What Happened
An active phishing campaign has been targeting hotels and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant and establish a foothold on front-desk machines, Microsoft says. The company has not attributed the activity to a known threat actor, and the operators' end goal is still unclear. The lure is built around how hotels actually operate.
Why It Matters
The article describes a phishing campaign against hotels and hospitality organizations in Europe and Asia that uses photo-themed ZIP archives and booking/complaint lures, often sent via trusted services such as Calendly and Google redirects, to deliver a Node.js-based implant (TonRAT) to front-desk Windows systems.[1][2][3][4] Microsoft reports that the attack chain involves shortcut files disguised as images, heavily obfuscated PowerShell, dual registry persistence, and encrypted command-and-control over non-standard ports, with the operators' ultimate objective still unclear.[2][3][4] From a CyberSE.AI perspective, although no AI components are explicitly involved, this campaign is highly relevant as a precursor threat to AI-enabled hotel and travel agents that may be co-located with, or dependent on, compromised front-desk and reservation systems, creating a pathway for later data theft or abuse of AI-driven workflows. Organizations should treat this as a signal to harden email and endpoint defenses around business-process lures, and to include hospitality-specific phishing and implant scenarios in AI security strategy, red teaming, and CISO-level risk governance.
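The attack chain above has several stages a defender can correlate on the endpoint: a shortcut named like a photo launched from a ZIP, PowerShell started with an encoded command, a Node.js runtime running from a user-writable directory, Run-key persistence, and node.exe talking to an unusual port. The following Python sketch is an added example (not Microsoft's or the reporting's code) that scores hosts by how many of those stages appear in constructed, simplified telemetry; the event field names, host names and sample paths are assumptions, not a real product's schema.

```python
import re
from collections import defaultdict

# Constructed, simplified endpoint telemetry; field names are assumed, not a real product's schema.
SAMPLE_EVENTS = [
    {"host": "frontdesk-01", "kind": "process", "image": "explorer.exe",
     "cmd": r"explorer.exe C:\Users\desk\AppData\Local\Temp\zip1\room_photo.jpg.lnk"},
    {"host": "frontdesk-01", "kind": "process", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4A"},
    {"host": "frontdesk-01", "kind": "process", "image": "node.exe",
     "cmd": r"C:\Users\desk\AppData\Roaming\nodejs\node.exe app.js"},
    {"host": "frontdesk-01", "kind": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"host": "frontdesk-01", "kind": "network", "image": "node.exe", "dst_port": 8443},
    {"host": "frontdesk-02", "kind": "process", "image": "node.exe",
     "cmd": r"C:\Program Files\nodejs\node.exe server.js"},  # legitimate install, must not fire
]

IMAGE_LNK = re.compile(r"\.(jpe?g|png|gif)\.lnk\b", re.I)               # shortcut posing as a photo
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)
USER_DIR_NODE = re.compile(r"\\Users\\[^\\]+\\AppData\\.*\\node\.exe", re.I)  # runtime in a user dir
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)          # one common persistence spot
EXPECTED_PORTS = {80, 443}                                               # other ports from node.exe are odd

def stage_of(ev):
    """Map one event to the chain stage it evidences, or None if it looks benign."""
    if ev["kind"] == "process":
        if ev["image"].lower() == "explorer.exe" and IMAGE_LNK.search(ev["cmd"]):
            return "image_lnk"
        if ENCODED_PS.search(ev["cmd"]):
            return "encoded_ps"
        if USER_DIR_NODE.search(ev["cmd"]):
            return "node_userdir"
    elif ev["kind"] == "registry" and RUN_KEY.search(ev["key"]):
        return "run_key"
    elif (ev["kind"] == "network" and ev["image"].lower() == "node.exe"
          and ev["dst_port"] not in EXPECTED_PORTS):
        return "odd_port_c2"
    return None

def score_hosts(events, min_stages=3):
    """{host: sorted stages} for hosts with >= min_stages distinct stages; correlating per host keeps a lone Run key or encoded command from paging anyone."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}
```

Running `score_hosts(SAMPLE_EVENTS)` flags only frontdesk-01 with all five stages; the threshold and the port allow-list should be tuned to what node.exe legitimately does in your environment.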
CyberSE Analysis
This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of intrusion could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/microsoft-warns-of-photo-zip-phishing.html