ctipilot.ch

'Photo ZIP' hospitality phishing delivering Node.js TonRAT (Calendly auth-laundering, dual Run/RunOnce persistence)

campaign · campaign:photo-zip-tonrat-hospitality

  • Coverage timeline: 1 (first 2026-06-27 → last 2026-06-27)
  • Briefs: 1 (1 distinct)
  • Sources cited: 9 (8 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-06-27 · CTI Daily Brief — 2026-06-27
     active_threats · First coverage. Microsoft TI: authentication laundering via Calendly/SendGrid + Google redirects, .png.lnk → obfuscated PowerShell → on-the-fly csc.exe DLL → Node.js v24.13.0 TonRAT implant; dual HKCU Run/RunOnce self-refreshing persistence; targets EU/Asia hospitality front desks.

Where this entity is cited

  • active_threats (1)

Source distribution

  • techcrunch.com: 2 (22%)
  • microsoft.com: 1 (11%)
  • thehackernews.com: 1 (11%)
  • justice.gov: 1 (11%)
  • krebsonsecurity.com: 1 (11%)
  • malwarebytes.com: 1 (11%)
  • techradar.com: 1 (11%)
  • therecord.media: 1 (11%)

Related entities

All cited sources (9)

Items in briefs about 'Photo ZIP' hospitality phishing delivering Node.js TonRAT (Calendly auth-laundering, dual Run/RunOnce persistence) (1)

Microsoft: "Photo ZIP" phishing laundered through Calendly drops Node.js TonRAT against European hospitality front desks

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

Microsoft Threat Intelligence documented a campaign, active since April 2026, against hospitality front-desk systems across Europe and Asia (Microsoft Threat Intelligence, 2026-06-25). The operators use authentication laundering — routing phishing mail through Calendly's SendGrid notification infrastructure and Google/share.google redirects so it passes SPF/DKIM/DMARC — before serving photo-<random>.zip archives whose IMG-<random>.png.lnk shortcuts masquerade as images.

Execution runs multi-stage obfuscated PowerShell (BigInt arithmetic decoders that harden wave over wave), compiles a .NET DLL on the fly via csc.exe/cvtres.exe (T1027.004, Compile After Delivery), then fetches a Node.js v24.13.0 runtime that executes the TonRAT implant.

Persistence is the standout: a dual HKCU\Run key (Node component) plus an HKCU\RunOnce key (PE payload in C:\ProgramData\<random>\). The payload re-writes its RunOnce entry after every execution, so removing only one key lets the other re-install on the next logon. The loader also adds Defender process exclusions (Add-MpPreference -ExclusionProcess) for its temp paths. Lures appear in Dutch, Danish and Japanese.

Why it matters to us: Swiss and EU hotels/event venues running Windows front-desk systems are in scope. Hunt for node.exe spawned from %LOCALAPPDATA% running random-named .js files, csc.exe+cvtres.exe sequences outside CI, and new Defender process exclusions on temp paths — and remember that cleanup must remove both the Run and RunOnce keys in the same pass.
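As an added triage example (not code from the brief or from Microsoft), the following PowerShell audits the dual HKCU Run/RunOnce persistence and the Defender process exclusions described above, and, only when asked, removes every flagged value in one pass so neither component is left to re-create its sibling. The regex patterns and the -Remove switch are assumptions modelled on the write-up, not indicators from the page.

```powershell
# Added triage script (assumption-based, not from the brief or Microsoft):
# audit HKCU Run/RunOnce for the Node.js + PE pairing and list Defender
# process exclusions on user-writable paths. Removal is opt-in (-Remove)
# and must run in the context of the affected user (HKCU is per-user).
param([switch]$Remove)

$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Patterns modelled on the write-up: node.exe running a .js, anything launched
# from %LOCALAPPDATA%, and a PE under a random-named C:\ProgramData\<dir>\ folder.
$local = [regex]::Escape($env:LOCALAPPDATA)
$patterns = @(
  '(?i)node\.exe.*\.js',
  "(?i)$local",
  '(?i)C:\\ProgramData\\[^\\]+\\.*\.exe'
)
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$suspect = foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $item = Get-ItemProperty -Path $key
  foreach ($p in $item.PSObject.Properties) {
    if ($meta -contains $p.Name) { continue }   # skip provider metadata
    $cmd = [string]$p.Value
    foreach ($re in $patterns) {
      if ($cmd -match $re) {
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
        break
      }
    }
  }
}
$suspect | Format-Table -AutoSize

# Defender process exclusions pointing at temp or user-writable locations.
(Get-MpPreference).ExclusionProcess |
  Where-Object { $_ -match '(?i)\\Temp\\|AppData\\Local|ProgramData' } |
  ForEach-Object { Write-Warning "Defender process exclusion on writable path: $_" }

if ($Remove -and $suspect) {
  # Remove every flagged Run AND RunOnce value in the same pass so the
  # surviving component cannot re-install the other on the next logon.
  foreach ($s in $suspect) {
    Remove-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction Stop
    Write-Output "Removed $($s.Key)\$($s.Name)"
  }
}
```

Run it first without -Remove to review the hits; pair the removal with terminating the running node.exe and PE processes, since a live payload can rewrite its RunOnce entry before logoff.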