ctipilot.ch


Microsoft: "Photo ZIP" phishing laundered through Calendly drops Node.js TonRAT against European hospitality front desks

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

Microsoft Threat Intelligence has documented a campaign, active since April 2026, against hospitality front-desk systems across Europe and Asia (Microsoft Threat Intelligence, 2026-06-25). The operators use authentication laundering: phishing mail is routed through Calendly's SendGrid notification infrastructure and Google/share.google redirects, so it arrives from legitimately authenticated senders and passes the SPF, DKIM and DMARC checks that would have caught a spoofed sender. The mail leads to photo-<random>.zip archives whose IMG-<random>.png.lnk shortcuts masquerade as images.

Execution runs multi-stage obfuscated PowerShell (BigInt-arithmetic decoders that are hardened from one wave to the next), compiles a .NET DLL on the fly with csc.exe and cvtres.exe (T1027.004, Compile After Delivery), then fetches a Node.js v24.13.0 runtime that executes the TonRAT implant. Persistence is the standout: a HKCU\Run value for the Node component and a HKCU\RunOnce value for a PE payload in C:\ProgramData\<random>\, with the payload rewriting its RunOnce entry after every execution, so removing only one key lets the other re-install the pair at next logon. The loader also registers Defender process exclusions (Add-MpPreference -ExclusionProcess) for its temp paths. Lures have been seen in Dutch, Danish and Japanese.

Why it matters to us: Swiss and EU hotels and event venues running Windows front-desk systems are in scope. Hunt for node.exe launched from %LOCALAPPDATA% with random-named .js files, csc.exe followed by cvtres.exe outside CI or build hosts, and newly added Defender process exclusions on temp paths. Cleanup must stop the running implant first (it rewrites RunOnce after each execution) and then remove both the Run and RunOnce values in the same pass, together with the Defender exclusions; because the keys live under HKCU, check every user profile that logs on to the front-desk host, not only the account you are investigating from.
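The hunts and the paired-key cleanup above, as an added example that is not from the Microsoft report and not part of this brief's own tooling. It assumes Sysmon process-creation logging (Event ID 1) is enabled on the host, an elevated PowerShell 5.1 or 7 session, and that the path patterns (node.exe under a user's AppData\Local, an executable directly under C:\ProgramData\<folder>\) are generalisations of the brief's description rather than Microsoft's published indicators; all function names are ours.

```powershell
# Added example, not from the Microsoft report. Assumes Sysmon EID 1 logging,
# an elevated session, and the path patterns below (derived from the brief's
# description of the campaign, not from published IOCs).

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed patterns: node.exe under any user's AppData\Local, or an executable
# sitting directly in C:\ProgramData\<random>\. Expect some benign hits; review them.
$Patterns = @(
    '(?i)\\AppData\\Local\\.*\\node\.exe',
    '(?i)C:\\ProgramData\\[^\\]+\\[^\\]+\.exe'
)

function Test-SuspiciousPath {
    param([string]$Text)
    foreach ($p in $Patterns) { if ($Text -match $p) { return $true } }
    return $false
}

function Get-SuspiciousAutorun {
    # Lists Run/RunOnce values in the current user's hive that match $Patterns.
    foreach ($key in $RunKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if (Test-SuspiciousPath $value) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
            }
        }
    }
}

function Remove-SuspiciousAutorun {
    # Stops matching processes first (the payload rewrites RunOnce after every
    # run), then deletes the Run and RunOnce values in one pass. Honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $hits = @(Get-SuspiciousAutorun)
    if ($hits.Count -eq 0) { return }
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and (Test-SuspiciousPath $_.Path) } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Path, 'Stop-Process')) {
                Stop-Process -Id $_.Id -Force
            }
        }
    foreach ($h in $hits) {
        if ($PSCmdlet.ShouldProcess("$($h.Key) -> $($h.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $h.Key -Name $h.Name -ErrorAction Stop
        }
    }
    $hits
}

function Get-SuspiciousDefenderExclusion {
    # Process exclusions pointing at user-writable temp, AppData\Local or ProgramData
    # paths. Confirmed ones are removed with Remove-MpPreference -ExclusionProcess.
    @((Get-MpPreference).ExclusionProcess) |
        Where-Object { $_ -match '(?i)\\(Temp|AppData\\Local|ProgramData)\\' } |
        ForEach-Object { [pscustomobject]@{ Exclusion = $_ } }
}

function Get-SuspiciousProcessCreation {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Reads Sysmon EID 1 and matches on named EventData fields rather than
    # positional indexes, so it survives Sysmon schema changes.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = [string]$f.'#text' }
        $img = [string]$d['Image']; $parent = [string]$d['ParentImage']; $cmd = [string]$d['CommandLine']
        $reason = $null
        if ($img -match '(?i)\\AppData\\Local\\.*\\node\.exe$' -and $cmd -match '(?i)\.js') {
            $reason = 'node.exe from AppData\Local running a .js file'
        } elseif ($img -match '(?i)\\csc\.exe$' -and $parent -match '(?i)\\(powershell|pwsh)\.exe$') {
            $reason = 'csc.exe spawned by PowerShell'
        } elseif ($img -match '(?i)\\cvtres\.exe$' -and $parent -match '(?i)\\csc\.exe$') {
            $reason = 'cvtres.exe spawned by csc.exe'
        }
        if ($reason) {
            [pscustomobject]@{ Time = $_.TimeCreated; Reason = $reason; Image = $img; Parent = $parent; CommandLine = $cmd }
        }
    }
}

# Hunt first, then dry-run the cleanup before committing to it.
Get-SuspiciousAutorun | Format-Table -AutoSize
Get-SuspiciousDefenderExclusion
Get-SuspiciousProcessCreation | Format-Table -AutoSize
Remove-SuspiciousAutorun -WhatIf
```

Two caveats when using this. First, HKCU: is the hive of the account running the script; for other profiles on a shared front-desk PC, load their NTUSER.DAT under HKU: (or run the autorun check as each user) and repeat the pass. Second, PowerShell's own Add-Type legitimately spawns csc.exe and cvtres.exe, so the csc/cvtres hits are a triage queue, not a verdict; the node.exe-from-AppData\Local hit is the stronger signal on a host that has no business running Node.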