaining access.
Microsoft has not linked the activity to a known threat group. However, the company said the malware’s emphasis on persistence and stealth suggests the attackers may be preparing compromised systems for future activity, although their ultimate objective remains unknown.
Hotels have become attractive targets because employees regularly receive booking requests, identification documents and photos from guests. By disguising malicious files as routine customer correspondence, the attackers increase the chances that someone will open the file without suspecting it is part of a phishing campaign.
Microsoft is urging organizations to be cautious of unsolicited ZIP archives and image files received through email, even when the messages appear to come from trusted services. The company also recommends monitoring for unexpected PowerShell activity, suspicious shortcut (.LNK) files and unusual Node.js processes, which could indicate that a system has been compromised.
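The monitoring advice above (unexpected PowerShell activity, unusual Node.js processes) and the Run/RunOnce persistence described earlier can be turned into a small triage routine. The following Python is an added example of my own, not Microsoft's detection logic: it runs over constructed Run/RunOnce values and process-creation events. The registry paths, process names and the heuristics that node.exe is "unusual" when it runs from a user-writable directory or is started by PowerShell or Explorer, and that PowerShell is suspicious when launched with window-hiding, profile-skipping, policy-bypass or encoded-command switches, are assumptions for illustration.

```python
import re

# Heuristics assumed for this example (not taken from the report).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
PS_SWITCH_RE = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b"
    r"|e(?:p|xecutionpolicy)\s+bypass|e(?:c|nc|ncodedcommand)?\s)",
    re.IGNORECASE,
)

# Constructed sample registry values: (key path, value name, command data).
SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Users\alice\AppData\Roaming\nodejs\node.exe" C:\Users\alice\AppData\Roaming\svc\main.js'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "cfg",
     r"powershell.exe -w hidden -nop -ep bypass -f C:\Users\Public\stage2.ps1"),
]

# Constructed sample process-creation events in a minimal telemetry shape.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -nop -f C:\Users\Public\stage1.ps1"},
    {"pid": 4133, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Roaming\nodejs\node.exe",
     "cmdline": r"node.exe C:\Users\alice\AppData\Roaming\svc\main.js"},
    {"pid": 980, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"node.exe C:\Apps\pms\server.js"},   # a legitimately installed app server
    {"pid": 5011, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe checklist.txt"},
]


def image_name(path):
    """Lower-cased file name of an executable path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_run_values(values):
    """Flag Run/RunOnce values that auto-start Node.js or PowerShell; returns (key\\value, rule)."""
    findings = []
    for key_path, value_name, command in values:
        tag = f"{key_path}\\{value_name}"
        lowered = command.lower()
        if "node.exe" in lowered or ".js" in lowered:
            findings.append((tag, "node.js launched from Run/RunOnce"))
        if "powershell" in lowered:
            findings.append((tag, "powershell launched from Run/RunOnce"))
    return findings


def triage_process_events(events):
    """Flag suspicious PowerShell launches and unusual node.exe processes; returns (tag, rule)."""
    findings = []
    for ev in events:
        img, parent = image_name(ev["image"]), image_name(ev["parent"])
        tag = f"pid {ev['pid']} {img}"
        if img == "powershell.exe" and PS_SWITCH_RE.search(ev["cmdline"]):
            findings.append((tag, "powershell with hidden/bypass/encoded switches"))
        if img == "node.exe":
            if USER_WRITABLE_RE.search(ev["image"]):
                findings.append((tag, "node.exe running from user-writable path"))
            if parent in {"powershell.exe", "explorer.exe"}:
                findings.append((tag, f"node.exe spawned by {parent}"))
    return findings


if __name__ == "__main__":
    for tag, rule in triage_run_values(SAMPLE_RUN_VALUES) + triage_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"{tag}: {rule}")
```

On a real estate the same rules would be fed from a registry export and from Sysmon or Windows Security process-creation events; the node.exe under Program Files parented by the service control manager is deliberately left unflagged, because hotel property-management systems do ship Node.js components and the signal lies in the launch path and parent, not in the binary name alone.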