Microsoft researchers have detailed an ongoing, targeted phishing operation that has compromised hotels and other hospitality organizations since April 2026. The campaign uses weaponized guest complaint emails to deploy the TonRAT malware, which establishes a stubborn, persistent presence on victim networks that evades standard cleanup.
The operation involves careful reconnaissance, with attackers identifying specific hotel properties before launching tailored attacks. The lure emails are designed to be especially potent within the hospitality industry, fabricating urgent and emotionally charged guest grievances. This social engineering tactic pressures staff into opening malicious attachments quickly, exploiting the sector's fundamental emphasis on responsive customer service.
Upon execution, the malicious attachments install TonRAT, a remote access Trojan. The malware's key threat, as outlined by Microsoft, is its "resilient persistence." It uses advanced techniques to embed itself deeply within a system, rendering traditional antivirus scans and simple file deletion ineffective. This allows the threat to repeatedly re-establish itself unless a thorough forensic cleanup is performed.
In response, security experts are advising a multi-layered defense for the hospitality sector. Immediate steps include configuring email filters to flag the specific characteristics of these lure messages and ensuring endpoint detection and response (EDR) tools are tuned to spot TonRAT's behavioral signatures. Crucially, they emphasize targeted staff training to recognize this tactic, verify complaints through official booking channels, and understand the risks of urgency-based manipulation. Incident response plans must also be updated to assume deep compromise, requiring forensic analysis rather than superficial remediation.
The campaign highlights a systemic challenge for the hospitality sector, where many hotels operate with lean IT and security teams. Implementing advanced monitoring and conducting deep forensic cleanup can be resource-intensive. This disparity underscores a pressing need for industry-wide intelligence sharing and standardized verification protocols to build a collective defense against such targeted campaigns.
