• Hackers are establishing persistence in hospitality and hotels by

    From TechnologyDaily@1337:1/100 to All on Friday, June 26, 2026 15:15:29
    Hackers are establishing persistence in hospitality and hotels by posing as guests with poisoned ZIP archives, but no one knows what their plan is

    Date:
    Fri, 26 Jun 2026 14:05:00 +0000

    Description:
    It looks like reconnaissance activity, possibly in preparation of a more destructive attack.

    FULL STORY ======================================================================
    Microsoft Threat Intelligence warns of a phishing campaign targeting hotel staff in Europe and Asia with guest-complaint-themed emails. The attackers abuse services such as Calendly and Google redirects so their messages pass email authentication checks, delivering photo-themed ZIPs that install a persistent Node.js implant. The malware carves out Defender exclusions for itself, runs C2 beaconing, gathers system information, and forces shutdowns; signs include unusual PowerShell activity, Node.js execution, and suspicious registry entries.

    Hackers are establishing a foothold on hotels and hospitality organizations across Europe and Asia, but no one really knows what for, at least not yet.

    This is according to Microsoft Threat Intelligence, which recently published a report saying that since April it has been tracking an active phishing campaign. In this campaign, the unnamed attackers target front desk, reception, and reservations staff with emails about guest complaints, room conditions, bedbug infestations, booking inquiries, and similar. The
    messages, sent in different languages (Danish, Dutch, Japanese), are not distributed directly. Instead, the crooks abuse legitimate services such as Calendly and Google's redirect infrastructure: because the mail leaves the legitimate service's own infrastructure, it passes SPF, DKIM, and DMARC authentication checks.

    Tricking Defender

    This "authentication laundering", as Microsoft puts it, results in photo-themed ZIP archives making their way directly to victims. The archives contain fake image files: Windows shortcut (.LNK) files that, at a glance, appear to be harmless .PNG images. Opening one launches a sophisticated multi-stage infection chain that installs a persistent Node.js-based implant.
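    As an added example (not Microsoft's or the article's code), the script below triages an incoming archive of the kind described above. It flags an entry if its name ends in .lnk, if its first bytes carry the Windows shortcut header regardless of the name, or if it claims to be a .png but does not start with the PNG signature. Checking bytes rather than names matters because Explorer always hides the .lnk extension, so "photo.png.lnk" displays as "photo.png". The archive is constructed inline; the file names and the double-extension trick are assumptions, since the article does not give the exact names the attackers used.

```python
import io
import zipfile

# HeaderSize (0x4C) followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}
# in its on-disk byte order: every Windows .lnk file begins with these 20 bytes.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_sample_zip() -> bytes:
    """Constructed sample archive, not one from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A real PNG header: benign.
        zf.writestr("room_102/photo1.png", PNG_MAGIC + b"\x00" * 64)
        # Double extension (assumed lure naming): Explorer shows this as photo2.png.
        zf.writestr("room_102/photo2.png.lnk", LNK_MAGIC + b"\x00" * 64)
        # Extension says PNG, bytes say shortcut: caught by the header check only.
        zf.writestr("room_102/photo3.png", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def triage_zip(data: bytes) -> list[dict]:
    """Return the entries that look like shortcuts posing as images, with reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(len(LNK_MAGIC))
            name = info.filename.lower()
            reasons = []
            if name.endswith(".lnk"):
                reasons.append("shortcut_extension")
            if head.startswith(LNK_MAGIC):
                reasons.append("lnk_header")
            if name.endswith(".png") and not head.startswith(PNG_MAGIC):
                reasons.append("png_ext_bad_magic")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["name"], "->", ", ".join(f["reasons"]))
```

    At a mail gateway the same logic applies to every archive member before delivery; a shortcut inside a "photos" ZIP has no legitimate reason to be there, so quarantining on any of the three reasons is a low-false-positive rule.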

    After being deployed, the malware adds itself (and other randomly named executables) to Microsoft Defender's process exclusions, downloads additional payloads, and copies itself into different locations.

    On compromised systems, Microsoft observed the malware running command-and-control beaconing, gathering environmental information such as the victim's public IP details, launching headless browser sessions, and in some cases forcing immediate system shutdowns. While Microsoft could not say what the goal of the campaign is, the activity points to a reconnaissance stage, which usually precedes a more disruptive malware or ransomware attack.

    Microsoft recommends organizations focus on detecting the campaign's behavior rather than individual indicators. Key signs include photo-themed ZIP archives, unusual PowerShell activity, unexpected Node.js execution from user profile directories, .NET compilation initiated by PowerShell, and changes to Defender exclusions.

    Further signs are randomly named executables running from temporary folders, suspicious Run and RunOnce registry entries, outbound connections on the campaign's non-standard ports, connections to newly registered .cfd domains, and headless browser activity followed by forced shutdown commands.
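    As an added example (not Microsoft's or the article's code), the script below turns the behavioral signs listed in the two paragraphs above into hunt rules run over process-creation and network events, and correlates a headless browser launch with a later shutdown on the same host. The telemetry is constructed inline in a Sysmon/4688-style shape; the implant path, the random executable name, the Add-MpPreference command line, the port and the .cfd domain are illustrative assumptions, not indicators from the report.

```python
import re
from datetime import datetime, timedelta


def ev(ts, image, parent="", cmd="", dst=None, port=None, host="FD-01"):
    """One process-creation or network event (Sysmon/4688-style export)."""
    return {"ts": ts, "host": host, "image": image, "parent": parent,
            "cmd": cmd, "dst": dst, "port": port}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE = r"C:\Users\front\AppData\Roaming\nd\node.exe"        # assumed implant path
TEMP_EXE = r"C:\Users\front\AppData\Local\Temp\qzxv84a.exe"  # assumed random name

# Constructed sample telemetry, not data from the campaign. Paths, names, port and
# domain are assumptions shaped by the article's list of signs.
SAMPLE_EVENTS = [
    ev("2026-06-26T09:00:05", PS, r"C:\Windows\System32\cmd.exe",
       "powershell.exe -w hidden -ep bypass -c Add-MpPreference -ExclusionProcess qzxv84a.exe"),
    ev("2026-06-26T09:00:06", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", PS,
       r"csc.exe /noconfig /fullpaths @C:\Users\front\AppData\Local\Temp\abc.cmdline"),
    ev("2026-06-26T09:00:09", NODE, PS, "node.exe loader.js"),
    ev("2026-06-26T09:00:10", TEMP_EXE, NODE, "qzxv84a.exe"),
    ev("2026-06-26T09:00:11", r"C:\Windows\System32\reg.exe", NODE,
       r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v nd /d " + NODE),
    ev("2026-06-26T09:00:12", NODE, "", "node.exe", dst="lookup.example.cfd", port=4433),
    ev("2026-06-26T09:01:00", r"C:\Program Files\Google\Chrome\Application\chrome.exe", NODE,
       "chrome.exe --headless --disable-gpu https://example.invalid/"),
    ev("2026-06-26T09:01:20", r"C:\Windows\System32\shutdown.exe", NODE, "shutdown.exe /s /f /t 0"),
    # Benign noise on another host: a developer running Node from Program Files.
    ev("2026-06-26T09:02:00", r"C:\Program Files\nodejs\node.exe",
       r"C:\Windows\System32\cmd.exe", "node.exe build.js", host="IT-07"),
]

USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b", re.I)
DEFENDER_EXCL = re.compile(r"add-mppreference.*-exclusion(process|path|extension)", re.I)
HEADLESS = re.compile(r"--headless", re.I)
STANDARD_PORTS = {80, 443}


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(e):
    """Single-event rules; each string is one of the article's behavioral signs."""
    hits = []
    img, par, cmd = e["image"], e["parent"], e["cmd"]
    if base(img) == "node.exe" and USER_PROFILE.search(img):
        hits.append("node_from_user_profile")
    if base(img) == "csc.exe" and base(par) == "powershell.exe":
        hits.append("dotnet_compile_from_powershell")
    if base(img) == "powershell.exe" and DEFENDER_EXCL.search(cmd):
        hits.append("defender_exclusion_added")
    if img.lower().endswith(".exe") and TEMP_DIR.search(img):
        hits.append("exe_from_temp")
    if RUN_KEY.search(cmd):
        hits.append("run_key_persistence")
    if e["dst"]:
        if e["dst"].lower().endswith(".cfd"):
            hits.append("cfd_domain")
        if e["port"] not in STANDARD_PORTS:
            hits.append("nonstandard_port")
    return hits


def hunt(events, window=timedelta(minutes=5)):
    """Apply the single-event rules, then the headless-browser -> shutdown sequence."""
    findings, last_headless = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        for h in classify(e):
            findings.append((e["host"], e["ts"], h))
        ts = datetime.fromisoformat(e["ts"])
        if HEADLESS.search(e["cmd"]):
            last_headless[e["host"]] = ts
        if base(e["image"]) == "shutdown.exe":
            t0 = last_headless.get(e["host"])
            if t0 is not None and ts - t0 <= window:
                findings.append((e["host"], e["ts"], "headless_then_shutdown"))
    return findings


def score_hosts(findings):
    """Distinct sign count per host: several different signs on one host is the signal."""
    per = {}
    for host, _, h in findings:
        per.setdefault(host, set()).add(h)
    return {h: len(s) for h, s in per.items()}


if __name__ == "__main__":
    for host, ts, kind in hunt(SAMPLE_EVENTS):
        print(host, ts, kind)
    print(score_hosts(hunt(SAMPLE_EVENTS)))
```

    Scoring distinct signs per host, rather than alerting on any one rule, is what "detect the behavior, not the indicator" means in practice: Node.js from a profile directory or a Run key on its own is common in a hotel's back office, but five or more of these signs on one front-desk machine within a few minutes is not. On real data, map Sysmon event IDs 1 (process), 3 (network) and 13 (registry set) into `ev`, and replace the illustrative port and TLD checks with your own allow-lists.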




    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/hackers-are-establishing-persistence-in-hospitality-and-hotels-by-posing-as-guests-with-poisoned-zip-archives-but-no-one-knows-what-their-plan-is


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)