logo

Phishers Gain Persistence at EU, Asia Hospitality Orgs

ID: 40ef5e47-64de-510d-a415-d6566d4db14d

STIX ID: report--40ef5e47-64de-510d-a415-d6566d4db14d

Feed Name: Dark Reading

Threat Score
75/100

Date Published: 2026-06-30

Date Updated: 2026-07-02

Author: Elizabeth Montalbano

...
...

Microsoft and Trend Micro observed coordinated phishing campaigns targeting hotels and hospitality providers that use photo-themed ZIP archives containing LNK shortcuts to trigger obfuscated PowerShell and deploy Node.js-based implants or the TONResolver RAT; attackers focus on establishing persistent remote access and credential theft rather than immediate ransomware payouts. Notably, the campaigns abuse trusted services for delivery and employ a TON blockchain smart contract as a dead-drop resolver for C2, making takedowns harder; the reports include IOCs and recommend blocking or restricting PowerShell/Node.js execution, filtering blockchain connectivity, and monitoring for the described behaviours.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.