
Microsoft warns hotels of sophisticated phishing campaign delivering stealthy Node.js malware

Microsoft has uncovered an ongoing phishing campaign targeting hotels and hospitality businesses across Europe and Asia, where attackers are impersonating guests to trick employees into installing malware that provides long-term access to compromised systems.

According to Microsoft Threat Intelligence, the campaign has been active since April 2026 and primarily targets front desk, reception, and reservation staff with convincing emails about booking inquiries, customer complaints, lost belongings, and room issues. The messages are designed to resemble legitimate guest correspondence, increasing the likelihood that employees will open the attached files.

Rather than attaching traditional malware, the attackers send links through trusted services such as Calendly and Google’s redirect infrastructure. These techniques help the emails pass common authentication checks, including SPF, DKIM, and DMARC, making them appear more legitimate to both users and email security systems.

Victims who download the attached “Photo.zip” archive are presented with what appears to be an image file. In reality, the archive contains a malicious Windows shortcut (.LNK) disguised as a photo. Opening the file launches a multi-stage infection chain that ultimately installs a persistent Node.js implant on the victim’s computer.
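The lure described above relies on a shortcut file hiding inside an archive under an image-like name. As an added example (not Microsoft's or any vendor's tooling), the following mail-gateway style check inspects a ZIP in memory and flags entries that are Windows shortcuts, either by their `.lnk` extension or, going beyond the case in the article, by the fixed Shell Link header bytes, so a shortcut renamed to `.png` is still caught. The archive, its entry names and their contents are constructed for the demonstration.

```python
"""Flag Windows shortcut (.lnk) entries inside a ZIP attachment.

Added example, not code from the article or from Microsoft. The sample
archive is built in memory with placeholder names and bytes.
"""
import io
import zipfile
from typing import List, Tuple

# Every Shell Link file starts with HeaderSize 0x4C followed by the Shell Link
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def find_shortcut_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every shortcut found in the archive.

    reason is "extension", "content" or "extension+content" depending on
    whether the name ends in .lnk, the bytes carry the Shell Link header, or both.
    """
    flagged: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            by_name = info.filename.lower().endswith(".lnk")
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_content = head == LNK_MAGIC
            if by_name and by_content:
                flagged.append((info.filename, "extension+content"))
            elif by_name:
                flagged.append((info.filename, "extension"))
            elif by_content:
                flagged.append((info.filename, "content"))
    return flagged


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy hook: any shortcut entry is enough to hold the attachment for review."""
    return bool(find_shortcut_entries(zip_bytes))


def build_sample_archive() -> bytes:
    """Constructed test archive: one real-looking image and two shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Benign entry: JPEG start-of-image marker followed by filler bytes.
        zf.writestr("IMG_0412.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        # Shortcut with a double extension (Explorer hides the trailing .lnk).
        zf.writestr("Photo.jpg.lnk", LNK_MAGIC + b"\x00" * 64)
        # Shortcut renamed to an image extension: only the content check catches it.
        zf.writestr("Photo2.png", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, reason in find_shortcut_entries(sample):
        print(f"flagged {name}: {reason}")
    print("quarantine:", should_quarantine(sample))
```

The content check matters because the extension is the part an attacker controls most cheaply; reading only the first 20 bytes of each entry keeps the cost negligible even on large archives.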

Microsoft said the malware is designed to establish long-term persistence while avoiding detection. Once installed, it modifies Microsoft Defender settings, downloads additional payloads, creates persistence mechanisms, and begins communicating with command-and-control servers. Researchers also observed the malware collecting system information, launching headless browser sessions, and, in some cases, forcing systems to shut down unexpectedly.

The company has not attributed the campaign to a known threat actor, and the attackers’ ultimate objective remains unclear. However, Microsoft believes the observed activity is consistent with a reconnaissance phase that could precede credential theft, ransomware deployment, or other follow-on attacks.

Researchers recommend focusing on behavioral indicators instead of relying solely on known malware signatures. Warning signs include unexpected PowerShell activity, Node.js processes running from user profile directories, suspicious changes to Microsoft Defender exclusions, executables launched from temporary folders, unusual registry modifications, and outbound connections to newly registered .cfd domains over non-standard ports.
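To make the behavioral indicators listed above concrete, here is an added example (not Microsoft's detection logic) that runs a small rule set over endpoint telemetry: Node.js executing from a user profile, executables launched from temp folders, PowerShell started hidden or with an encoded command, Defender exclusion changes, writes to a Run key, and outbound connections to `.cfd` domains on ports other than 80/443. The event records, their field names (`kind`, `image`, `cmdline`, `path`, `key`, `dest`, `port`) and every path and domain in them are constructed placeholders, and the PowerShell heuristic is an assumption about what "unexpected" looks like rather than something the article specifies.

```python
"""Rule-based triage of endpoint events for the indicators in the article.

Added example, not Microsoft's detection logic. Event schema, paths and
domains below are constructed for the demonstration.
"""
import re
from typing import Callable, Dict, List, Tuple

USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?(\\|$)", re.I)
# Assumed heuristic: hidden window or encoded command on the PowerShell command line.
POWERSHELL_FLAGS = re.compile(r"-(enc|encodedcommand|w(indowstyle)?\s+hidden)", re.I)
STANDARD_WEB_PORTS = {80, 443}

Event = Dict[str, object]


def node_from_user_profile(e: Event) -> bool:
    return (e["kind"] == "process"
            and str(e["image"]).lower().endswith("node.exe")
            and USER_PROFILE.match(str(e["image"])) is not None)


def exe_from_temp(e: Event) -> bool:
    image = str(e.get("image", ""))
    return e["kind"] == "process" and image.lower().endswith(".exe") and TEMP_DIR.search(image) is not None


def powershell_hidden_or_encoded(e: Event) -> bool:
    return (e["kind"] == "process"
            and "powershell" in str(e["image"]).lower()
            and POWERSHELL_FLAGS.search(str(e.get("cmdline", ""))) is not None)


def defender_exclusion_change(e: Event) -> bool:
    return e["kind"] == "defender_exclusion"


def run_key_modified(e: Event) -> bool:
    return e["kind"] == "registry" and RUN_KEY.search(str(e["key"])) is not None


def cfd_nonstandard_port(e: Event) -> bool:
    return (e["kind"] == "network"
            and str(e["dest"]).lower().endswith(".cfd")
            and int(e["port"]) not in STANDARD_WEB_PORTS)


RULES: Dict[str, Callable[[Event], bool]] = {
    "node_from_user_profile": node_from_user_profile,
    "exe_from_temp": exe_from_temp,
    "powershell_hidden_or_encoded": powershell_hidden_or_encoded,
    "defender_exclusion_change": defender_exclusion_change,
    "run_key_modified": run_key_modified,
    "cfd_nonstandard_port": cfd_nonstandard_port,
}


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event id, rule name) for every rule that fires on an event."""
    hits: List[Tuple[int, str]] = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((int(e["id"]), name))
    return hits


# Constructed sample telemetry; none of these values are real indicators.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "kind": "process", "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node app.js"},
    {"id": 2, "kind": "process", "image": r"C:\Users\frontdesk\AppData\Roaming\nodejs\node.exe", "cmdline": "node run.js"},
    {"id": 3, "kind": "process", "image": r"C:\Users\frontdesk\AppData\Local\Temp\upd.exe", "cmdline": "upd.exe"},
    {"id": 4, "kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"id": 5, "kind": "defender_exclusion", "path": r"C:\Users\frontdesk\AppData\Roaming"},
    {"id": 6, "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 7, "kind": "network", "dest": "photo-preview-placeholder.cfd", "port": 8443},
    {"id": 8, "kind": "network", "dest": "www.example.com", "port": 443},
    {"id": 9, "kind": "network", "dest": "calendar-placeholder.cfd", "port": 443},
]

if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 9 is included deliberately: a `.cfd` destination on port 443 does not fire, because the article's indicator is the combination of a newly registered `.cfd` domain and a non-standard port, and a rule that alerts on the TLD alone would be noisier than the signal warrants.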

The campaign highlights a growing trend of attackers targeting the hospitality sector through highly personalized phishing emails. Hotels routinely receive messages from prospective guests, making reservation staff particularly vulnerable to social engineering attempts disguised as routine customer communications.

Microsoft advises hospitality organizations to train employees to verify unexpected email attachments, restrict the execution of shortcut files, monitor for suspicious PowerShell and Node.js activity, and ensure endpoint detection tools are configured to identify behavioral anomalies rather than relying exclusively on file-based signatures.