Fake Guest Photos Are Handing Hackers Long-Term Access to Hotel Networks

Two separate campaigns are targeting hotel front desks and booking teams with booby-trapped zip files dressed up as guest photographs — and the goal isn't a quick smash-and-grab. It's a quiet, lasting foothold.

ThreatVectr Newsdesk· 3 min read
16:9 editorial photograph, full-frame edge-to-edge, of a hotel front-desk computer monitor glowing in a dimly lit reception area at night, the screen displaying
Share

Key points

  • Microsoft tracked a phishing campaign hitting hotels across Europe and Asia that began at least as early as April 2025.
  • A separate Trend Micro investigation found similar attacks targeting Japanese hotels partnered with Booking.com, discovered in late May 2025.
  • Both campaigns trick staff into opening zip files containing fake image shortcuts that silently install remote-access software.
  • The Trend Micro campaign uses a technique called blockchain command-and-control, which hides the hackers' server address inside a public cryptocurrency network, making it nearly impossible to shut down by conventional means.
  • Neither campaign appears aimed at immediate ransom or theft — the goal is quiet, lasting access for later exploitation.

Hotel staff field dozens of guest requests every shift: complaints about rooms, photos of suspected bedbugs, reservation disputes. Criminals have noticed.

Two separate research teams — one at Microsoft, one at the cybersecurity firm Trend Micro — have documented phishing campaigns, where criminals send fake emails to trick staff into opening dangerous files, aimed squarely at the hospitality industry. The emails mimic exactly the kind of mundane guest correspondence that front-desk and reservations workers handle every day.

How did the hackers get in?

Victims received emails pretending to be from guests — complaints, health inspection notices, stay reviews — with a zip file attached, supposedly containing photographs. Inside the zip was a Windows shortcut file, a type of file normally used to link to an application, disguised to look like an image. Opening it triggered a hidden chain of software instructions that installed a persistent implant — a small, concealed program that stays on the computer and keeps a channel open for the hackers to return through.

Microsoft found that the criminals routed their emails through legitimate services, including the scheduling tool Calendly and Google's link-shortening system, so that standard email security checks would see a trustworthy sender. Microsoft's researchers called this "authentication laundering." Think of it as mailing a threatening letter inside an envelope stamped by a trusted courier: the courier's mark gets past the gate, not the letter's contents.

The Trend Micro campaign went a step further with how it hides its control infrastructure. The malware it delivers, called TONResolver, receives its instructions by looking up an address stored inside a smart contract on The Open Network (TON) blockchain — a public, decentralised ledger most people associate with cryptocurrency. Because no single company owns the blockchain, law enforcement cannot simply seize a server or block a domain to cut off the hackers.

"If the C2 server gets taken down, the attacker just updates the domain inside the smart contract and every infected machine reconnects automatically," Denis Calderone, principal and chief technology officer at Suzu Labs, told Dark Reading. "There's no server to seize and no domain to sinkhole."

This is not a one-off trick. Researchers note the same technique appeared recently in an unrelated supply-chain attack, suggesting it is moving from experimental to routine among criminal groups.

Neither campaign rushed to demand ransom. The priority in both cases was staying hidden — stealing login credentials, moving through the hotel's wider network, or dropping additional malicious software later.

What should hotel staff and guests watch for?

If you work in hospitality: treat any emailed zip file claiming to contain guest photos as suspicious, even if the sender's address looks plausible. Your IT team should be told immediately if you opened one. Guests whose data sits in hotel reservation systems should watch for unexpected account activity or password-reset emails they didn't request.

For IT teams defending these environments, both Microsoft and Trend Micro published detailed lists of warning signs. Calderone's advice was blunt: "Restrict PowerShell and Node.js execution on front-desk and reservation systems at a minimum. If you see node.exe spawning on a reservations terminal, that's your indicator."

© 2026 Threat Vectr