A phishing campaign specifically aimed at the hospitality sector is actively compromising hotel front-desk computers, deploying a Node.js implant dubbed "TonRAT," according to a warning from Microsoft. Since at least April 2026, attackers have been targeting hotels across Europe and Asia, the company's security researchers disclosed.

The operation leverages a social engineering lure that capitalizes on routine industry workflows. Malicious emails arrive as supposed "event photo packages," often delivered in ZIP archives and occasionally incorporating Calendly links to add a veneer of legitimacy. This mimics familiar communication for front-desk staff, who are accustomed to receiving such files for conferences or events held at their property.

By successfully compromising these specific workstations, attackers gain a foothold at the nerve center of hotel operations. These systems typically contain guest personally identifiable information (PII), reservation databases, and may be connected to payment processing interfaces, making each breach highly valuable.

A notable aspect of the campaign is the implant itself. TonRAT is built on Node.js, a common JavaScript runtime, which allows it to blend in with normal administrative processes on a compromised machine. This "living-off-the-land" technique helps the malware evade basic security whitelists and signature-based detection, increasing its dwell time on the network.

Microsoft has not attributed the activity to a known threat actor, and the ultimate goal behind the data collection remains unclear. This uncertainty, highlighted in the advisory, means defenders cannot predict the operators' tactics based on past behavior.

The campaign demonstrates how generic security training can fall short when faced with industry-specific lures. The photo-package scenario is tailored to bypass the inherent trust of daily hotel routines. Consequently, effective defense requires a tailored, sector-specific response.

Security experts recommend a defense-in-depth strategy for hospitality organizations. Immediate actions include auditing front-desk and guest-facing workstations and removing non-essential software, such as Node.js, wherever it is not required for a business function; this is considered a critical mitigation against this type of malware. Email security gateways should also be configured to inspect suspicious ZIP archives more closely and, where warranted, block them.
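As an added example (not code from the article or from Microsoft's advisory), the following gateway-side triage routine applies the ZIP-inspection recommendation to the "event photo package" lure: an archive that claims to hold photos but carries script or executable entries, including double extensions such as `.jpg.js`, is blocked. The extension lists are this example's own assumptions, and the sample archive is constructed inline with inert placeholder bytes.

```python
import io
import zipfile

# An "event photo package" should hold images only; anything executable is a red flag.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".heic", ".webp"}
# .js/.mjs/.cjs are listed because the implant described above runs under Node.js.
RISKY_EXTS = {".js", ".mjs", ".cjs", ".exe", ".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".hta", ".msi", ".scr"}


def suffixes(name: str) -> list:
    """All extensions of a member name, lowercased: 'a.jpg.js' -> ['.jpg', '.js']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data: bytes) -> dict:
    """Inspect ZIP bytes and return findings a gateway policy can act on."""
    findings = {"risky_entries": [], "nested_archives": [], "non_image_entries": [], "verdict": "allow"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["verdict"] = "block"  # a malformed archive gets no benefit of the doubt
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            exts = suffixes(info.filename)
            last = exts[-1] if exts else ""  # the final suffix decides what Windows runs
            if last in RISKY_EXTS:
                findings["risky_entries"].append(info.filename)
            elif last == ".zip":
                findings["nested_archives"].append(info.filename)
            elif last not in IMAGE_EXTS:
                findings["non_image_entries"].append(info.filename)
    if findings["risky_entries"] or findings["nested_archives"]:
        findings["verdict"] = "block"
    elif findings["non_image_entries"]:
        findings["verdict"] = "hold_for_review"
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a 'photo package' hiding a script behind a .jpg.js name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gala_2026/IMG_0001.jpg", b"\xff\xd8\xff placeholder image bytes")
        zf.writestr("gala_2026/IMG_0002.jpg.js", b"// inert placeholder, never executed")
        zf.writestr("gala_2026/README.txt", b"Photos from the event")
    return buf.getvalue()
```

A "hold_for_review" verdict for archives with only non-image, non-executable entries keeps legitimate packages (a caption list, for instance) from being dropped outright while still routing them to a human.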

Training should also be adapted. Replacing generic phishing simulations with drills based on the exact "event photo package" lure can provide staff with the specific awareness needed to spot these attacks. The campaign, ongoing for months, underscores the persistent risk of credential theft and initial access operations that target specific business sectors by exploiting their unique workflows.
