Microsoft Threat Intelligence has identified an active, multi-stage intrusion campaign that has targeted organizations in the hospitality and hotel industry since April 2026. Attackers delivered browser-downloaded photo-themed ZIP archives that contained executable shortcut files disguised as images. When opened, these shortcuts kicked off an obfuscated PowerShell chain that fetched a Node.js–based implant, established dual registry persistence, and initiated command-and-control (C2)
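
As a triage aid for the delivery stage described above, the following added example (not code from Microsoft's report) inspects a downloaded ZIP archive and flags members that are Windows shortcut files presented as images. The list of image extensions, the double-extension heuristic, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Assumption: extensions a "photo" lure would imitate.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".heic", ".webp"}


def find_disguised_shortcuts(zip_bytes: bytes) -> list:
    """Return one finding per archive member that is a Windows shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            is_lnk_name = bool(suffixes) and suffixes[-1] == ".lnk"
            is_lnk_content = head == LNK_MAGIC
            if not (is_lnk_name or is_lnk_content):
                continue
            findings.append({
                "name": info.filename,
                "lnk_by_content": is_lnk_content,
                # e.g. "photo.jpg.lnk": Explorer hides ".lnk", leaving "photo.jpg"
                "image_double_ext": is_lnk_name
                and any(s in IMAGE_EXTS for s in suffixes[:-1]),
                # shortcut bytes stored under a non-.lnk (image) name
                "ext_mismatch": is_lnk_content and not is_lnk_name,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not campaign data): names and bytes are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("room_photos/IMG_0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        z.writestr("room_photos/IMG_0002.jpg.lnk", LNK_MAGIC + b"\x00" * 56)
        z.writestr("room_photos/IMG_0003.png", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_disguised_shortcuts(build_sample_zip()):
        print(finding)
```

Checking the header bytes as well as the file name catches a shortcut that has been renamed to an image extension, which a name-only filter would miss.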
