351/69 Monday, June 29, 2026
Security researchers have disclosed a phishing campaign targeting organizations in the hotel and hospitality sector. The attackers send fake emails disguised as customer complaints, room issue reports, or stay-related warnings to trick front desk staff, reservation teams, or other relevant personnel into clicking links and downloading ZIP files claimed to contain images or supporting documents.
Reports indicate that the attackers abuse trusted services, such as Calendly email notifications and Google URL redirection functions, to make the phishing emails appear more credible and pass SPF, DKIM, and DMARC checks. When victims open shortcut files disguised as images, such as IMG- or PHOTO-, the files execute obfuscated PowerShell commands to download additional scripts, leading to the installation of an implant tracked as TonRAT, which runs through Node.js on the user’s machine.
The malware is designed to maintain persistence in the system through multiple registry entries and communicate with command-and-control servers over non-standard ports. It also shows behavior associated with downloading additional payloads and evading detection at certain stages. Although the attackers’ final objective has not yet been confirmed, the implant’s persistence and access-maintenance behavior indicate a risk of follow-on attacks. Organizations in the hotel and hospitality sector should warn employees to be cautious of complaint emails or image files from unfamiliar sources, inspect .lnk files contained in ZIP archives, and monitor for abnormal PowerShell execution, Node.js activity in user paths, and suspicious registry persistence.