Feeds.4Sysops
Node.js Malware Campaign Targets Hospitality Industry with Photo Phishing
A multi-stage cyberattack campaign has been identified, targeting the hospitality sector in Europe and Asia since April 2026. The attackers utilize 'authentication laundering' techniques, exploiting legitimate services like Calendly and Google redirects to bypass email security measures. Phishing attempts often involve fake guest complaints or room inquiries, tricking staff into downloading malicious ZIP files that contain deceptive image shortcuts. These files deliver a persistent Node.js implant, allowing attackers to maintain access to compromised systems. The campaign highlights the evolving tactics of cybercriminals and their focus on specific industries. Microsoft Threat Intelligence has confirmed the ongoing nature of this threat, emphasizing the need for heightened security awareness in the hospitality sector.
Key Points:
• The hospitality industry in Europe and Asia is under attack from a Node.js malware campaign.
• Attackers use photo-themed phishing lures and authentication laundering to evade detection.
• Malicious ZIP files containing fake image shortcuts deliver a persistent Node.js implant.
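A mail or endpoint filter can flag the delivery step described above by inspecting ZIP attachments for shortcuts that pose as photos. The following is an added example, not code from the article or from Microsoft; it assumes the "image shortcuts" are Windows .lnk files, and the function names and sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# MS-SHLLINK header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp", ".heic"}


def find_disguised_shortcuts(zip_bytes):
    """Return (entry name, reasons) for every shortcut found in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            head = b""
            if not info.flag_bits & 0x1:  # encrypted entries need a password to read
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            is_lnk_name = path.suffix.lower() == ".lnk"
            reasons = []
            if is_lnk_name:
                reasons.append("lnk-extension")
            if head == LNK_MAGIC:
                reasons.append("lnk-header")
            if not reasons:
                continue
            # Explorer hides ".lnk", so "room_202.jpg.lnk" is shown as "room_202.jpg".
            shown = PurePosixPath(path.stem) if is_lnk_name else path
            if shown.suffix.lower() in IMAGE_EXTS:
                reasons.append("image-disguise")
            findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample: one ordinary photo and one shortcut posing as a photo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/room_201.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("photos/room_202.jpg.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in find_disguised_shortcuts(build_sample_zip()):
        print(name, reasons)
```

Checking the header bytes as well as the extension catches shortcut content stored under a different name inside the archive.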