Microsoft Warns of Hotel Phishing Campaign Delivering TonRAT Malware via Fake Booking Emails

Microsoft has uncovered an ongoing phishing campaign targeting hotels and hospitality organizations across Europe and Asia. Active since April 2026, the campaign uses convincing booking-related emails to deliver a Node.js-based remote access trojan (RAT) known as TonRAT, giving attackers persistent access to compromised front-desk systems.

While Microsoft has not attributed the campaign to a specific threat group, researchers warn that the attackers are using sophisticated delivery techniques to bypass email security controls, making the operation particularly concerning for the hospitality sector.

Hospitality Industry Targeted with Booking-Themed Phishing Emails

The attackers are exploiting common hotel operations by sending phishing emails disguised as legitimate booking or customer service communications.

The emails use the display name “Booking Manager (via Calendly)” and reference topics that hotel staff regularly encounter, including:

  • Guest complaints
  • Room booking inquiries
  • Bedbug reports
  • Health inspection notices
  • Customer stay reviews
  • Final warning notifications

According to Microsoft, the phishing emails have been observed in Japanese, Danish, and Dutch, with Japanese-language lures appearing most frequently.

Researchers also noted that the messages do not reference any specific hotel or recipient, indicating a large-scale phishing campaign rather than carefully targeted spear-phishing attacks.

Attackers Abuse Trusted Services to Evade Detection

One of the campaign’s most notable techniques is its use of legitimate online services to improve email delivery.

Instead of sending phishing emails directly from attacker-controlled infrastructure, the operators route messages through Calendly’s email notification system, allowing the emails to successfully pass SPF, DKIM, and DMARC authentication checks.

Microsoft describes this tactic as authentication laundering, where attackers abuse trusted services to make malicious emails appear legitimate.

Victims who click the embedded Calendly link are redirected through several trusted services, including Google’s URL redirection infrastructure, before ultimately landing on a newly registered .cfd domain protected by Cloudflare Turnstile.

The Turnstile verification not only makes the phishing page appear more legitimate but also helps attackers hinder automated security analysis.

Fake Image Files Install TonRAT Malware

After completing the verification page, victims download a ZIP archive named in the format:

photo-<numbers>.zip

Inside the archive is what appears to be a PNG image but is actually a Windows shortcut file, such as:

  • IMG-.png.lnk
  • PHOTO-.png.lnk

Opening the shortcut silently launches PowerShell, which executes an obfuscated script.
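The lure described above can be checked mechanically before a user ever opens it. The following is an added example (not code from Microsoft or the article) that inspects a ZIP archive for members whose image-like name hides a Windows shortcut, judging both by the double extension and by the Shell Link header bytes so that a renamed shortcut is still caught. The archive name pattern `photo-<numbers>.zip` comes from the article; the member names, the sample archive and its contents are constructed for the example.

```python
"""Added example: flag a booking-lure archive of the kind described above,
where a ZIP named photo-<numbers>.zip carries a Windows shortcut disguised
as an image (for example PHOTO-<numbers>.png.lnk). Sample data is constructed."""
import io
import re
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp")
# Archive naming pattern reported for the campaign (digits only after "photo-").
ARCHIVE_NAME_RE = re.compile(r"^photo-\d+\.zip$", re.IGNORECASE)


def is_lnk_bytes(data: bytes) -> bool:
    """True when the member starts with the shortcut header, whatever its name."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def has_image_double_extension(name: str) -> bool:
    """True for names such as IMG-123.png.lnk (an image extension hiding .lnk)."""
    lower = name.lower()
    return lower.endswith(".lnk") and lower[:-4].endswith(IMAGE_EXTS)


def scan_archive(zip_bytes: bytes, archive_name: str = "") -> dict:
    """Inspect every member by name and by header; return a structured verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            if has_image_double_extension(info.filename):
                reasons.append("double_extension")
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))  # header only, not the whole file
            if is_lnk_bytes(head):
                reasons.append("lnk_header")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return {
        "archive_name_matches_campaign": bool(ARCHIVE_NAME_RE.match(archive_name)),
        "findings": findings,
    }


def build_sample_archive() -> bytes:
    """Constructed fixture: one disguised shortcut, one real PNG, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PHOTO-48213.png.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("room-view.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("readme.txt", b"constructed sample, not real content")
    return buf.getvalue()


if __name__ == "__main__":
    verdict = scan_archive(build_sample_archive(), "photo-48213.zip")
    print("archive name matches campaign:", verdict["archive_name_matches_campaign"])
    for finding in verdict["findings"]:
        print(finding["member"], "->", ", ".join(finding["reasons"]))
```

The header check matters more than the name check: a mail gateway that only looks at extensions misses a shortcut renamed to `.png`, while the 20-byte Shell Link signature identifies the file type regardless of what it is called.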

The script uses BigInt arithmetic to decode a hidden download URL before retrieving an additional PowerShell payload into the user’s temporary directory.

Rather than relying on an existing installation, the malware downloads a legitimate Node.js v24.13.0 runtime directly from the official Node.js website and installs it locally within the user’s profile.

The attackers then execute their JavaScript-based malware without requiring administrative privileges or a system-wide Node.js installation.

TonRAT Uses the TON Blockchain for Command and Control

Microsoft tracks the JavaScript malware as TonRAT.

Instead of relying on hardcoded command-and-control (C2) domains, TonRAT retrieves its server information through the TON blockchain API, making traditional domain blocklists far less effective.

Once active, the malware establishes encrypted WebSocket connections with attacker-controlled servers using several uncommon ports, including:

  • 8443
  • 8445
  • 8453
  • 5555
  • 56001–56003

Security researchers also observed additional malicious behavior on infected systems, including:

  • Headless browser execution
  • IP geolocation checks using ip-api.com
  • Forced system shutdown commands
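Because TonRAT's C2 addresses are resolved through a blockchain lookup rather than hardcoded, blocking domains is weak; the observable that remains is the combination of a Node.js runtime running from the user profile, the uncommon ports listed above, and the ip-api.com geolocation check. The following added example (not code from Microsoft or the article) scores connection records on those three indicators. The log format, hostnames, paths and IP addresses are constructed for the example; the port list and ip-api.com come from the article.

```python
"""Added example: triage outbound connections for the TonRAT pattern described
above (user-profile node.exe, uncommon WebSocket ports, ip-api.com lookups).
The log format and every line in it are constructed for this example."""
import csv
import io
import re

# Ports the article lists for TonRAT's WebSocket C2 channels.
SUSPECT_PORTS = {8443, 8445, 8453, 5555} | set(range(56001, 56004))
GEOLOCATION_HOSTS = {"ip-api.com"}
# Node.js dropped under the user profile, as described for this campaign.
USER_PROFILE_NODE_RE = re.compile(r"\\appdata\\local\\nodejs\\node\.exe$", re.IGNORECASE)

# Constructed sample log (documentation IP ranges, invented host "frontdesk").
SAMPLE_LOG = """\
time,process_path,pid,dest_host,dest_port
2026-04-21T09:14:02Z,C:\\Users\\frontdesk\\AppData\\Local\\Nodejs\\node.exe,4120,203.0.113.17,8453
2026-04-21T09:14:05Z,C:\\Users\\frontdesk\\AppData\\Local\\Nodejs\\node.exe,4120,ip-api.com,80
2026-04-21T09:15:11Z,C:\\Program Files\\nodejs\\node.exe,2208,registry.npmjs.org,443
2026-04-21T09:16:40Z,C:\\Program Files\\Mozilla Firefox\\firefox.exe,3311,198.51.100.9,8443
"""


def score_connection(row: dict) -> tuple:
    """Return (severity, reasons) for one connection record."""
    reasons = []
    if USER_PROFILE_NODE_RE.search(row["process_path"]):
        reasons.append("node_from_user_profile")
    if int(row["dest_port"]) in SUSPECT_PORTS:
        reasons.append("uncommon_c2_port")
    if row["dest_host"].lower() in GEOLOCATION_HOSTS:
        reasons.append("geolocation_check")

    # A user-profile node.exe is the anchor indicator; 8443 alone is too common
    # (many legitimate services use it) to be more than a low-confidence hit.
    if "node_from_user_profile" in reasons and len(reasons) > 1:
        severity = "high"
    elif "node_from_user_profile" in reasons:
        severity = "medium"
    elif reasons:
        severity = "low"
    else:
        severity = "none"
    return severity, reasons


def analyze_log(text: str) -> list:
    """Parse the CSV log and return one alert per connection that scored."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        severity, reasons = score_connection(row)
        if severity != "none":
            alerts.append({"time": row["time"], "pid": int(row["pid"]),
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert["time"], alert["pid"], alert["severity"], ", ".join(alert["reasons"]))
```

The severity ladder is deliberate: a system-wide Node.js install talking to the npm registry on 443 produces nothing, a browser on 8443 produces only a low-confidence hit, and the user-profile node.exe combined with a listed port or the geolocation lookup is what an analyst should be paged for.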

Although Microsoft has not confirmed ransomware deployment or data theft, the malware provides attackers with persistent remote access that could enable additional malicious activity.

Persistence Makes Cleanup More Difficult

Researchers warn that TonRAT establishes persistence through multiple Windows Registry locations.

The malware creates entries in both the RunOnce registry key and a Node.js Run key while storing its runtime and JavaScript components under the user’s AppData\Local\Nodejs directory.

Removing only one persistence mechanism may leave the malware active, allowing attackers to regain control of the compromised system.
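A hunt for this persistence needs to enumerate both autostart locations and report them together, so that responders see when a host still has a second foothold after the first is removed. The following added example (not code from Microsoft or the article) does that over HKCU Run and RunOnce values. It works on supplied records so it runs anywhere; on Windows the `collect_run_entries()` helper reads the live keys through the standard `winreg` module. The sample entries, value names and paths are constructed; the `AppData\Local\Nodejs` location comes from the article.

```python
"""Added example: hunt Run/RunOnce persistence that matches the TonRAT
description above (Node.js runtime and scripts under AppData\\Local\\Nodejs).
Works on supplied records so it runs anywhere; on Windows, collect_run_entries()
reads the live keys via winreg. Sample records are constructed."""
import re

RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
NODEJS_DIR_RE = re.compile(r"\\appdata\\local\\nodejs\\", re.IGNORECASE)
NODE_RUNS_SCRIPT_RE = re.compile(r"node\.exe.*\.js\b", re.IGNORECASE)

# Constructed sample: two TonRAT-style entries plus one benign autostart.
SAMPLE_RUN_ENTRIES = [
    {"key": RUN_KEYS[0], "name": "Nodejs",
     "data": "\"C:\\Users\\frontdesk\\AppData\\Local\\Nodejs\\node.exe\" "
             "\"C:\\Users\\frontdesk\\AppData\\Local\\Nodejs\\app.js\""},
    {"key": RUN_KEYS[1], "name": "Update",
     "data": "\"C:\\Users\\frontdesk\\AppData\\Local\\Nodejs\\node.exe\" "
             "\"C:\\Users\\frontdesk\\AppData\\Local\\Nodejs\\loader.js\""},
    {"key": RUN_KEYS[0], "name": "OneDrive",
     "data": "\"C:\\Users\\frontdesk\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
]


def collect_run_entries() -> list:
    """Read HKCU Run/RunOnce values on Windows; return [] elsewhere or if absent."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for key_path in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    entries.append({"key": key_path, "name": name, "data": str(data)})
                    index += 1
        except OSError:
            continue  # key does not exist for this user
    return entries


def hunt_persistence(entries: list) -> dict:
    """Flag entries that launch Node.js from the user profile and report how many
    distinct autostart locations they occupy (clean-up must cover all of them)."""
    findings = []
    for entry in entries:
        reasons = []
        if NODEJS_DIR_RE.search(entry["data"]):
            reasons.append("nodejs_under_appdata_local")
        if NODE_RUNS_SCRIPT_RE.search(entry["data"]):
            reasons.append("node_exe_runs_js")
        if reasons:
            findings.append({"key": entry["key"], "name": entry["name"], "reasons": reasons})
    locations = sorted({f["key"].rsplit("\\", 1)[-1] for f in findings})
    return {"findings": findings, "persistence_locations": locations,
            "multiple_persistence": len(locations) > 1}


if __name__ == "__main__":
    live = collect_run_entries()
    report = hunt_persistence(live if live else SAMPLE_RUN_ENTRIES)
    for finding in report["findings"]:
        print(finding["key"], finding["name"], ", ".join(finding["reasons"]))
    print("persistence locations:", report["persistence_locations"],
          "multiple:", report["multiple_persistence"])
```

The `multiple_persistence` flag is the point of the exercise: when it is set, deleting the Run value alone leaves the RunOnce value (or the reverse) to restart the malware, and the on-disk runtime under `AppData\Local\Nodejs` must be removed in the same pass.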

Organizations should pay particular attention to reception, reservations, and front-office computers, which are the primary targets of this campaign.

Campaign Builds on Earlier Hotel Phishing Activity

Microsoft noted that the attack is consistent with findings previously published by SOC Prime and ITOCHU, both of which documented nearly identical phishing techniques involving malicious LNK files, PowerShell scripts, and Node.js malware.

Booking-themed phishing campaigns have become increasingly common in recent years, with previous attacks using malware families such as PureRAT to steal Booking.com credentials from hotel employees.

Final Objective Still Unknown

Although the attackers’ ultimate objective has not yet been determined, the campaign demonstrates a high level of sophistication in both delivery and persistence.

The combination of trusted email infrastructure, multiple redirection layers, Cloudflare protection, Node.js-based malware, and blockchain-powered command-and-control makes the operation significantly more advanced than traditional phishing attacks.

Hospitality organizations should strengthen email security, educate employees about booking-related phishing attempts, monitor for unauthorized PowerShell and Node.js activity, and ensure endpoint detection tools can identify unusual persistence mechanisms.

Until the attackers’ final payload or objectives become clear, organizations should treat this campaign as a serious threat capable of enabling long-term unauthorized access to critical hotel systems.