Hotel and hospitality photo-ZIP phishing campaign
Campaign
Summary
An active phishing campaign is targeting hotel and hospitality organizations across Europe and Asia, increasing the risk of front-desk machine compromise and durable access. The operation has run since April 2026 and uses photo-themed ZIP files to deliver a Node.js implant. The lure chain leans on Calendly and Google redirect infrastructure, and there is no confirmed data theft or ransomware tied to the activity.
Related Happenings
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score: 24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources: 1
How related:
The implant is tracked as TonRAT. It resolves its C2 domains through the TON blockchain API, then opens an encrypted WebSocket channel, per SOC Prime.
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
Google DoubleClick malspam campaign delivering DesckVB RAT
Campaign
H score: 33
First: 03.06.2026 19:29
Last: 03.06.2026 19:29
Sources: 1
About this happening:
A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score: 41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources: 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
Campaign
H score: 33
First: 22.05.2026 19:20
Last: 22.05.2026 19:20
Sources: 1
About this happening:
A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
H score: 29
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources: 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Timeline
26.06.2026 12:27 2 articles · 2h ago
Photo-themed ZIP phishing targets hotel and hospitality organizations
Initial Disclosure
An active phishing campaign targets hotel and hospitality organizations across Europe and Asia with photo-themed ZIP files that deliver a Node.js implant through a LNK-to-PowerShell chain. The activity is not attributed to a known threat actor, and no confirmed data theft, ransomware, or named victims are identified.
- Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant — thehackernews.com — 26.06.2026 12:27