Node.js Hospitality Phishing Campaign Hits Hotel Staff

Summary

Microsoft Threat Intelligence has detailed an active phishing campaign targeting hospitality organizations with photo-themed ZIP files that deliver a Node.js implant for persistence. The campaign matters because it combines trusted-service abuse, PowerShell obfuscation, registry persistence, and non-standard C2 traffic to evade detection and potentially stage follow-on attacks.

Introduction

Microsoft has uncovered an active multi-stage campaign targeting hospitality and hotel organizations across Europe and Asia. For security teams, this is notable because the attacker blends phishing, trusted-service abuse, PowerShell, and a Node.js implant to gain persistent access while reducing the chance of early detection.

What’s new

The campaign uses photo-themed ZIP archives delivered through browser downloads, often linked from phishing emails. Inside the archive is a malicious LNK file disguised as an image, such as IMG-<random>.png.lnk or PHOTO-<random>.png.lnk.

Key observed behaviors include:

  • Hospitality-focused lures using themes like guest complaints, room inquiries, stay reviews, and bedbug reports
  • Abuse of legitimate services including Calendly email notifications and Google URL redirects
  • Authentication laundering, where phishing messages appear more trustworthy by passing through legitimate sending infrastructure
  • Obfuscated PowerShell downloaders that launch follow-on stages
  • Node.js-based implant deployment for persistence and command-and-control
  • Dual registry persistence to maintain access after reboot
  • C2 over non-standard ports to help blend malicious traffic
  • Wave 2 enhancements, including dynamic .NET DLL compilation via csc.exe and expanded .cfd domain infrastructure behind Cloudflare

Microsoft says post-compromise activity has included beaconing, forced shutdowns, and compilation of PE payloads. While the final objective is still unclear, the level of persistence and obfuscation suggests preparation for additional malicious activity.

Impact on IT administrators

This campaign is especially relevant for organizations with front desk, reservations, and reception staff who regularly open files related to guests and bookings. Because the phishing emails use familiar business themes and trusted platforms, standard user awareness and email authentication checks may not be enough on their own.

Security teams should also note the cross-platform tooling involved. Node.js implants are still uncommon in enterprise malware investigations, so defenders may need to extend detection logic beyond the usual assumption that the payload is a native PE file.

IT and security teams should consider the following actions:

  • Block or closely monitor LNK files downloaded from browsers and email-linked archives
  • Hunt for suspicious execution of PowerShell, csc.exe, and unexpected Node.js activity on user endpoints
  • Review detections for registry-based persistence and outbound traffic on non-standard ports
  • Tighten controls around phishing redirects and inspect links delivered through legitimate third-party services
  • Prioritize awareness training for hospitality-facing staff on image-themed ZIP attachments and complaint-based lures
  • Use Microsoft Defender threat intelligence, detections, and investigation guidance from the original research to validate current protections
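The hunting actions above can be turned into a first-pass triage rule over endpoint telemetry. The script below is an added example written for this summary, not code from Microsoft or from the report; the telemetry events and the user profile path are constructed, and the sanctioned Node.js install directory and the Run-key check are assumptions that a deployment would replace with its own allow-list and persistence locations.

```python
import re

# Constructed sample endpoint telemetry (not from the Microsoft report); one dict per event.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\fd01\Downloads\IMG-48213.png.lnk"},
    {"type": "file", "path": r"C:\Users\fd01\Downloads\vacation.png"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "image": r"C:\Users\fd01\AppData\Roaming\rt\node.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "upd"},
    {"type": "network", "image": r"C:\Users\fd01\AppData\Roaming\rt\node.exe", "dst_port": 8443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_port": 443},
]

# Lure naming pattern taken from the article: IMG-<random>.png.lnk / PHOTO-<random>.png.lnk
LURE_RE = re.compile(r"(?:^|[\\/])(?:IMG|PHOTO)-[^\\/]*\.(?:png|jpe?g)\.lnk$", re.I)
# Assumption: Run/RunOnce keys stand in for the report's unnamed "dual registry persistence".
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
STANDARD_PORTS = {80, 443}
# Assumption: the only place a sanctioned node.exe should live on these endpoints.
NODE_TRUSTED_DIRS = ("c:\\program files\\nodejs\\",)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return a finding label for one event, or None if it looks benign."""
    t = ev["type"]
    if t == "file" and LURE_RE.search(ev["path"]):
        return "image-themed double-extension LNK lure"
    if t == "process":
        img, parent = basename(ev["image"]), basename(ev.get("parent", ""))
        if img == "csc.exe" and parent == "powershell.exe":
            return "csc.exe spawned by PowerShell (dynamic .NET compilation)"
        if img == "node.exe" and not ev["image"].lower().startswith(NODE_TRUSTED_DIRS):
            return "node.exe running outside sanctioned install path"
    if t == "registry" and RUN_KEY_RE.search(ev["key"]):
        return "Run-key persistence write"
    if t == "network" and basename(ev["image"]) == "node.exe" and ev["dst_port"] not in STANDARD_PORTS:
        return f"node.exe outbound on non-standard port {ev['dst_port']}"
    return None

def hunt(events):
    """Return (event index, finding) pairs for every event that matches a campaign indicator."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Each rule on its own is noisy; the value is in seeing several of them fire on one host within a short window, which is the chain the article describes.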

For defenders in hospitality, this is a strong reminder that socially engineered file execution remains effective when paired with evasive post-exploitation techniques.