A multi-stage malware campaign targeting the hospitality sector, particularly hotel staff in Europe and Asia, has been active since April 2026. Attackers employ phishing techniques using fake attachments to bypass email security and install a persistent Node.js implant on victim networks. The threat actors utilize obfuscated PowerShell and dynamic .NET compilation to evade detection, sending lures in multiple languages to exploit staff familiarity with daily tasks.
Once installed, the malware modifies system defenses and maintains persistence via registry changes. It poses significant security risks, likely allowing for data theft or ransomware deployment in the future. To mitigate risks, hotels should enhance email filtering, train staff to scrutinize attachments, and monitor unusual network activity.
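A host-triage sketch for the chain described above, added here as an example and not taken from the campaign reporting: it flags PowerShell spawning the C# compiler (one way dynamic .NET compilation shows up), `node.exe` running from a user-writable path, and a Run-key value that launches Node.js. The event shape, directory list, Run key, host names and paths are all assumptions, since the summary names no specific keys or file locations.

```python
import ntpath
from collections import defaultdict

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")  # assumed staging dirs
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"      # assumed persistence key

# Constructed events in a simplified process-creation / registry-set shape.
EVENTS = [
    {"host": "FRONTDESK-01", "type": "process",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"host": "FRONTDESK-01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\reception\AppData\Roaming\svc\node.exe"},
    {"host": "FRONTDESK-01", "type": "registry",
     "target": r"HKU\SID-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\reception\AppData\Roaming\svc\node.exe app.js"},
    {"host": "BACKOFFICE-03", "type": "process",  # lone hit, e.g. an admin script
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"host": "DEV-07", "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\nodejs\node.exe"},  # normal Node.js install
]

def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def match(ev):
    """Return the name of the heuristic an event trips, or None."""
    if ev["type"] == "process":
        image = ev["image"].lower()
        if base(image) == "csc.exe" and base(ev.get("parent")) in ("powershell.exe", "pwsh.exe"):
            return "powershell-dotnet-compile"
        if base(image) == "node.exe" and any(d in image for d in USER_WRITABLE):
            return "node-user-writable-path"
    elif ev["type"] == "registry":
        if RUN_KEY in ev["target"].lower() and "node.exe" in ev["details"].lower():
            return "run-key-launches-node"
    return None

def triage(events, threshold=2):
    """Map each host to its distinct rule hits; keep hosts at or above threshold."""
    hits = defaultdict(set)
    for ev in events:
        rule = match(ev)
        if rule:
            hits[ev["host"]].add(rule)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= threshold}
```

Requiring two or more distinct signals per host keeps a single legitimate PowerShell compile or a standard Node.js install from raising an alert on its own.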