ProBackend
2 hours ago, 5 min read

Inside the New Wave of Hospitality-Targeted Phishing Campaigns

Recent phishing campaigns targeting the hospitality sector across Europe and Asia leverage sophisticated social engineering and persistence tactics, focusing on long-term remote access rather than immediate ransomware deployment.

Why Front-Desk Terminals Are Under Attack

Front-desk staff at hotels are paid to be helpful. When a guest emails complaining about a bedbug infestation or a broken booking link, they click. Attackers know code, but they also know human nature. They are abusing this helpfulness to establish long-term footholds on hotel reservation terminals. These aren't temporary smash-and-grab operations designed to deploy ransomware immediately. Instead, they are quiet, persistent access campaigns designed to steal credentials and move laterally throughout the corporate network.

Two separate campaigns, tracked by Microsoft and Trend Micro, targeted hospitality organizations in Europe and Asia. While a direct connection between the threat groups hasn't been confirmed, the playbook is identical. They abuse guest workflows, send malicious zip files containing shortcut (.LNK) files, and exploit legitimate infrastructure to bypass standard checks. It's a pragmatic, effective strategy that works because of who these employees are and what they are hired to do.

Under pressure to resolve customer complaints swiftly, reservation desk agents are highly susceptible to phishing attacks. The attackers don't need complex zero-day vulnerabilities when simple human courtesy provides a wide-open door. Once the endpoint is compromised, the attackers don't draw attention to themselves. They sit quietly, sniffing traffic, looking for databases, and waiting for the right moment to pivot deeper into the system.

The Mechanics of Authentication Laundering

Getting a phishing email past secure email gateways is half the battle. In the campaigns observed by Microsoft, the attackers used a technique called authentication laundering. Rather than building their own mail servers or using compromised domains that might get flagged, the threat actors routed their initial lures through trusted third-party services.

Specifically, they leveraged Calendly notification emails and Google redirect URLs. Because these messages genuinely originate from legitimate, trusted domains, they pass conventional email authentication checks like SPF, DKIM, and DMARC rather than having to evade them. The receiving email gateway sees a legitimate notification from a trusted SaaS platform and lets it through. Inside the message is a link that redirects the unsuspecting front-desk agent to download a malicious ZIP archive. It's a clever way to turn trusted cloud tools into delivery mules.

This technique is particularly insidious because it defeats automated security tools. Traditional filters look for suspicious domains or poor sender reputation. But when the email comes directly from Calendly's own infrastructure, the filter is blind. The system marks it as clean, leaving the front-desk agent to make the final, critical decision.
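To make that triage concrete, here is an added example (not from the article or from any of the vendors named) that applies the laundering logic above to a constructed Calendly-style notification. The sender domain genuinely passes authentication, so the check has to look past the sender at the redirect and the file type; hosts and addresses are placeholders and the trusted-notifier allowlist is an assumption.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Assumed allowlist of SaaS notifiers whose mail legitimately passes SPF/DKIM/DMARC.
TRUSTED_NOTIFIERS = {"calendly.com"}
# Redirector abused in the campaign (Google redirect URLs): /url?q=<target> or ?url=<target>.
REDIRECTORS = {"google.com", "www.google.com"}
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".iso", ".lnk")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap_redirect(url):
    """Resolve one level of Google-style redirect offline; otherwise return url unchanged."""
    p = urlparse(url)
    if p.netloc.lower() in REDIRECTORS and p.path == "/url":
        params = parse_qs(p.query)
        target = (params.get("q") or params.get("url") or [None])[0]
        if target:
            return target
    return url

def triage(raw_message):
    """Score one single-part RFC 822 message; passing authentication is not treated as safe."""
    msg = message_from_string(raw_message)
    sender_domain = msg.get("From", "").split("@")[-1].strip("> ").lower()
    trusted = sender_domain in TRUSTED_NOTIFIERS
    reasons = []
    if trusted:
        reasons.append(f"sender {sender_domain} is a trusted notifier; SPF/DKIM/DMARC pass by design")
    for url in URL_RE.findall(msg.get_payload()):
        final = unwrap_redirect(url)
        if final != url:
            reasons.append(f"link launders through {urlparse(url).netloc} to {final}")
        if urlparse(final).path.lower().endswith(ARCHIVE_SUFFIXES):
            reasons.append(f"final target is an archive/shortcut download: {final}")
    # Trusted origin plus a redirect or archive link is the laundering pattern: escalate to a human.
    suspicious = any(r.startswith(("link launders", "final target")) for r in reasons)
    verdict = "high" if trusted and suspicious else "medium" if suspicious else "low"
    return {"verdict": verdict, "reasons": reasons}

# Constructed lure: a genuine-looking Calendly notification whose link is a Google
# redirect to a "guest photos" archive (hosts and addresses are placeholders).
LURE = """From: Calendly <notifications@calendly.com>
To: frontdesk@hotel.example
Subject: New event: Booking link not working - Room 214
Authentication-Results: mx.hotel.example; spf=pass; dkim=pass; dmarc=pass

A guest scheduled a call about a broken booking link and attached photos:
https://www.google.com/url?q=https://files.cdn.example/guest_photos.zip
"""
```

`triage(LURE)` returns a "high" verdict with three reasons; the same notification with a direct calendly.com link and no archive scores "low".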

Inside the LNK and Node.js Attack Chain

Once the ZIP archive is downloaded, the victim finds what looks like a series of guest photos or reservation documents inside. But they aren't images. They're actually Windows Shortcut (.LNK) files. Because Microsoft has cracked down on VBA macros in Office and restricted other traditional vectors, shortcut files have become the go-to delivery tool for malware.

Opening the LNK file launches an invisible chain of events. It triggers an obfuscated PowerShell script. This script doesn't just run a quick attack; it downloads and configures a persistent Node.js implant. Node.js is a legitimate JavaScript runtime that developers use for apps. When it runs from user-space paths, it doesn't look like classic malware to basic antivirus tools. The attackers configure the implant to run persistently via Windows Registry entries. Every time the computer boots up, the Node.js implant starts, establishing an encrypted command-and-control (C2) channel back to the attacker.

Using Node.js is a clever choice. Since it's a legitimate tool, security software often ignores its activity. The implant sits in the background, executing scripts, monitoring typing, and maintaining a constant connection. It gives attackers an interactive shell right into the heart of the reservation desk without raising any alarms.
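A detection rule set for the chain just described, as an added example that is not part of the original article or either vendor's tooling: it classifies constructed Sysmon-style process-creation and registry events (field names follow Sysmon; hosts, paths, the SID and the encoded command are placeholders) and correlates the matched stages per host.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value set).
# Paths, SIDs and the encoded command are placeholders; FD-01 shows the full chain, FD-02 is benign.
EVENTS = [
    {"EventID": 1, "Host": "FD-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc BASE64PLACEHOLDER"},
    {"EventID": 1, "Host": "FD-01", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\frontdesk\AppData\Roaming\nodejs\node.exe",
     "CommandLine": r"node.exe C:\Users\frontdesk\AppData\Roaming\nodejs\loader.js"},
    {"EventID": 13, "Host": "FD-01",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\nodejs",
     "Details": r"C:\Users\frontdesk\AppData\Roaming\nodejs\node.exe C:\Users\frontdesk\AppData\Roaming\nodejs\loader.js"},
    {"EventID": 1, "Host": "FD-02", "ParentImage": r"C:\Program Files\SomeApp\app.exe",
     "Image": r"C:\Program Files\nodejs\node.exe", "CommandLine": "node.exe server.js"},
]

USER_SPACE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
HIDDEN_PS = re.compile(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?|nop|noprofile|ep\s+bypass)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
NODE_JS_PAYLOAD = re.compile(r"node(\.exe)?\b.*\.js\b", re.I)

def classify(ev):
    """Return the chain stages one event matches (empty list if none)."""
    hits = []
    image, parent = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
    if ev["EventID"] == 1:
        if image.endswith("\\powershell.exe") and parent.endswith("\\explorer.exe") \
                and HIDDEN_PS.search(ev.get("CommandLine", "")):
            hits.append("lnk_hidden_powershell")      # shortcut double-click -> hidden/encoded PowerShell
        if image.endswith("\\node.exe") and USER_SPACE.search(image):
            hits.append("node_from_user_space")       # runtime dropped outside Program Files
        if image.endswith("\\node.exe") and parent.endswith("\\powershell.exe"):
            hits.append("powershell_spawns_node")
    elif ev["EventID"] == 13:
        if RUN_KEY.search(ev.get("TargetObject", "")) and NODE_JS_PAYLOAD.search(ev.get("Details", "")):
            hits.append("run_key_node_persistence")   # Registry Run entry relaunching node + script at boot
    return hits

def correlate(events):
    """Per host, collect matched stages; two or more distinct stages on one host is an incident."""
    by_host = {}
    for ev in events:
        for stage in classify(ev):
            by_host.setdefault(ev["Host"], set()).add(stage)
    return {host: sorted(stages) for host, stages in by_host.items() if len(stages) >= 2}
```

`correlate(EVENTS)` reports only FD-01, with all four stages; the developer workstation FD-02 running Node.js from Program Files produces no hit.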

Blockchain Smart Contracts as Resilient Dead-Drops

The Trend Micro campaign targeting Booking.com partner hotels in Japan introduced a different, more resilient payload called TONResolver. This is a JavaScript-based remote access Trojan (RAT). What makes TONResolver highly notable is how it finds its command-and-control server. Traditional malware hardcodes C2 domains or uses dynamic DNS. These can be sinkholed or seized by law enforcement.

Instead, TONResolver uses a dead-drop resolver built on The Open Network (TON) blockchain. The malware queries a specific smart contract deployed on the TON network to retrieve the destination IP address or domain name for its C2 operations. If defenders block one of the attacker's domains, the attacker simply updates the target address within the smart contract. Every infected reservation terminal will automatically connect to the new address.

According to security analysts, this approach renders traditional takedown playbooks useless. There is no central server to seize, and no DNS domain to sinkhole. Because the TON blockchain is decentralized, the smart contract is publicly accessible and practically immutable. The attackers have found a way to make their infrastructure permanent. According to Dark Reading's reporting, this technique is moving from a novel experiment to a widely adopted evasion tactic.

How to Secure Hotel Reservation Terminals

Preventing these attacks requires changing how we secure the reservation desk. First, treat any photo-themed ZIP archive or shortcut file sent via email as high-risk. Front-desk computers never need to launch LNK files extracted from compressed archives, and front-desk workflows never require opening zip files sent by random guests.

Second, lock down Node.js and PowerShell on customer-facing terminals. There's absolutely no legitimate business reason for a front-desk reservation screen to launch node.exe or execute raw PowerShell scripts. Blocking these binaries from running out of user-space paths stops the attack chain cold.

Finally, restrict outbound network access. Most hotels do not need their reservation systems connecting to blockchain networks or TON nodes. Blocking outbound traffic to known blockchain platforms and smart contract endpoints severs the dead-drop resolver mechanism entirely. Security isn't about buying new products; it's about restricting endpoints to only the behaviors they need to perform their jobs.