Photo ZIP Campaign Targets Hospitality Industry with Node.js Implant and 'Authentication Laundering'
Microsoft warns of an active campaign since April 2026 targeting hospitality organizations in Europe and Asia with photo-themed ZIP archives delivering a Node.js implant via phishing emails abusing Calendly and Google redirects.

Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting organizations in the hospitality and hotel industry since April 2026. The campaign, observed across multiple organizations in Europe and Asia, uses photo-themed ZIP archives delivered via phishing emails that abuse legitimate services such as Calendly and Google URL redirects so that the messages pass email authentication checks. Microsoft calls the technique 'authentication laundering': the phishing message is routed through a trusted service's own sending infrastructure, so it arrives carrying that service's valid SPF, DKIM and DMARC results and looks legitimate to both filters and recipients.
The attack chain begins when the recipient follows the link and the browser downloads a ZIP archive named photo-<random numbers>.zip. Inside is a Windows shortcut with a double extension (e.g., IMG-*.png.lnk or PHOTO-*.png.lnk) that poses as a PNG image; because Explorer hides the .lnk extension by default, even when other extensions are shown, the file appears simply as IMG-*.png. Opening the shortcut launches an obfuscated PowerShell downloader that retrieves a Node.js implant. The implant establishes persistence via two registry entries and communicates with command-and-control (C2) servers over non-standard ports. Two waves have been observed: Wave 1 used IMG-*.png.lnk files, while Wave 2 shifted to PHOTO-*.png.lnk and added on-the-fly compilation of a .NET DLL with csc.exe, the C# compiler that ships with the .NET Framework.
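The following triage script is an added example written for this article, not Microsoft's tooling or anything from the campaign itself. It checks a downloaded archive for the two artifacts the article names: the photo-<digits>.zip filename and a member whose name ends in an image extension followed by .lnk. Instead of trusting the name alone, it reads the member's first 24 bytes and confirms the Shell Link header (HeaderSize 0x4C plus the ShellLink CLSID, per the MS-SHLLINK format) and whether the LinkFlags HasArguments bit is set, which is where a shortcut stores the command line that a PowerShell downloader would ride in. The sample archives are constructed in memory and are not real captures.

```python
"""Offline triage of a downloaded ZIP for the photo-<digits>.zip / image.png.lnk lure.
Added example for this article; the filename patterns come from the article,
the .lnk header layout from the MS-SHLLINK specification."""
import io
import re
import zipfile

# A Windows Shell Link starts with HeaderSize 0x0000004C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
LNK_FLAG_HAS_ARGUMENTS = 0x20  # LinkFlags bit: the shortcut carries a command line
LNK_FLAG_IS_UNICODE = 0x80

ARCHIVE_NAME_RE = re.compile(r"^photo-\d+\.zip$", re.IGNORECASE)
# An image extension immediately followed by .lnk, e.g. IMG-1234.png.lnk
DOUBLE_EXT_RE = re.compile(r"\.(?:png|jpe?g|gif|bmp|webp)\.lnk$", re.IGNORECASE)


def inspect_entry(head: bytes) -> dict:
    """Classify an archive member from its first 24 bytes (header + LinkFlags)."""
    is_lnk = head[:20] == LNK_MAGIC
    flags = int.from_bytes(head[20:24], "little") if is_lnk and len(head) >= 24 else 0
    return {"lnk_magic": is_lnk, "has_arguments": bool(flags & LNK_FLAG_HAS_ARGUMENTS)}


def triage_zip(archive_name: str, payload: bytes) -> dict:
    """Return name match, per-member findings and an overall verdict for one ZIP."""
    result = {"archive_name_matches": bool(ARCHIVE_NAME_RE.match(archive_name)), "entries": []}
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for info in zf.infolist():
            if not DOUBLE_EXT_RE.search(info.filename):
                continue
            with zf.open(info) as fh:
                head = fh.read(24)  # never extract the member, just peek at the header
            result["entries"].append({"name": info.filename, **inspect_entry(head)})
    if any(e["lnk_magic"] for e in result["entries"]):
        result["verdict"] = "lure"      # double extension confirmed to be a real shortcut
    elif result["entries"] or result["archive_name_matches"]:
        result["verdict"] = "review"    # naming matches but the content does not prove it
    else:
        result["verdict"] = "clean"
    return result


def build_sample_lure() -> bytes:
    """Constructed sample, not a real capture: a ZIP holding a 76-byte .lnk header whose
    LinkFlags say HasArguments|IsUnicode, as a shortcut launching powershell would."""
    flags = (LNK_FLAG_HAS_ARGUMENTS | LNK_FLAG_IS_UNICODE).to_bytes(4, "little")
    fake_lnk = LNK_MAGIC + flags + b"\x00" * (76 - len(LNK_MAGIC) - 4)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PHOTO-4821.png.lnk", fake_lnk)
    return buf.getvalue()


def build_sample_benign() -> bytes:
    """Constructed control: a ZIP with a file carrying a real PNG signature and no shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip("photo-4821.zip", build_sample_lure()))
    print(triage_zip("holiday.zip", build_sample_benign()))
```

The script deliberately stops at the header: it never extracts or opens the shortcut, so it can run on a mail gateway or a quarantine share without executing anything. Pulling the actual PowerShell command line out of the StringData section is a larger parsing job and a separate step.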
The phishing emails use multilingual lures with subject lines about guest complaints and room inquiries, chosen to convince hospitality staff to click the link. The campaign abuses Calendly's email notification infrastructure and Google's URL redirect functionality to build a multi-hop delivery chain: the message is sent by the legitimate service's own mail servers, so it passes SPF, DKIM and DMARC for that service's domain, and the embedded link hops through a Google redirect before reaching the site that serves the ZIP. Because the authentication results are genuine, these messages pass conventional email authentication checks rather than evading them, and a filter that keys on SPF, DKIM or DMARC failures sees nothing wrong; detection has to rest on where the link actually lands and on what is downloaded.
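To make that point concrete, here is an added example (not Microsoft's code and not from the campaign) that does the check a DMARC-passing message still needs: it unwraps each link offline and compares the final host with the domain that DMARC actually authenticated. It assumes the Google redirect takes the common www.google.com/url?q=<target> form, which the article does not spell out, and it parses the header.from value of a standard Authentication-Results header. The header and body below are constructed, with example.com standing in for the abused notification service and example.net for the download host.

```python
"""Unwrap Google-style redirect links and compare their real destination with the
DMARC-authenticated sending domain. Added example for this article, not Microsoft's tooling;
the redirect form (www.google.com/url?q=...) is an assumption."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
MAX_HOPS = 5  # guard against redirect loops built from nested q= parameters


def unwrap_google_redirect(url: str) -> tuple:
    """Resolve www.google.com/url?q=<target> (or url=<target>) links without touching the
    network. Returns (final_url, hops); hops is 0 when the link was not a redirect."""
    hops = 0
    while hops < MAX_HOPS:
        parts = urlparse(url)
        host = parts.netloc.lower()
        if host in ("google.com", "www.google.com") and parts.path == "/url":
            qs = parse_qs(parts.query)          # parse_qs already percent-decodes
            target = qs.get("q") or qs.get("url")
            if not target:
                break
            url = target[0]
            hops += 1
        else:
            break
    return url, hops


def authenticated_from_domain(auth_results: str) -> Optional[str]:
    """Return header.from=<domain> from an Authentication-Results value only when
    dmarc=pass; None otherwise. This is the domain the message is provably from."""
    if not re.search(r"\bdmarc=pass\b", auth_results):
        return None
    m = re.search(r"header\.from=([\w.-]+)", auth_results)
    return m.group(1).lower() if m else None


def triage_links(auth_results: str, body: str) -> dict:
    """Flag a DMARC-passing message whose redirected links land off the authenticated domain."""
    from_domain = authenticated_from_domain(auth_results)
    links = []
    for raw in URL_RE.findall(body):
        final, hops = unwrap_google_redirect(raw)
        host = urlparse(final).netloc.lower()
        same_org = from_domain is not None and (host == from_domain or host.endswith("." + from_domain))
        links.append({"raw": raw, "final": final, "final_host": host,
                      "hops": hops, "off_domain": from_domain is not None and not same_org})
    return {
        "dmarc_pass_domain": from_domain,
        "links": links,
        # authentication is genuine, yet a laundered link points somewhere else entirely
        "suspicious": from_domain is not None and any(l["hops"] and l["off_domain"] for l in links),
    }


# Constructed sample message, not a real capture.
SAMPLE_AUTH = ("mx.example.org; spf=pass smtp.mailfrom=notify.example.com; "
               "dkim=pass header.d=example.com; dmarc=pass header.from=example.com")
SAMPLE_BODY = ("A guest complained about room 412, photos of the damage are here:\n"
               "https://www.google.com/url?q=https%3A%2F%2Fcdn.example.net%2Fphoto-7718.zip&sa=D\n"
               "Manage your bookings at https://app.example.com/bookings\n")

if __name__ == "__main__":
    for link in triage_links(SAMPLE_AUTH, SAMPLE_BODY)["links"]:
        print(link["hops"], link["off_domain"], link["final"])
```

The decisive signal is the combination: dmarc=pass for the notification service's domain together with a link that only reaches the attacker's host after a redirect hop. Either fact alone is ordinary; a genuine Calendly notification passes DMARC, and plenty of newsletters use Google redirects. Run the same comparison against URLs extracted from the message body at the gateway, and treat a redirect that exits the authenticated domain as a reason to detonate or block the download rather than trusting the authentication results.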
Microsoft has not attributed the campaign to a known threat actor. The post-compromise activities observed include C2 beaconing, forced shutdowns, and compilation of portable executable (PE) payloads. While the ultimate objective remains unclear, Microsoft assesses that the investment in obfuscation and persistence suggests the threat actor may be preparing for follow-on activities.
Microsoft recommends that hospitality organizations review their email security settings, implement advanced phishing detection, and train staff on the risks of following unexpected links and opening downloaded archives. Microsoft Defender provides detections for the observed artifacts and behaviors. The campaign highlights the growing use of legitimate services as phishing delivery infrastructure and the need for layered defenses that do not rely on email authentication results alone.