Microsoft reveals phishing campaign targeting hotels in Europe and Asia


An unknown threat actor has launched a convincing phishing campaign aimed at tricking hotel employees into installing malware via fake photo attachments.

The campaign begins with a phishing message addressed to the hotel containing a ZIP file. The subject and file names are well thought out to convince an employee to open the email and file.

The sender claims to have included photos in the ZIP file. In reality, the ZIP file contains a malicious shortcut disguised as an image. The file name starts with IMG or PHOTO, followed by a random number, and ends with “.png.lnk.”

Instead of an image, this is a Windows shortcut with an icon that resembles a photo. Windows does not display file extensions by default, which can lead people to believe it’s an image.
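As an added illustration of the lure described above (not code from Microsoft or from the article), the following scanner inspects the entries of a ZIP attachment for the "image name, but .lnk content" mismatch: a double extension ending in .lnk, the IMG/PHOTO-plus-number naming pattern, and the Windows Shell Link header that every real shortcut file begins with. The exact naming regex and the sample archive are constructed assumptions; Explorer hides the .lnk suffix even when extension display is turned on, which is why inspecting content rather than trusting the displayed name matters.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Windows Shell Link header: HeaderSize 0x0000004C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "bmp"}
# Assumed regex for the pattern the article describes: IMG or PHOTO, a number,
# an image extension, then .lnk. Separator between prefix and number is optional.
LURE_NAME = re.compile(r"^(IMG|PHOTO)[_-]?\d+\.(png|jpe?g|gif|bmp)\.lnk$", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def inspect_entry(name: str, data: bytes) -> list:
    """Return the reasons an archive entry looks like a disguised shortcut."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    reasons = []
    if len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in IMAGE_EXTS:
        reasons.append("image double extension ending in .lnk")
    if LURE_NAME.match(base):
        reasons.append("matches IMG/PHOTO<number>.<img>.lnk lure pattern")
    if data[:len(LNK_MAGIC)] == LNK_MAGIC:
        reasons.append("content carries a Shell Link header")
    return reasons


def scan_zip(zip_bytes: bytes) -> list:
    """Scan every file in an in-memory ZIP and collect suspicious entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_entry(info.filename, zf.read(info.filename))
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one fake photo shortcut, one real PNG, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_48213.png.lnk", LNK_MAGIC + b"\x00" * 56)  # shortcut posing as a photo
        zf.writestr("PHOTO_77.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # genuine PNG header
        zf.writestr("notes.txt", b"hello")
    return buf.getvalue()
```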

[Image: Attack chain overview. Image by Microsoft.]

But when someone double-clicks on the file, it secretly runs commands in the background, without employees realizing what’s actually happening. Instead of opening a photo, malware is downloaded and executed, allowing the attacker to gain persistent access to the system and steal passwords and sensitive information, explore the company’s corporate network, or install additional malware later.

The malicious software is tenacious: if a user reboots their computer, it is not removed. Because the infected file brings along a legitimate copy of Node.js, security software may treat it as a common application. On top of that, the attacker can connect to the affected device at any time and execute commands remotely.

Microsoft doesn’t attribute this campaign to a known threat actor. Nor does the tech company say what the attackers do once they’ve infected systems, or which hotels were targeted.


Earlier this month, dozens of hotels in Belgium, Ireland, and the Netherlands were targeted by an unknown threat actor who stole customer data and reservation information.

Victims were flooded with phishing attempts to trick them into transferring money to scammers’ bank accounts, causing thousands of euros in damages in some cases.

The Dutch data protection authority (AP) has launched an investigation into the data breaches.
