[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6ceV7skut1-x_bfiuUITV3_ExyDlwaZsKZXyn5dG3AQ":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"29732690-f1df-4ac7-8b43-382b5af8ad59","Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access","photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-for-p-7d5c98","Microsoft Threat Intelligence identified an active multi-stage intrusion campaign targeting hospitality organizations in Europe and Asia. The campaign uses photo-themed ZIP archives and fake image shortcut files to deliver a persistent Node.js implant and evade detection. The post Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access appeared first on Microsoft Security Blog.","A multi-stage intrusion campaign, active since April 2026, is targeting hospitality organizations in Europe and Asia. Threat actors use photo-themed ZIP archives containing fake image shortcut files to deliver a Node.js implant, employing PowerShell, registry persistence, and C2 communications over non-standard ports. The campaign has evolved through two waves, with the second introducing dynamic .NET DLL compilation and expanded domain infrastructure.","Photo-themed ZIP archives deliver Node.js implant to hospitality industry.","Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting organizations in the hospitality and hotel industry since April 2026. We’ve observed this activity through aggregated threat intelligence and security signals across multiple organizations in Europe and Asia. 
Microsoft has not attributed this campaign to a known threat actor. The campaign uses photo-themed ZIP archives that the target users download through the browser. These archives contain fake image shortcut files that, when launched, start an attack chain that relies on obfuscated PowerShell, a Node.js-based implant, dual registry persistence, and command-and-control (C2) communications over non-standard ports. As of this writing, the campaign’s post-compromise activities include C2 beaconing, forced shutdowns, and compilation of portable executable (PE) payloads. While the campaign’s ultimate objective remains unclear, we assess that the threat actor’s investment in ensuring obfuscation and persistence could indicate that they’re preparing the victim devices for more follow-on activities. In late May 2026, we observed the threat actor misusing legitimate services—including the cloud-based scheduling platform Calendly’s email notification infrastructure and Google’s URL redirect functionality—to deliver phishing emails with multilingual lures and subject lines (for example, guest complaints and room inquiries) designed to convince hospitality staff to open the embedded malicious link and download the ZIP archive. These phishing emails attempt to bypass conventional authentication checks through a technique we describe as authentication laundering: by routing phishing messages through a trusted service’s sending infrastructure, the threat actor can make malicious messages appear similar to legitimate notifications to email authentication defenses. We’ve observed the campaign evolving in two distinct waves. The first wave (hereinafter referred to as Wave 1) used shortcut files named IMG-\u003Crandom numbers>.png.lnk, while the second one (Wave 2) introduced a naming shift to PHOTO-\u003Crandom numbers>.png.lnk. 
Wave 2 also introduced a new attack chain stage in which the PowerShell downloader triggered dynamic .NET DLL compilation through csc.exe, and the actor expanded its domain infrastructure to include .cfd domains hosted behind Cloudflare. This blog summarizes the campaign’s Wave 1 and Wave 2 attack chains and provides Microsoft Defender detections and recommendations. It’s intended to share threat intelligence to help organizations better understand, identify, and defend against similar attack techniques. The activity described reflects observed patterns and behaviors and is provided to support defensive security efforts. Attack chain overview Figure 1. Assessed attack chain for the Node.js photo ZIP\u002FLNK campaign showing both Wave 1 and Wave 2 stages. The campaign follows a multi-stage attack chain with limited variation in overall behavior, even as the actor changed its PowerShell obfuscation and delivery refinements between waves. Initial access and user execution The campaign begins with delivery of a browser-downloaded archive with a file name that uses the pattern photo-\u003Crandom numbers>.zip. In one observed activity, links to these archives were delivered through phishing emails. We assess that this file naming convention was designed to appear ordinary yet relevant to hospitality workflows, which commonly exchange guest photos, reservation-related images, or document snapshots. In Wave 1, the archive contained a fake image shortcut named IMG-\u003Crandom numbers>.png.lnk, which masqueraded as a PNG file while remaining executable content. In Wave 2, the threat actor introduced a naming shift to PHOTO-\u003Crandom numbers>.png.lnk (uppercase PHOTO prefix). Successful execution depended on a target user opening what appeared to be an image. The following table lists representative delivery artifacts observed across impacted environments in both campaign waves. 
The file sizes of the LNK files consistently fell within 1,989 to 2,079 bytes, suggesting the same builder tool. LNK file Source archive Wave IMG-805916584.png.lnk C:\\Users\\[REDACTED]\\Downloads\\photo-961032103.zip 1 IMG-421741673.png.lnk C:\\Users\\[REDACTED]\\Downloads\\photo-818773648.zip 1 IMG-223099041.png.lnk C:\\Users\\[REDACTED]\\Downloads\\photo-716449357.zip 1 IMG-386443483.png.lnk Browser download 1 PHOTO-215746435.png.lnk Browser download 2 Observed LNK and ZIP naming patterns across both campaigns. Observed victim device naming patterns, including reception- and front office-associated systems and hotel-named devices, confirm the threat actor’s focus on staff likely to interact with image or document attachments as part of day-to-day operations. Some of the user account names observed across impacted environments include the following strings, which refer to words in different languages such as English, French, Polish, Czech, and Spanish: reception frontdesk reservations accueil recepcja recepce frontoffice Phishing infrastructure: Authentication laundering through legitimate services Beginning late May 2026, we observed that this campaign’s initial access mechanism also abuses legitimate web services to bypass email authentication controls and obscure the true destination of phishing links. This observation aligns with the previously published findings by other security researchers. The threat actor uses Calendly’s email notification system and Google’s URL redirect functionality to construct a multi-hop delivery chain in which the direct Calendly path passes Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks. Figure 2. Phishing redirect flow. 
Lure themes and language targeting The sender display name across all observed emails is “Booking Manager (via Calendly),” a social engineering choice that appears designed to exploit hospitality staff’s familiarity with booking and scheduling workflows. Across the relayed messages, Microsoft observed the following small set of recurring social-engineering themes delivered in Japanese, Danish, and Dutch: Guest complaints Bedbug (Cimex) infestation reports Verification call notices Room condition inquiries Stay review requests These lures are deliberately generic and non-personalized: every subject references an anonymous “guest,” “facility,” or “your accommodation,” and none contains a recipient name, guest name, or organization name. This is consistent with high-volume, list-driven distribution rather than tailored spear-phishing. The threat actor relies on urgency and reputational pressure (complaints, “final warning,” health-authority inspection, possible suspension) to drive target hospitality staff to click. Language Canonical lure (theme) Japanese Serious guest complaint Japanese Bedbug complaint, verification call Japanese Guest stay review request Japanese Room condition, facility inquiry Japanese Final warning: infestation, forced inspection Danish Bedbug complaint, inspection call Danish Formal complaint, notice of suspension Danish Health-risk safety alert Dutch Complaint: possible danger, hospitalization after stay Phishing lure themes by language, listed by observed prevalence. The threat actor reuses the same themes across all three languages, with Japanese as the most prevalent. Notably, unfilled template placeholders—such as a literal ID token in the Danish variant—appeared in some subjects, indicating automated, templated generation. 
Use of Calendly notification infrastructure as a phishing relay The threat actor uses a threat actor-controlled Calendly account associated with the subdomain em1618.calendly.com to relay phishing emails to hospitality targets. Authentication results differ by delivery path. Authentic","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F06\u002F25\u002Fphoto-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access\u002F","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002Fwp-content\u002Fuploads\u002F2026\u002F03\u002FMS_Actional-Insights_Phishing-social-engineering.jpg","2026-06-25T22:30:29+00:00","2026-06-26T00:00:28.021308+00:00",8,[18,21,23,25,27,30],{"name":19,"type":20},"Node.js","product",{"name":22,"type":20},"PowerShell",{"name":24,"type":20},"csc.exe",{"name":26,"type":20},"Microsoft Defender",{"name":28,"type":29},"Cloudflare","technology",{"name":31,"type":29},"Calendly","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":32,"icon":34,"name":35,"slug":36},null,"Threat Intelligence","threat-intelligence",[38,43,48,53],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":54},{"id":32,"icon":34,"name":35,"slug":36},[]]