Photo-ZIP Phishing Delivers TonRAT Node.js Implant to Hotel Front-Desk Systems Since April 2026

The campaign exploits hospitality workflows with lures referencing bedbug complaints, health inspections, and Booking.com reviews. Messages pass SPF/DKIM/DMARC via Calendly infrastructure before chaining through share.google to Cloudflare-fronted .cfd domains protected by Turnstile. Victims open LNK shortcuts that execute PowerShell, decode a download URL via BigInt arithmetic, and fetch a legitimate Node.js v24.13.0 binary plus JavaScript payload. No system Node install is required. SOC Prime and ITOCHU previously documented the same LNK-to-PowerShell-to-Node chain targeting the same sector two weeks earlier. Evidence shows two persistence mechanisms: a RunOnce entry under ProgramData and a Node.js entry under the user Run key, plus files staged in AppData\Local\Nodejs. The implant resolves C2 domains dynamically via the TON blockchain API before opening encrypted WebSockets and beaconing to non-standard ports including 8443, 8445, and 56001-56003. Some infections also performed headless browser automation and geolocation checks. Microsoft reports no confirmed data theft or ransomware deployment to date. Booking-themed phishing against hotels has recurred in prior ClickFix campaigns that harvested Booking.com credentials with PureRAT. The absence of named attribution and unclear end goal distinguish this activity from commodity crime. Durable access combined with easy-to-miss dual persistence paths suggests reconnaissance or future monetization rather than immediate disruption. Front-desk, reservations, and property-management workstations remain the highest-risk endpoints. Defenders must remove both persistence artifacts and the dropped Node runtime simultaneously. Continued monitoring of TON-resolved domains and non-standard port traffic from hospitality networks is required to detect follow-on activity.