logo

Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access

ID: 958f1a32-ba3b-5bdf-acad-4af906d050f8

STIX ID: report--958f1a32-ba3b-5bdf-acad-4af906d050f8

Feed Name: Microsoft Security

Threat Score
75/100

Date Published: 2026-06-25

Date Updated: 2026-06-26

Author: Microsoft Defender Security Research Team

...
...

Microsoft Threat Intelligence describes an active, multi-stage intrusion campaign (since April 2026) against hospitality organizations that delivers photo-themed ZIP archives containing fake image LNK files; execution triggers heavily obfuscated PowerShell BigInt decoders that fetch scripts, optionally compile small .NET DLLs, and deploy a Node.js implant (TonRAT) which achieves dual persistence via HKCU\Run (Node.js) and HKCU\RunOnce (ProgramData PE). The actor abuses legitimate services (Calendly + Google redirects) to bypass email authentication, uses Cloudflare-fronted *.cfd* landing pages, rotates domains/IPs and non-standard C2 ports, modifies Defender exclusions, and demonstrates resilience to remediation; the report includes IOCs, MITRE ATT&CK mappings, advanced hunting queries, and mitigation guidance.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.