Hospitality sector targeted in clever phishing campaign

A phishing campaign disguised as guest complaints has been quietly targeting hospitality workers since April 2026, installing a remote access tool called TonRAT on compromised devices. The emails arrive under the sender name Booking Manager (via Calendly) and warn of issues like bedbug infestations or health inspections, but their real purpose is to bypass email security and trick staff into running malicious code.
A multi-layered delivery chain
Microsoft Threat Intelligence reports that attackers use a technique called authentication laundering to fool security systems. They route emails through Calendly’s notification system and Google’s URL shortening, so the messages originate from legitimate infrastructure and pass standard email authentication checks like SPF, DKIM, and DMARC. Victims are then sent through four redirection hops that end at a recently registered Cloudflare domain protected by a Turnstile challenge. This challenge acts as both an anti-analysis gate and a geolocation filter before the malware is delivered.
Evolving obfuscation to evade detection
The downloaded archive contains a Windows shortcut file that launches a PowerShell script, which uses arithmetic operations to decode a download URL. Over seven distinct obfuscation phases, the script retrieves a legitimate Node.js runtime and executes a JavaScript implant tracked as TonRAT, installed directly in the user’s AppData folder. In a second wave, the attackers added an intermediate step: compiling a small .NET DLL on the fly to further obscure their activity. Despite these changes, the core logic remains consistent, suggesting the operators are refining their approach rather than changing tactics.
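The chain above (PowerShell decoding a URL arithmetically, a Node.js runtime dropped under AppData, and a .NET DLL compiled on the fly) leaves process-creation artifacts a defender can look for. The following Python triage sketch is an added example, not code from Microsoft or Security Affairs; the events are constructed samples, and it assumes the on-the-fly compilation surfaces as csc.exe spawned by PowerShell, as Add-Type does.

```python
import re

# [char](<number><operator> ... : characters built by arithmetic instead of written as text
CHAR_ARITH = re.compile(r"\[char\]\(\s*\d+\s*[-+*/]", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events for illustration (parent image, image, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c $u=[char](104+0)+[char](58*2)+[char](232/2)+[char](112); iex (iwr $u)"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /noconfig /fullpaths @C:\Users\guest\AppData\Local\Temp\abc.cmdline"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\guest\AppData\Roaming\node\node.exe",
     "cmdline": r"node.exe C:\Users\guest\AppData\Roaming\node\update.js"},
    # Benign: an editor launching a system-wide Node.js install on a developer box
    {"parent": r"C:\Program Files\Code\Code.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"node.exe C:\dev\app\server.js"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of heuristics an event trips (empty if none)."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    # Three or more arithmetically built characters in a PowerShell command line
    if image in POWERSHELL and len(CHAR_ARITH.findall(cmd)) >= 3:
        hits.append("powershell_arithmetic_char_decode")
    # PowerShell invoking the C# compiler: the second-wave on-the-fly .NET DLL
    if parent in POWERSHELL and image == "csc.exe":
        hits.append("powershell_compiles_dotnet")
    # A Node.js binary running from a user-writable AppData location
    if image == "node.exe" and "\\appdata\\" in event["image"].lower():
        hits.append("node_runtime_in_appdata")
    # PowerShell handing off directly to a Node.js runtime
    if parent in POWERSHELL and image == "node.exe":
        hits.append("powershell_spawns_node")
    return hits


def triage(events):
    """Map event index to the heuristics it tripped, keeping only flagged events."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results
```

Each heuristic alone is noisy on developer machines; correlating them within one process tree is what makes the chain stand out.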
Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

