🟠 High | Source: The Hacker News
A phishing campaign active since April 2026 is targeting hotels and hospitality organisations across Europe and Asia, using ZIP files disguised as photo submissions to install a Node.js-based implant on front-desk systems. Microsoft has identified the campaign but has not linked it to a known threat group, and the attackers’ ultimate objective remains unclear. The technique exploits a common workflow in hotels — receiving guest or booking photos — making the lure particularly convincing for front-desk staff.
Security Architect’s Take: Ensure endpoint controls on hospitality-facing workstations block the execution of Node.js runtimes unless explicitly required, and enforce email attachment policies that quarantine or sandbox ZIP files before delivery. Consider reviewing whether front-desk machines have network segmentation in place to limit lateral movement if an implant gains a foothold.
Original advisory: Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant