Microsoft Threat Intelligence has identified a multi-stage intrusion campaign that has targeted the hospitality industry since April 2026. The campaign delivers photo-themed ZIP archives containing malicious LNK (Windows shortcut) files; opening a shortcut triggers a PowerShell chain that ultimately installs a Node.js implant. The operators have abused legitimate services (such as Calendly) so that their phishing emails pass email authentication checks, and the messages are crafted to lure recipients into executing the payloads.
The attack evolved in two waves, with changes to file naming conventions, the attack chain, and the obfuscation methods. Key mitigations recommended against this threat include scrutinizing suspicious ZIP attachments, hardening PowerShell execution, monitoring for unusual .NET compilation, and recognizing registry-based persistence mechanisms. The campaign's evasion and persistence techniques show that organizations in the affected sectors need layered defenses rather than reliance on email filtering alone.
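The first mitigation above, scrutinizing ZIP attachments for shortcut files dressed up as photos, can be automated at a mail gateway or in a triage script. The following is an added example written for this summary, not tooling from Microsoft's report or from the campaign itself. It inspects every entry in a ZIP for three signals: a `.lnk` extension, an image-style double extension such as `IMG_2042.jpg.lnk`, and the Shell Link binary header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), which catches shortcuts even when they have been renamed to a benign extension. The sample archive, the entry names and the reason labels are constructed for the example.

```python
import io
import posixpath
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x0000004C (little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")

# Extensions the campaign's photo-themed lures imitate (constructed list for the example).
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".heic"}


def classify_entry(name, head):
    """Return the list of reasons an archive entry looks like a shortcut lure.

    `name` is the entry path inside the ZIP; `head` is the first bytes of its content.
    Reason labels are hypothetical names chosen for this example.
    """
    reasons = []
    base = posixpath.basename(name).lower()
    if base.endswith(".lnk"):
        reasons.append("lnk-extension")
    if head.startswith(LNK_MAGIC):
        # Header check works even if the attacker renamed the file to .jpg
        reasons.append("lnk-header")
    parts = base.rsplit(".", 2)
    if len(parts) == 3 and "." + parts[1] in IMAGE_EXTS:
        # e.g. IMG_2042.jpg.lnk: the visible "photo" extension hides the real one
        reasons.append("image-double-extension")
    return reasons


def scan_zip_bytes(data):
    """Scan a ZIP held in memory; return [(entry_name, [reasons...]), ...] for hits only."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def is_suspicious(data):
    """True if any entry in the archive is flagged."""
    return bool(scan_zip_bytes(data))


def build_sample_zip():
    """Constructed sample: one real-looking JPEG, one photo-named LNK, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Photos/IMG_2041.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG SOI/APP0
        zf.writestr("Photos/IMG_2042.jpg.lnk", LNK_MAGIC + b"\x00" * 64)        # shortcut lure
        zf.writestr("README.txt", b"Photos from the venue walkthrough\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry, reasons in scan_zip_bytes(sample):
        print(f"SUSPICIOUS: {entry} ({', '.join(reasons)})")
```

To use this on real mail, feed the raw attachment bytes to `scan_zip_bytes` and quarantine on any hit; the header check is the one worth keeping even if you relax the extension rules, because it does not depend on the attacker's naming convention, which this campaign changed between its two waves.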