
HOSPITALITY businesses across Europe and Asia are facing a new phishing wave that delivers a Node.js-based remote access tool called TonRAT through malicious ZIP files masquerading as guest photos, Microsoft has warned.
The campaign, active since April 2026, uses fake guest-complaint emails to trick employees into opening the archive, giving the attackers a persistent foothold on the corporate network.
The archive contains a JavaScript loader that launches a PowerShell script to decrypt and execute the TonRAT payload; the malware then establishes persistence by adding a value under a Run key in the Windows registry.
Once installed, the malware contacts its command-and-control infrastructure through the TONResolver framework, a blockchain-based dead-drop resolver that hides C2 addresses in transaction metadata, which lets the operators change C2 servers without updating the implant and means a blocklist of the current C2 host offers little lasting protection.
The lure emails are written in several languages, Japanese being the most common, and claim to report health complaints or reservation problems from supposed guests, according to SecurityAffairs.
Attackers abuse legitimate services such as Calendly and Google to launder the reputation of the link, redirecting victims through trusted domains so that URL filters and users see only a benign first hop before the final download link is served.
Microsoft and Trend Micro have both observed the activity in the wild, according to industry reports, and neither has attributed the operation to a specific threat actor group so far.
The hospitality sector remains an attractive target due to its high volume of external correspondence and the frequent exchange of image files with partners and guests.
Organisations should block executable and script content inside ZIP attachments at the email gateway and enforce file-type policies that allow only known image formats, checked against the file content rather than the name alone, because a double extension such as .jpg.js passes a check on the displayed name while Windows still runs the file as a script.
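What such a gateway check looks like in practice, as an added example that is not from the article or from any of the vendors it cites: the inspector below opens an attachment, recurses into nested ZIPs, rejects script and executable members by their final extension, rejects anything that is not an allowed image type, and then confirms that members claiming to be images actually start with that format's magic bytes. The sample archive it builds is constructed for illustration (the member names and placeholder bytes are made up and contain no malware); the extension lists and magic bytes are the usual ones and can be tuned to local policy.

```python
import io
import zipfile

# Members with these extensions are never legitimate inside a "guest photos"
# archive: script hosts and executables a loader like the one in this campaign uses.
BLOCKED_EXT = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "psm1", "cmd", "bat",
    "exe", "scr", "dll", "msi", "lnk", "jar", "com", "pif",
}
NESTED_ARCHIVE_EXT = {"zip"}
# The only types the policy allows, with the magic bytes a genuine file starts with.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_DEPTH = 3  # stop unpacking archives-in-archives beyond this depth


def _final_ext(member_name):
    # Windows runs a file by its LAST extension: "IMG_0231.jpg.js" is a .js file.
    base = member_name.rsplit("/", 1)[-1].lower()
    return base.rsplit(".", 1)[1] if "." in base else ""


def inspect_zip(data, depth=0, prefix=""):
    """Return [(member, reason), ...] for every member that violates an
    images-only policy; an empty list means the archive may be delivered."""
    if depth > MAX_DEPTH:
        return [(prefix, "archives nested deeper than %d levels" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "not a valid ZIP archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            if info.flag_bits & 0x1:  # password-protected member: cannot be inspected
                findings.append((name, "encrypted member"))
                continue
            ext = _final_ext(info.filename)
            if ext in BLOCKED_EXT:
                findings.append((name, "script/executable extension .%s" % ext))
            elif ext in NESTED_ARCHIVE_EXT:
                findings.extend(inspect_zip(zf.read(info), depth + 1, name + "!/"))
            elif ext not in IMAGE_MAGIC:
                findings.append((name, "extension .%s is not an allowed image type" % (ext or "<none>")))
            else:
                # Extension claims an image; confirm the content agrees.
                with zf.open(info) as fh:
                    head = fh.read(16)
                if not head.startswith(IMAGE_MAGIC[ext]):
                    findings.append((name, "content does not match .%s magic bytes" % ext))
    return findings


def build_sample_attachment():
    """Constructed lure-like archive (not a real sample): one genuine-looking
    JPEG, an executable renamed .jpg, a script with a double extension, and a
    nested ZIP carrying a PowerShell file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("more_photos/room.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        z.writestr("more_photos/loader.ps1", b"# constructed placeholder, not malware\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("IMG_0231.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        z.writestr("IMG_0232.jpg", b"MZ" + b"\x00" * 64)  # PE header wearing a .jpg name
        z.writestr("guest_photo.jpg.js", b"// constructed placeholder, not malware\n")
        z.writestr("more_photos.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_attachment()):
        print("BLOCK %-45s %s" % (member, reason))
```

Encrypted members are reported rather than silently passed, because a password in the email body is a common way to get an archive past inspection; the gateway policy should treat an uninspectable member as a block, not as unknown.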
Enforcing multi-factor authentication on all remote access points and alerting on new or modified Run-key values can surface the persistence mechanism early.
Restricting PowerShell to signed, approved scripts and applying application control (AppLocker or Windows Defender Application Control) reduce the chance that the loader runs at all; because the first stage is a .js file that Windows Script Host executes when a user double-clicks it, blocking wscript.exe and cscript.exe, or re-associating .js with a text editor, removes that stage outright.
Finally, regular staff training that highlights the tell‑tale signs of spoofed guest complaints and unexpected archive files remains a core line of defence.
Security teams are advised to hunt for the registry values associated with TonRAT and to query network and DNS logs for connections to known TONResolver domains.
Sharing indicators of compromise with industry information sharing and analysis centres can improve collective visibility, while ensuring endpoint detection and response tools are kept up to date will aid in catching any future variants.