Hotel front desks handle complaints every hour. A message about bed bugs or a poor room review lands in the inbox. Staff open the attached photos. Minutes later, a machine on the network starts phoning home.
Microsoft Threat Intelligence detailed this exact pattern in a blog post published June 25, 2026. The campaign, active since April, targets hospitality workers across Europe and Asia. Japanese hotels face the heaviest volume. Attackers send emails that look like urgent guest feedback. They route the messages through trusted services to slip past filters.
The lure feels authentic. Subject lines stay generic. No specific guest name or hotel property appears. That points to bulk lists rather than handcrafted spear phishing. Yet the pressure lands hard on reception teams. Reputational risk from negative reviews or pest complaints demands fast action. Open the file. Solve the problem. That’s the bet.
Click the link. A ZIP file downloads. Inside sits a Windows shortcut (.lnk) disguised as an image. File names follow patterns such as IMG- plus a run of digits, with PHOTO- prefixes in later waves. Double-click it. The LNK launches obfuscated PowerShell. The script decodes a hidden URL using BigInt arithmetic across seven phases of increasing complexity. It pulls down a secondary script. Then it fetches a legitimate Node.js runtime, version 24.13.0, directly from nodejs.org and drops it into a user-writable directory. No installer runs and no administrator rights are needed. The runtime then executes the JavaScript payload.
That JavaScript payload carries the name TonRAT. Microsoft Defender labels related binaries as Wacatac or PureRat. The code establishes persistence through two registry keys under HKCU. A Run entry relaunches the Node.js script at every logon. A RunOnce entry in the same hive restarts an executable dropped under ProgramData; because Windows deletes a RunOnce value after it fires, the malware rewrites it on each run, which keeps the one-shot key alive in a loop. The malware also adds Defender exclusions for its temporary executables to quiet Microsoft Defender. It beacons to command servers on non-standard ports, including 56001 through 56003, 8443 and 8445, among others.
But there’s more. The implant resolves its control domains through the TON blockchain API and opens encrypted WebSocket channels to them. Trend Micro researchers observed the same technique in late May attacks aimed at Booking.com partner properties in Japan. Their report, released June 29, described the component as TrojanSpy.JS.TONRESOLVER.A. The blockchain serves as a dead-drop resolver: the malware reads its current instructions and server addresses from on-chain data, so operators can rotate infrastructure without touching the implant, and a block on any single domain or IP does not sever the lookup. Japanese accommodations made up the clear majority of sightings.
Delivery methods evolved. Early waves relied on Calendly notification infrastructure. Because the messages really do leave the service’s SendGrid servers, they pass SPF, DKIM, DMARC and Microsoft’s composite authentication (CompAuth) checks. Microsoft calls this authentication laundering: the protocols vouch for the relay, not for the content it carries. Messages then hop through share.google.com open redirects before landing on Cloudflare-hosted domains ending in .cfd. Each hop shows URL-reputation filters a trusted domain, so the multi-hop chain shreds the signal. Later emails arrived via Gmail threads. Attackers started with innocent booking questions, waited for replies, then inserted the malicious payload. The conversation history lent extra credibility.
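As an added example, not code from Microsoft, Trend Micro or the campaign itself, the Python below shows why a passing authentication result is not a verdict. It parses a constructed notification-style message, reads its Authentication-Results header, and then unwraps the redirect parameter of every link offline so that the filter scores the final host rather than the first hop. The share.google.com parameter name (url), the .cfd host, the calendly.com link and the message text are assumptions built for the demonstration.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed message, not a real capture. The Authentication-Results line mirrors
# the report's point: mail relayed by a legitimate scheduling service passes every
# check. The redirect parameter name ("url") and the .cfd host are assumptions.
SAMPLE_EMAIL = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=calendly.com; dkim=pass header.d=calendly.com; dmarc=pass action=none header.from=calendly.com; compauth=pass reason=100
From: Calendly <notifications@calendly.com>
To: reception@hotel.example
Subject: New event: guest complaint - bed bugs in room
Content-Type: text/plain

A guest attached photos of bed bugs found in their room.
Review the photos: https://share.google.com/redirect?url=https%3A%2F%2Fguest-photos-review.cfd%2FIMG-4471.zip
Manage your notifications: https://calendly.com/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
REDIRECT_HOSTS = {"share.google.com"}   # open redirect named in the report
SUSPICIOUS_TLDS = {"cfd"}                # TLD named in the report
AUTH_CHECKS = ("spf", "dkim", "dmarc", "compauth")


def parse_auth(header):
    """Return {check: result} from an Authentication-Results header value."""
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header))


def unwrap(url, max_hops=5):
    """Follow redirect parameters without any network access.

    Each hop is the first query-string value that is itself an absolute URL,
    which is the generic shape of an open redirect regardless of parameter name.
    """
    chain = [url]
    for _ in range(max_hops):
        qs = parse_qs(urlparse(chain[-1]).query)
        nested = next((v for vals in qs.values() for v in vals
                       if v.lower().startswith(("http://", "https://"))), None)
        if nested is None or nested in chain:
            break
        chain.append(nested)
    return chain


def assess(raw):
    """Score a message on where its links end up, not on who relayed it."""
    msg = message_from_string(raw)
    auth = parse_auth(msg.get("Authentication-Results", ""))
    auth_all_pass = all(auth.get(c) == "pass" for c in AUTH_CHECKS)

    links = []
    for url in URL_RE.findall(msg.get_payload()):
        chain = unwrap(url.rstrip(".,;)"))
        first_host = urlparse(chain[0]).hostname or ""
        final_host = urlparse(chain[-1]).hostname or ""
        tld = final_host.rsplit(".", 1)[-1]
        reasons = []
        if len(chain) > 1 and first_host in REDIRECT_HOSTS:
            reasons.append("redirect via " + first_host)
        if tld in SUSPICIOUS_TLDS:
            reasons.append("final host in ." + tld)
        if urlparse(chain[-1]).path.lower().endswith(".zip"):
            reasons.append("direct archive download")
        links.append({"chain": chain, "final_host": final_host, "reasons": reasons})

    # Authentication describes the relay; the verdict comes from the terminal link.
    verdict = "block" if any(link["reasons"] for link in links) else "allow"
    return {"auth": auth, "auth_all_pass": auth_all_pass, "links": links, "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_EMAIL)
    print("auth all pass:", result["auth_all_pass"], "| verdict:", result["verdict"])
    for link in result["links"]:
        print(" -> ".join(link["chain"]), link["reasons"])
```

The point of the split between `parse_auth` and `unwrap` is that the two answer different questions: the first tells you the relay was genuine, the second tells you where the click actually lands. A gateway that stops at the first answer is exactly what the laundering exploits.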
Post-infection behavior raises questions. Compromised systems performed headless browser automation with flags like --headless --no-sandbox. They checked geolocation through ip-api.com. Some executed shutdown commands. The threat actor compiled portable executables on victim devices using csc.exe, the C# compiler bundled with the .NET Framework on Windows. Microsoft researchers noted the effort put into obfuscation and dual persistence. “The threat actor’s investment in ensuring obfuscation and persistence could indicate that they’re preparing the victim devices for more follow-on activities,” the blog stated.
What those activities might be remains unclear. No confirmed data exfiltration, ransomware or named victims appeared in public reporting. Yet the access looks durable. Cleaning a single registry key leaves the other persistence path intact. Node.js files linger in AppData\Local. The runtime runs from user space and never appears in the installed-programs list. Remediation demands hunting both persistence mechanisms, the Defender exclusions, the dropped Node.js runtime and the JavaScript payload itself.
The pattern isn’t isolated. The Hacker News reported on June 26 that SOC Prime and ITOCHU Cyber & Intelligence had documented similar LNK-to-PowerShell-to-Node.js chains about two weeks earlier. Those findings aligned closely with Microsoft’s observations. Booking.com-themed attacks on hotels stretch back years. Earlier Storm-1865 campaigns used ClickFix social engineering to drop credential stealers. Staff clicked fake error prompts, pasted commands, and installed malware aimed at extranet logins.
Japan stands out for a reason. The country’s hospitality sector handles massive international travel. Many smaller properties use shared inboxes for both reservations and guest complaints. Front desk computers often run older Windows setups or lack endpoint detection. User accounts literally contain the words “reception” or “frontdesk” in multiple languages. That naming convention helped researchers spot concentrated targeting.
Trend Micro highlighted blockchain hosting as a growing evasion tactic. By storing control data on TON, operators avoid single points of failure. Commands update dynamically. Defenders can’t simply block one IP or domain. The InfoSecurity Magazine coverage of the Trend Micro findings on June 30 noted that scheduling-tool notifications also passed email authentication checks in the May wave.
Hotels face a compounding risk. Compromised Booking.com partner accounts allow attackers to alter reservations, steal guest details or redirect payments. Previous incidents showed criminals changing booking information and contacting travelers for fake “updates.” One 2026 wave linked to such hijacks exposed customer data indirectly through hotel portals. Booking.com itself stated its core systems stayed untouched. The breaches originated from partner extranet credentials.
Security teams in the sector now watch for specific signals. Look for photo-themed ZIP attachments under 2,100 bytes. Monitor PowerShell spawning from Explorer.exe with obfuscated or otherwise unusual command lines. Flag Node.js processes running from AppData, especially when their child processes touch registry Run keys. Network teams should block .cfd domains and watch for non-standard ports such as 56001 through 56003, 8443 and 8445 from reception workstations. Behavioral rules that catch suspicious Node.js execution provide early warning.
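The signals above as code, as an added example rather than any vendor’s published detection logic: a Python rule set run over constructed Sysmon-style process, registry and network events. It also covers the dual HKCU Run/RunOnce persistence and the Defender exclusions described earlier, so one evaluation pass catches both halves of the persistence that remediation has to remove. The PowerShell command-line markers, the Defender exclusion registry path, the process names and the sample telemetry are assumptions, not values taken from the reports; the ports, the lure naming and the 2,100-byte ceiling are the page’s own figures.

```python
import re

# Indicators taken from the reporting above: beacon ports, lure file naming
# and the 2,100-byte attachment ceiling.
C2_PORTS = {56001, 56002, 56003, 8443, 8445}
ZIP_SIZE_LIMIT = 2100
LURE_NAME = re.compile(r"^(IMG|PHOTO)-\d+\.zip$", re.IGNORECASE)

# Assumed heuristics (mine, not a vendor's published rule): encoded or
# hidden-window PowerShell, HKCU Run/RunOnce paths, the Defender exclusion
# subkey, and a user-writable AppData\Local path for node.exe.
PS_MARKERS = re.compile(r"-(enc|ec|e)\b|-w(indowstyle)?\s+hidden|bypass|BigInteger|FromBase64",
                        re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\", re.IGNORECASE)
APPDATA_LOCAL = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)

EXPLORER = r"C:\Windows\explorer.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE = r"C:\Users\reception\AppData\Local\Temp\node-v24.13.0-win-x64\node.exe"
REG = r"C:\Windows\System32\reg.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed telemetry modelled on Sysmon process-create, registry-set and
# network-connect events. Not real captures; the encoded blob is a placeholder.
EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 1504, "image": POWERSHELL, "parent_image": EXPLORER,
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAo"},
    {"type": "process", "pid": 4388, "ppid": 4120, "image": NODE, "parent_image": POWERSHELL,
     "cmdline": r"node.exe C:\Users\reception\AppData\Local\Temp\update.js"},
    {"type": "process", "pid": 4402, "ppid": 4388, "image": REG, "parent_image": NODE,
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NodeUpdate /t REG_SZ /d node.exe"},
    {"type": "registry", "pid": 4402, "image": REG,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NodeUpdate"},
    {"type": "registry", "pid": 4388, "image": NODE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Refresh"},
    {"type": "registry", "pid": 4120, "image": POWERSHELL,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\reception\AppData\Local\Temp"},
    {"type": "network", "pid": 4388, "image": NODE, "dest_ip": "198.51.100.23", "dest_port": 56002},
    # Benign noise that the rules must not flag.
    {"type": "process", "pid": 5010, "ppid": 1504, "image": FIREFOX, "parent_image": EXPLORER,
     "cmdline": "firefox.exe"},
    {"type": "network", "pid": 5010, "image": FIREFOX, "dest_ip": "203.0.113.5", "dest_port": 443},
    {"type": "process", "pid": 5100, "ppid": 1504, "image": POWERSHELL, "parent_image": EXPLORER,
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\printer-check.ps1"},
]
ATTACHMENTS = [{"name": "IMG-4471.zip", "size": 1843}, {"name": "invoice-march.pdf", "size": 84210}]


def lineage(pid, by_pid):
    """Image paths from pid upward through every recorded parent."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def node_in_lineage(images):
    return any(i.lower().endswith("\\node.exe") and APPDATA_LOCAL.search(i) for i in images)


def evaluate(events, attachments):
    """Return one alert dict per matched rule; benign events produce nothing."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for a in attachments:
        if LURE_NAME.match(a["name"]) and a["size"] < ZIP_SIZE_LIMIT:
            alerts.append({"rule": "lure-attachment", "detail": a["name"]})
    for e in events:
        image = e["image"]
        base = image.rsplit("\\", 1)[-1].lower()
        if e["type"] == "process":
            if (base == "powershell.exe" and e["parent_image"].lower().endswith("\\explorer.exe")
                    and PS_MARKERS.search(e["cmdline"])):
                alerts.append({"rule": "explorer-to-powershell", "pid": e["pid"], "detail": e["cmdline"]})
            if base == "node.exe" and APPDATA_LOCAL.search(image):
                alerts.append({"rule": "node-from-appdata", "pid": e["pid"], "detail": image})
        elif e["type"] == "registry":
            # Run/RunOnce writes count when node.exe from AppData is anywhere in the tree.
            if RUN_KEY.search(e["key"]) and node_in_lineage([image] + lineage(e["pid"], by_pid)):
                alerts.append({"rule": "node-persistence", "pid": e["pid"], "detail": e["key"]})
            if DEFENDER_EXCL.search(e["key"]):
                alerts.append({"rule": "defender-exclusion", "pid": e["pid"], "detail": e["key"]})
        elif e["type"] == "network" and e["dest_port"] in C2_PORTS:
            alerts.append({"rule": "c2-port-beacon", "pid": e["pid"],
                           "detail": f"{base} -> {e['dest_ip']}:{e['dest_port']}"})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS, ATTACHMENTS):
        print(alert)
```

Two alerts for `node-persistence` is the intended result: one per registry key. A responder who closes the ticket after the first one has left the second path in place, which is the durability the article warns about.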
The campaign continues to shift. File names change. Domains rotate. Obfuscation layers deepen. Yet the core social engineering holds steady. Create urgency around guest experience. Offer photographic “proof.” Count on tired staff to click without verification. That formula worked in April. It still works in July.
Larger chains have started awareness campaigns. They train staff to verify sender domains even when the email thread looks familiar. Some properties now route all guest photo submissions through a dedicated secure portal instead of email. Others disabled automatic LNK previews and blocked ZIP extraction for external sources.
Microsoft’s disclosure adds weight. The company’s visibility across millions of endpoints let researchers map two distinct waves. The first used IMG- prefixes and simpler chains. The second introduced PHOTO- names, .NET compilation steps and heavier Cloudflare integration. Both delivered the same TonRAT family. Both aimed at the same workforce.
Industry observers see this as part of a broader financially motivated push against travel infrastructure. Access to reservation systems yields quick fraud wins. Stolen guest data sells on underground markets. Persistent implants position attackers for bigger plays if the opportunity arises. Ransomware groups have shown interest in hospitality before. The current operators may sell access or wait for the right moment.
For now the message to hotel operators is direct. Treat every guest complaint attachment as suspect. Verify links independently. Scan downloads before opening. Update detection rules to watch for the exact behaviors Microsoft outlined. The cost of one clicked photo can stretch far beyond a bad review.
And the attackers know it. They count on it. The next wave likely waits just behind the current one. With fresh domains, updated scripts and the same compelling story about bugs in room 312.


WebProNews is an iEntry Publication