
Hotel phishing campaign launders email authentication to drop a Node.js implant

Microsoft has been tracking a phishing campaign that has targeted hotels across Europe and Asia since April, using guest-complaint and inspection-themed emails to get front-desk staff to open photo-themed ZIP files. The lures pass sender authentication checks through what Microsoft calls authentication laundering: the messages are routed through Calendly's notification system and Google redirects, so they arrive from infrastructure that mail filters already trust and appear legitimate. The ZIP hides a shortcut posing as an image file; opening it runs obfuscated PowerShell, which quietly installs a legitimate Node.js runtime and launches a JavaScript implant called TonRAT. TonRAT resolves its command servers through a blockchain API, communicates over encrypted WebSockets on unusual ports, excludes itself from Microsoft Defender scanning, and persists through the registry. The attackers' ultimate goal is still unclear.

Check
Alert front-desk staff to complaint-themed emails carrying photo ZIP files, and hunt for Node.js running from user paths, new Defender exclusions, and beacons to non-standard ports such as 8443 or 56001.
Affected
Hotels and hospitality organizations in Europe and Asia whose reception and reservations staff open image or document attachments; the campaign launders email authentication to get past mail filters and installs a persistent Node.js implant.
Fix
Block and alert on the campaign's domains and ports, restrict execution of shortcut files extracted from archives, monitor for unauthorized Node.js runtimes and new Defender exclusions, and remove the implant's registry persistence keys during cleanup. Because TonRAT resolves its servers through a blockchain API, blocked domains can be rotated quickly, so the host-side signals (Node.js running from a user path, unexpected Defender exclusions, registry run entries) are the more durable indicators.
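The host-side hunt described under Check and the cleanup under Fix can be scripted together. The following is an added triage script, not code from the original article or from Microsoft; it assumes the ports 8443 and 56001 named above, takes "user paths" to mean anything under the user profile, ProgramData or Temp, and checks the HKCU and HKLM Run keys as the likeliest registry persistence locations (the article says only that TonRAT "persists through the registry", so the exact keys are an assumption). It only reports; removal of anything it finds is left as a deliberate manual step.

```powershell
# Added triage script for the hotel/TonRAT campaign (assumptions: see lead-in).
# Run in an elevated PowerShell on a suspect front-desk host.
$suspectPorts     = @(8443, 56001)                       # non-standard ports named in the write-up
$userPathPatterns = @("$env:USERPROFILE\*", "$env:ProgramData\*", "$env:TEMP\*")
$findings         = New-Object System.Collections.Generic.List[object]

function Test-UserPath([string]$Path) {
    # True when the path sits under a user-writable location (assumed definition of "user path").
    foreach ($pattern in $userPathPatterns) { if ($Path -like $pattern) { return $true } }
    return $false
}

# 1. node.exe running from a user-writable path. A sanctioned install lives under Program Files.
foreach ($proc in (Get-Process -Name node -ErrorAction SilentlyContinue)) {
    if ($proc.Path -and (Test-UserPath $proc.Path)) {
        $findings.Add([pscustomobject]@{ Kind = 'NodeFromUserPath'; Detail = "PID $($proc.Id): $($proc.Path)" })
    }
}

# 2. Defender exclusions that cover node or a user-writable path (the implant excludes itself from scanning).
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($ex in (@($mp.ExclusionPath) + @($mp.ExclusionProcess))) {
        if ($ex -and (($ex -match 'node') -or (Test-UserPath $ex))) {
            $findings.Add([pscustomobject]@{ Kind = 'DefenderExclusion'; Detail = $ex })
        }
    }
}

# 3. Run-key persistence that launches node or a .js file (assumed location of the registry persistence).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }                 # skip PSPath, PSParentPath and friends
        $val = [string]$props.$name
        if ($val -match 'node(\.exe)?\b' -or $val -match '\.js\b') {
            $findings.Add([pscustomobject]@{ Kind = 'RunKeyPersistence'; Detail = "$key\$name = $val" })
        }
    }
}

# 4. Established connections to the campaign's ports, with the owning process.
foreach ($conn in (Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)) {
    if ($suspectPorts -contains $conn.RemotePort) {
        $owner = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Kind   = 'SuspectPortBeacon'
            Detail = "$($conn.RemoteAddress):$($conn.RemotePort) from $($owner.ProcessName) (PID $($conn.OwningProcess))"
        })
    }
}

# 5. Shortcut files dressed up as images in Downloads or Temp (the lure is a .lnk posing as a photo).
$lureDirs = @("$env:USERPROFILE\Downloads", $env:TEMP)
foreach ($lnk in (Get-ChildItem -Path $lureDirs -Recurse -Filter *.lnk -ErrorAction SilentlyContinue)) {
    if ($lnk.BaseName -match '\.(jpe?g|png|gif|bmp)$') {
        $findings.Add([pscustomobject]@{ Kind = 'ImageNamedShortcut'; Detail = $lnk.FullName })
    }
}

if ($findings.Count -eq 0) { Write-Host 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

Treat each finding as a lead rather than a verdict: a legitimate developer workstation can have Node.js under a user profile, and 8443 is a common alternate HTTPS port. A Defender exclusion plus a Run key pointing at a node.exe outside Program Files, on a machine used for reservations, is the combination worth escalating, and the Run-key and exclusion entries should be removed only after the node.exe process has been stopped and the dropped files captured for analysis.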