Microsoft Threat Intelligence identified a multi-stage campaign targeting hospitality and hotel organizations across Europe and Asia that uses photo-themed ZIP archives, fake image shortcut files, obfuscated PowerShell, Node.js implants, and dual registry persistence. The campaign abuses Calendly and Google redirect infrastructure for phishing delivery, evolves across two waves with added .NET compilation and Cloudflare-fronted .cfd domains, and shares indicators linked to TonRAT, Wacatac, and PureRat. #Calendly #Google #TonRAT #Wacatac #PureRat #Cloudflare
Keypoints
- Microsoft tracked an active intrusion campaign targeting hospitality and hotel organizations since April 2026.
- The initial access path uses browser-downloaded photo-themed ZIP archives containing malicious .png.lnk shortcut files.
- Phishing emails abuse Calendly notification infrastructure and Google URL redirects to pass authentication checks and obscure the final destination.
- The campaign evolved from Wave 1 to Wave 2, adding PHOTO-prefixed LNK files, .NET DLL compilation through csc.exe and cvtres.exe, and Cloudflare-fronted .cfd domains.
- PowerShell loaders use a multi-phase obfuscated BigInt decoding approach to retrieve .ps1 scripts from %TEMP%.
- The Node.js implant runs from user-space paths, adds Defender exclusions, stages payloads in ProgramData, and maintains persistence through HKCU Run and RunOnce keys.
- Observed post-compromise actions include C2 beaconing, browser automation with headless flags, ip-api.com lookups, and forced system shutdowns.
MITRE Techniques
- [T1583.001 ] Acquire Infrastructure: Domains – The actor registered and rotated short-lived landing and C2 domains, including Wave 2 .cfd sites (‘short-lived .cfd landing domains … are registered and rotated every 2–3 days’).
- [T1583.006 ] Acquire Infrastructure: Web Services – Legitimate web services were used to relay phishing through Calendly and Google redirect tokens (‘Use of Calendly account … and generated share.google redirect tokens to relay phishing’).
- [T1584.006 ] Compromise Infrastructure: Web Services – The article notes suspected use of a compromised legitimate domain as an alternate relay (‘Suspected use of a compromised legitimate domain … as an alternate sending relay’).
- [T1566.002 ] Phishing: Spearphishing Link – Victims received Calendly notification emails containing redirect links to the malicious payload (‘Calendly notification emails carrying redirect links’).
- [T1199 ] Trusted Relationship – The campaign abused trusted Calendly SendGrid infrastructure to make malicious mail appear legitimate (‘authentication laundering through Calendly’s SendGrid infrastructure’).
- [T1204.002 ] User Execution: Malicious File – Success depended on users opening fake image shortcut files that looked like PNGs (‘User opens fake image LNK’).
- [T1059.001 ] PowerShell – Obfuscated PowerShell downloaded and launched the next-stage .ps1 payload (‘obfuscated bigint decoder downloads .ps1’).
- [T1059.007 ] JavaScript – The Node.js implant executed malicious .js payloads with C2 arguments (‘Node.js implant executes .js payload with C2 domain’).
- [T1027 ] Obfuscated Files or Information – Multiple PowerShell obfuscation phases were used to evade static detection (‘Seven-phase PowerShell obfuscation evolution’).
- [T1027.004 ] Compile After Delivery – In Wave 2, PowerShell-triggered .NET compilation produced DLLs on target (‘csc.exe compiles .NET DLL on-target’).
- [T1036 ] Masquerading – LNK files were disguised as PNG images to trick users (‘LNK files disguised as .png images’).
- [T1562.001 ] Disable or Modify Tools – Defender exclusions were added for temporary executables (‘Add-MpPreference exclusions for Temp EXE files’).
- [T1547.001 ] Registry Run Keys / Startup Folder – Persistence used HKCU Run and RunOnce entries for Node.js and ProgramData payloads (‘Dual Run (Node.js) + RunOnce (ProgramData EXE)’).
- [T1016 ] System Network Configuration Discovery – The malware queried ip-api.com for external network context (‘ip-api.com geolocation lookup’).
- [T1571 ] Non-Standard Port – C2 traffic used non-standard ports such as 8443, 8445, 8453, 5555, and 56001-56003 (‘C2 on ports …’).
Indicators of Compromise
- [IP address ] C2 infrastructure and beaconing hosts – 178.16.54[.]27, 95.217.97[.]121, and other Wave 1 IPs
- [IP address ] Additional C2 and related network infrastructure – 193.202.84[.]32, 178.16.55[.]179, and 172.67.161[.]215
- [Port ] Non-standard command-and-control ports – 8443, 8445, 8453, 5555, 56001, 56002, and 56003
- [Domain ] Phishing landing pages and C2 domains – photo-26654[.]cfd, photo-132454[.]cfd, and other photo-*.cfd domains
- [Domain ] Wave 1 and shared C2 infrastructure – sec-safe-dc[.]info, safedocphoto[.]info, and recallnine[.]info
- [Domain ] Node.js and delivery-related domains – nodejs[.]org, share[.]google, and em1618.calendly[.]com
- [File hash ] Campaign payloads and components – 04ec44f2618460f5c77c5e56014a512cc03a123c9c5b6b6b1273e2a1681ac2e1, d14ba95cdce1ef7dc9ad3ac74949ca5db38b27378ee30f30a23cf26f9e875a11, and other hashes listed in the article
- [File name ] Malicious shortcut, script, and compiled artifacts – IMG-386443483.png.lnk, PHOTO-215746435.png.lnk, qFWe908J.ps1, and bjygtujc.dll
- [URL path / redirect token ] Phishing relay and redirect chain artifacts – calendly[.]com/url?q=…, share[.]google/TOKEN, and google[.]com/share_google?q=TOKEN