Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access
Since April 2026, a sophisticated multi-stage intrusion campaign has targeted hospitality and hotel organizations across Europe and Asia. The operation uses photo-themed ZIP archives containing malicious shortcut files disguised as images. When executed, these shortcuts initiate an attack chain involving obfuscated PowerShell, Node.js-based implants, and dual registry persistence mechanisms. The threat actor exploits legitimate services like Calendly and Google redirects for phishing delivery, employing authentication laundering to bypass email security controls. The campaign evolved through two waves, introducing .NET DLL compilation, Cloudflare-fronted infrastructure, and refined obfuscation techniques. Post-compromise activities include command-and-control beaconing over non-standard ports, forced shutdowns, and portable executable compilation, suggesting preparation for additional malicious operations.
AI Analysis
Technical Summary
This threat involves a sophisticated intrusion campaign targeting hospitality industry entities across Europe and Asia since April 2026. Attackers deliver malicious shortcut files inside photo-themed ZIP archives that, when executed, trigger obfuscated PowerShell scripts to install Node.js implants. Persistence is maintained via dual registry mechanisms. The campaign uses phishing delivery through legitimate services such as Calendly and Google redirects, employing authentication laundering to bypass email defenses. The operation has progressed through two waves, incorporating .NET DLL compilation and Cloudflare-fronted infrastructure to enhance obfuscation and resilience. Post-compromise behavior includes command-and-control communications over non-standard ports, forced system shutdowns, and compiling portable executables, suggesting preparation for additional malicious operations.
Potential Impact
The campaign enables persistent unauthorized access to targeted hospitality organizations by deploying Node.js implants with registry persistence. It bypasses email security controls through authentication laundering and uses legitimate services for phishing delivery, increasing the likelihood of successful compromise. Post-compromise activities may disrupt operations via forced shutdowns and facilitate further malicious actions through additional payload compilation and command-and-control communications.
Mitigation Recommendations
No official patch or fix is available for this campaign as it involves social engineering and malware delivery rather than a software vulnerability. Organizations should focus on user awareness training to recognize phishing attempts, especially those leveraging legitimate services like Calendly and Google redirects. Email security solutions should be tuned to detect and block authentication laundering techniques. Monitoring for unusual registry persistence and Node.js implant activity can aid in detection. Since this is a malware campaign, endpoint detection and response (EDR) tools should be employed to identify and remediate infections.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access/
- Adversary: null
- Pulse Id: 6a3df8979895cc716bfbf931
- Threat Score: null
Threat ID: 6a3e3c494853345fc18a5bc8
Added to database: 06/26/2026, 08:46:01 UTC
Last enriched: 06/26/2026, 09:01:17 UTC
Last updated: 06/26/2026, 12:22:12 UTC