Microsoft has uncovered a new phishing campaign that has been targeting hotels and other hospitality businesses across Europe and Asia since April 2026. The attackers send emails pretending to be hotel guests asking about lost belongings. These messages include what appears to be a ZIP file containing photos of the missing item, encouraging hotel staff to open the attachment. Microsoft has not linked the activity to any known threat group so far.

The attached ZIP archive contains a disguised shortcut (LNK) file instead of genuine photographs. When an employee opens the file, it silently launches a series of malicious commands without displaying any pictures. The attackers rely on curiosity and normal hotel operations to convince staff that the request is legitimate. This simple social engineering trick allows the infection to begin without raising immediate suspicion.
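A mail gateway or sandbox can catch this lure before a person ever sees it: unpack the attachment and flag any entry that is a Windows shortcut, whether by extension, by the LNK header bytes, or by a name padded to look like a photo. The block below is an added illustration, not code from Microsoft's report; the archive it inspects is constructed inline for the example, and the file names inside it are invented.

```python
import io
import zipfile

# Windows ShellLinkHeader: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".heic")


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive entry that looks like a disguised shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("lnk-extension")
            if head == LNK_MAGIC:
                reasons.append("lnk-header")  # content check, independent of the name
            # "photo.jpg.lnk": an image extension hidden in front of the real one
            stem = lower[:-4] if lower.endswith(".lnk") else lower
            if stem.rstrip().endswith(IMAGE_EXTS) and reasons:
                reasons.append("double-extension")
            # Runs of spaces or a right-to-left override push the true extension out of view
            if "  " in name or "\u202e" in name:
                reasons.append("padded-or-rtl-name")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def should_quarantine(data: bytes) -> bool:
    return bool(inspect_zip(data))


def build_sample_archive() -> bytes:
    """Constructed sample: one harmless JPEG stub next to one shortcut posing as a photo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lost_items/IMG_2041.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG SOI + padding
        zf.writestr("lost_items/IMG_2042.jpg.lnk", LNK_MAGIC + b"\x00" * 64)      # minimal LNK header
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(finding)
```

The header check matters more than the extension check: renaming the entry does not change the first twenty bytes, so a shortcut stored as `IMG_2042.jpg` with no `.lnk` at all would still be reported. In production, run the inspection on the attachment before it reaches the mailbox and quarantine on any finding rather than on extension alone.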
Once the malicious file is executed, it downloads additional payloads from attacker-controlled infrastructure. The infection chain uses several legitimate Windows tools to avoid detection before installing a custom Node.js-based malware implant. Microsoft said the attackers carefully designed the process to blend into normal system activity. This makes the campaign more difficult for traditional security tools to detect.

The Node.js implant gives attackers persistent access to infected systems even after the initial phishing email is gone. It can receive commands from remote servers, execute instructions, collect information, and download additional malicious files when needed. Using Node.js also allows the malware to run across different environments with fewer compatibility issues. This flexibility makes it an attractive choice for cybercriminals.
Microsoft observed that the attackers focused on employees working in hotel front desks, reservations, and guest service departments. These teams regularly receive emails from customers, making them more likely to trust messages about forgotten belongings. Because handling guest requests is part of their daily work, suspicious emails can easily appear genuine. This increases the chances that the attachment will be opened.

Researchers also noted that the attackers used several techniques to remain hidden after gaining access. The malware creates persistence mechanisms that allow it to survive system reboots and continue communicating with command-and-control servers. By using trusted Windows components during the infection process, the attackers reduce the likelihood of triggering security alerts. This stealth helps maintain long-term access to compromised devices.
Microsoft has advised hospitality organizations to train employees to recognize phishing attempts involving unexpected ZIP attachments and suspicious guest requests. Security teams should also monitor systems for unusual execution of shortcut files, PowerShell commands, and unexpected Node.js processes. Keeping endpoint protection updated and restricting unnecessary script execution can help reduce the risk of compromise. Organizations are also encouraged to enable advanced email filtering and detection capabilities.
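The monitoring advice above can be turned into two concrete process-creation rules: a script interpreter spawned by the desktop shell (what opening a shortcut produces) with hidden-window or encoded-command flags, and a Node.js runtime running from a user-writable directory or started by an interpreter rather than a developer tool. The block below is an added example, not detection logic published by Microsoft; the event records it evaluates are constructed for the example, with field names modelled loosely on Sysmon process-creation telemetry, and the host and user names are invented.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process
    user: str


INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Flags and cmdlets that rarely appear when a person types a command by hand
HIDDEN_OR_ENCODED = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|downloadstring|invoke-webrequest|\biwr\b)"
)
# Locations an ordinary user can write to; a runtime installed by IT lives elsewhere
USER_WRITABLE = re.compile(r"(?i)\\(appdata|temp|tmp|downloads|programdata|public)\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(e: ProcessEvent) -> list[str]:
    """Return the names of the rules this event triggers (empty list if none)."""
    hits = []
    image = basename(e.image)
    parent = basename(e.parent_image)
    # Rule 1: explorer.exe launching an interpreter with hidden/encoded options
    if parent == "explorer.exe" and image in INTERPRETERS and HIDDEN_OR_ENCODED.search(e.command_line):
        hits.append("shortcut-launched-interpreter")
    # Rule 2: node.exe outside the install tree, or parented by a script interpreter
    if image == "node.exe" and (USER_WRITABLE.search(e.image) or parent in INTERPRETERS):
        hits.append("unexpected-node-runtime")
    return hits


def detect(events: list[ProcessEvent]) -> list[dict]:
    return [
        {"pid": e.pid, "user": e.user, "rules": rules}
        for e in events
        if (rules := evaluate(e))
    ]


# Constructed telemetry: the base64 in the first line is a dummy, not a real payload.
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB",
                 r"C:\Windows\explorer.exe", r"HOTEL\frontdesk01"),
    ProcessEvent(4188, r"C:\Users\frontdesk01\AppData\Roaming\svc\node.exe",
                 "node.exe index.js", r"C:\Windows\System32\cmd.exe", r"HOTEL\frontdesk01"),
    ProcessEvent(5120, r"C:\Program Files\nodejs\node.exe",
                 "node.exe build.js", r"C:\Program Files\VSCode\Code.exe", r"HOTEL\dev01"),
    ProcessEvent(5200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoExit -Command Get-Date", r"C:\Windows\explorer.exe", r"HOTEL\it01"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two benign events in the sample are there on purpose: a developer's Node.js build from the standard install path and an administrator's interactive PowerShell window produce no alert, which is the tuning a front-desk fleet needs. Correlating rule 1 and rule 2 on the same host within a few minutes is a stronger signal than either alone, and is what the infection chain described in the article would look like in the logs.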

The campaign highlights how attackers continue adapting phishing techniques to match specific industries and everyday business activities. Instead of using generic lures, they carefully imitate real customer interactions to increase success rates. Microsoft’s findings serve as a reminder that even routine emails can become entry points for sophisticated malware. Staying alert, verifying unexpected requests, and following strong security practices remain essential for defending against these targeted attacks.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news