At a glance
- Actor: Unknown threat actor
- Activity type: Phishing and multi-stage intrusion
- Targets: Hospitality and hotel industry (Europe and Asia)
- Scale: Unspecified number of impacted organizations
- Status: Active since April 2026
- Source: Microsoft Threat Intelligence
Summary
A multi-stage intrusion campaign targets hotel staff with fake photo attachments. Attackers bypass email defenses to deliver malicious payloads. Subsequently, they install a durable backdoor on victim networks.
What Happened
A newly discovered hospitality malware campaign targets hotels across Europe and Asia. Security researchers observed this activity starting in April 2026. Attackers send phishing emails to hospitality staff. They use fake guest complaints and room inquiries to create urgency. Ultimately, these messages aim to trick employees into downloading malicious files.
Furthermore, the attackers abuse legitimate services to hide their tracks. They route emails through Calendly and Google redirect links. Consequently, this laundering of links through trusted domains lets the messages slip past standard email security checks. “The campaign uses photo-themed ZIP archives that the target users download through the browser,” the report states.
Next, victims open the fake image files. This action triggers a complex infection process. “These archives contain fake image shortcut files that, when launched, start an attack chain that relies on obfuscated PowerShell, a Node.js-based implant, dual registry persistence, and command-and-control (C2) communications over non-standard ports,” Microsoft explains.
The hospitality malware campaign evolved recently. A second wave introduced new evasion techniques. Specifically, attackers started using dynamic .NET compilation. They also hid their infrastructure behind Cloudflare. Thus, they made tracking and detection much harder for network defenders.

Who Is Behind It
Investigators do not know the exact identity of the attackers. “Microsoft has not attributed this campaign to a known threat actor,” the official advisory notes. However, the group displays a high level of technical discipline. They update their obfuscation tactics frequently to avoid detection.
For example, researchers observed seven distinct phases of PowerShell obfuscation. The attackers continually tweak their code to evade security scanners. Indeed, they rely on arithmetic operations to decode hidden payloads. This strategy shows a strong commitment to long-term operational success.
Impact and Scale
The attackers focus heavily on hotel reception and front desk staff. They send lures in multiple languages, including Japanese, Danish, and Dutch. Therefore, the threat affects international hotel chains globally. They exploit staff familiarity with daily reservation workflows. The emails feature highly generic subjects. They mention anonymous guests rather than specific names. This approach indicates high-volume distribution rather than targeted attacks.
Once installed, the Node.js implant creates severe security risks. Attackers use a dual persistence model. They add registry keys to ensure the malware survives system reboots. Even if antivirus software blocks one file, the secondary mechanism redownloads the payload.
Subsequently, the malware modifies built-in system defenses. It adds process exclusions to hide follow-on malicious files. Finally, the malware communicates with external servers over non-standard ports. It establishes a durable foothold for future exploitation. The campaign also involves forced system shutdowns. This behavior likely hides visible symptoms of the infection from users.
What Comes Next and How to Stay Protected
The ultimate goal of this hospitality malware campaign remains unknown. The heavy investment in persistence suggests attackers plan long-term network access. They might steal sensitive guest data or deploy ransomware next. The threat actors are preparing victim devices for more destructive actions.
Administrators must remove all persistence mechanisms to clean infected systems completely. They should delete the specific RunOnce registry keys and the Node.js files.
Finally, hotels should train staff to scrutinize unexpected photo attachments. Security teams must monitor network traffic for unusual ports. They should block known malicious domains immediately. Protecting the hospitality sector requires strict email filtering and continuous staff education.
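The following PowerShell triage script is an added example, not code from Microsoft or this article. It checks a Windows host for the three traits described above: Run/RunOnce entries that launch Node.js or a script, Defender process or path exclusions, and established connections to non-standard ports. The match pattern, the port list and the private-range filter are constructed assumptions for illustration, not published indicators.

```powershell
# Added triage example for the traits described in the article; patterns are assumptions.
function Invoke-PersistenceTriage {
    # Hypothetical pattern: Run/RunOnce values that start node.exe, a .js file, or encoded PowerShell
    $suspiciousPattern = 'node(\.exe)?\b|\.js\b|powershell.*-e(nc|ncodedcommand)?\s'
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $findings = @()

    # 1. Dual registry persistence: inspect every value under the four autostart keys
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath etc.)
            if ($p.Value -match $suspiciousPattern) {
                $findings += [pscustomobject]@{ Check = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # 2. Defender exclusions: the article reports process exclusions added to hide follow-on files
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($ex in @($pref.ExclusionProcess) + @($pref.ExclusionPath)) {
        if ($ex) { $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Location = $ex; Detail = '' } }
    }

    # 3. Established outbound connections on ports outside a constructed "usual" set
    $commonPorts = 80, 443, 53, 445, 3389, 22
    $private = '^(127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|::1$)'
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -notin $commonPorts -and $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Check = 'OddPort'; Location = "$($_.RemoteAddress):$($_.RemotePort)"; Detail = $proc.ProcessName
            }
        }
    return $findings
}

# Run from an elevated prompt so HKLM keys, Defender preferences and process owners are readable
Invoke-PersistenceTriage | Format-Table -AutoSize
```

Findings are leads for analyst review, not verdicts: legitimate software also uses Run keys and exclusions, so compare each hit against a known-good baseline before removing it.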