Swati KhandelwalJun 26, 2026Phishing / Malware

An active phishing campaign has been targeting hotel and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant and dig into front-desk machines, Microsoft says.

The company has not attributed the activity to a known threat actor, and the operators' end goal is still unclear.

The lure plays to how hotels work. Phishing emails carry the display name "Booking Manager (via Calendly)" and reference guest complaints, bedbug infestations, room inquiries, health inspections, and stay reviews.

The lures came in Japanese, Danish, and Dutch, with Japanese the most common. The subject line names no recipient or property, which points to high-volume, list-driven sending rather than tailored spear phishing. The pressure is reputational: complaints, final warnings, threatened inspections.