Phishers Gain Persistence at EU, Asia Hospitality Orgs
ID: 40ef5e47-64de-510d-a415-d6566d4db14d
STIX ID: report--40ef5e47-64de-510d-a415-d6566d4db14d
Feed Name: Dark Reading
Microsoft and Trend Micro observed coordinated phishing campaigns targeting hotels and hospitality providers that use photo-themed ZIP archives containing LNK shortcuts to trigger obfuscated PowerShell and deploy Node.js-based implants or the TONResolver RAT; attackers focus on establishing persistent remote access and credential theft rather than immediate ransomware payouts. Notably, the campaigns abuse trusted services for delivery and employ a TON blockchain smart contract as a dead-drop resolver for C2, making takedowns harder; the reports include IOCs and recommend blocking or restricting PowerShell/Node.js execution, filtering blockchain connectivity, and monitoring for the described behaviours.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
