Skip to content
Auto-CTI
Back to all deep dives
MICROSOFT SECURITY BLOG

Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access

Strategic summary

The report details an active multi-stage intrusion campaign targeting the hospitality and hotel industry since April 2026. The attackers use photo-themed ZIP archives with fake image shortcuts to initiate a chain involving obfuscated PowerShell, a Node.js implant, and dual registry persistence. The campaign evolved in two waves, with the second wave adding dynamic .NET DLL compilation and new domain infrastructure. While the ultimate objective is unclear, the emphasis on obfuscation and persistence indicates preparation for further malicious activities.

Key findings

  • The campaign specifically targets the hospitality industry in Europe and Asia.
  • Attackers exploit legitimate services like Calendly and Google Redirect to bypass email authentication (authentication laundering).
  • The attack chain starts with a ZIP archive containing LNK files, leading to PowerShell execution and a Node.js implant with persistent C2 communication.
  • The second wave introduced a new stage with dynamic .NET DLL compilation via csc.exe.
  • Microsoft has not attributed this activity to a known threat actor, and the campaign may be laying groundwork for follow-on attacks.
ESC