Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant

Microsoft reported an active phishing campaign targeting hospitality organizations in Europe and Asia since April 2026, employing photo-themed ZIP files to deploy a Node.js implant on front-desk systems. The campaign, which Microsoft has not attributed to a specific known threat actor, aims to compromise hotel operations. The attackers leverage the lure of photo-related content, exploiting common workflows within the hospitality industry. The ultimate objective of the operators remains undetermined, with Microsoft continuing to monitor the evolving tactics, techniques, and procedures. The observed implant is designed to establish persistence and potentially exfiltrate sensitive data from compromised hotel networks. This campaign highlights the persistent threat of sophisticated phishing attacks tailored to specific industry vulnerabilities.