Defending Against the Photo ZIP Campaign: Node.js Implant Detection in Hospitality

Security Arsenal Team
June 26, 2026

Microsoft Threat Intelligence has identified a highly active, multi-stage intrusion campaign specifically targeting the hospitality sector across Europe and Asia. This campaign, active as of June 2026, abandons traditional malware binaries in favor of a stealthier approach: delivering a persistent Node.js implant via photo-themed ZIP archives containing malicious shortcut files.

For defenders, this represents a significant shift in attacker TTPs (Tactics, Techniques, and Procedures). By abusing legitimate development tools like Node.js and relying on social engineering rather than pure software exploits, threat actors are effectively bypassing static signature-based defenses. The hospitality industry, often characterized by high turnover, decentralized IT management, and a heavy reliance on external communications, is the prime target. This post provides a technical breakdown of the attack chain and actionable detection logic to hunt for this threat in your environment.

Technical Analysis

Attack Vector: Phishing emails delivering compressed archives (.zip) masquerading as legitimate content, typically labeled with themes like "Photos," "Reservations," or "Guest Info."

Initial Access: The crux of this campaign lies inside the archive. Victims extract a file that appears to be an image (e.g., photo.jpg), but is actually a Windows Shortcut (.lnk) file exploiting a double-extension trick (e.g., photo.jpg.lnk) or simply utilizing a custom icon to mimic an image file.

Execution and Payload Delivery: When the user clicks the fake image:

  1. The LNK file executes a command-line interface (CLI) instruction, typically invoking PowerShell or CMD.
  2. This shell script reaches out to a threat-controlled server to retrieve the payload.
  3. Instead of a .exe, the payload is a Node.js application.

Persistence and Evasion: The attackers deploy a Node.js implant. This choice is strategic:

  • Living off the Land (LotL) Lite: Node.js is a legitimate, common utility in many environments, especially in hospitality booking systems. Its execution may not trigger immediate alarms compared to a suspicious executable.
  • Cross-Platform Capability: Node.js scripts run easily on Windows, Linux, and macOS, offering the attackers flexibility.
  • C2 Flexibility: The implant can utilize standard web protocols (HTTPS, WebSockets) for Command and Control (C2), blending in with normal web traffic.

Exploitation Status: Confirmed active exploitation in the wild. No CVE is required for this intrusion; it relies entirely on social engineering and the abuse of native functionality.

Detection & Response

Identifying this campaign requires focusing on the anomalous use of Node.js and the specific delivery mechanism via LNK files.

SIGMA Rules

The following Sigma rules target the suspicious execution of Node.js from user directories and the initial access vector involving LNK extraction.

YAML
---
title: Suspicious Node.js Execution from User Directory
id: 9e8f1c23-0a72-4e3a-b8c5-1d2f3b4c5d6e
status: experimental
description: Detects Node.js executing scripts from user profile directories or temporary folders, a common behavior for implants rather than legitimate dev servers.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/06/25
tags:
  - attack.execution
  - attack.t1059.007
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\node.exe'
  selection_path:
    CommandLine|contains:
      - '\AppData\Local\Temp'
      - '\AppData\Roaming'
      - '\Downloads'
  filter_legit:
    ParentImage|contains:
      - '\Program Files\'
      - '\Visual Studio'
      - '\JetBrains'
  condition: selection_img and selection_path and not filter_legit
falsepositives:
  - Developers running scripts locally (should be filtered by parent process if IDE is used)
level: high
---
title: PowerShell Spawning Node.js Process
id: 8b7f2d14-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects PowerShell spawning a Node.js process. This is highly indicative of the stage where the LNK payload downloads and executes the implant.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/06/25
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\powershell.exe'
  selection_child:
    Image|endswith: '\node.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate build scripts or automation (rare in hospitality front-desk environments)
level: high
---
title: Suspicious LNK File Creation in Downloads
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects the creation of .lnk files in Downloads or Desktop directories, potentially indicating the delivery mechanism of the Photo ZIP campaign.
references:
  - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/06/25
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Downloads\'
      - '\Desktop\'
    TargetFilename|endswith: '.lnk'
  filter_legit:
    Image|contains:
      - '\Program Files\'
      - '\Windows\System32\'
  condition: selection and not filter_legit
falsepositives:
  - Users manually creating shortcuts
level: medium
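To make the two process-creation rules above concrete, here is an added Python example (not part of the original post or of the Sigma project) that replays the same selections and filter over a few constructed Sysmon-style events; the field names follow Sigma, and the paths and process names are constructed assumptions.

```python
from typing import Dict, List, Tuple

Event = Dict[str, str]  # Sysmon-style fields, named as the Sigma rules expect
USER_DIRS = ("\\AppData\\Local\\Temp", "\\AppData\\Roaming", "\\Downloads")
LEGIT_PARENTS = ("\\Program Files\\", "\\Visual Studio", "\\JetBrains")

def _contains_any(value: str, needles) -> bool:
    # Sigma string modifiers (contains/endswith) match case-insensitively by default.
    value = value.lower()
    return any(n.lower() in value for n in needles)

def rule_node_from_user_dir(ev: Event) -> bool:
    """Suspicious Node.js Execution from User Directory (first rule above)."""
    selection_img = ev.get("Image", "").lower().endswith("\\node.exe")
    selection_path = _contains_any(ev.get("CommandLine", ""), USER_DIRS)
    filter_legit = _contains_any(ev.get("ParentImage", ""), LEGIT_PARENTS)
    return selection_img and selection_path and not filter_legit

def rule_powershell_spawns_node(ev: Event) -> bool:
    """PowerShell Spawning Node.js Process (second rule above)."""
    parent = ev.get("ParentImage", "").lower().endswith("\\powershell.exe")
    child = ev.get("Image", "").lower().endswith("\\node.exe")
    return parent and child

RULES = [
    ("Suspicious Node.js Execution from User Directory", rule_node_from_user_dir),
    ("PowerShell Spawning Node.js Process", rule_powershell_spawns_node),
]

def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule title) for every rule each event matches."""
    return [(i, title) for i, ev in enumerate(events) for title, fn in RULES if fn(ev)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {  # implant stage: PowerShell launches node.exe from the Roaming profile -> both rules fire
        "Image": "C:\\Users\\frontdesk\\AppData\\Roaming\\node\\node.exe",
        "CommandLine": "node.exe C:\\Users\\frontdesk\\AppData\\Roaming\\photo\\index.js",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    },
    {  # developer running a script from Downloads inside an IDE -> suppressed by filter_legit
        "Image": "C:\\Program Files\\nodejs\\node.exe",
        "CommandLine": "node C:\\Users\\dev\\Downloads\\tool\\build.js",
        "ParentImage": "C:\\Program Files\\JetBrains\\WebStorm\\bin\\webstorm64.exe",
    },
    {  # booking service started from Program Files -> no user-directory path, no hit
        "Image": "C:\\Program Files\\nodejs\\node.exe",
        "CommandLine": "node C:\\Program Files\\Booking\\server.js",
        "ParentImage": "C:\\Windows\\System32\\services.exe",
    },
]
```

Calling `evaluate(SAMPLE_EVENTS)` returns two hits, both for the first event, and nothing for the IDE-launched or service-launched cases.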

KQL (Microsoft Sentinel)

Use this query to hunt for the later stages of the chain: PowerShell download activity (the LNK stage) followed, on the same device and account, by Node.js execution from a user directory.

KQL — Microsoft Sentinel / Defender
// Hunt for Node.js implants launched from user directories and preceded by
// PowerShell download activity on the same device and account
let ProcessEvents = DeviceProcessEvents
| where Timestamp > ago(7d);
let NodeProcesses = ProcessEvents
| where FileName =~ "node.exe"
| where ProcessCommandLine has "AppData" or ProcessCommandLine has "Downloads";
let SuspiciousPowerShell = ProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "Invoke-WebRequest" or ProcessCommandLine has "DownloadString"
| project DeviceId, AccountName, PowerShellTime=Timestamp, PowerShellCommand=ProcessCommandLine;
NodeProcesses
| join kind=inner (SuspiciousPowerShell) on DeviceId, AccountName
// Keep only PowerShell activity that ran shortly before the Node.js process
| where PowerShellTime between ((Timestamp - 1h) .. Timestamp)
| project Timestamp, DeviceName, AccountName, NodeCommand=ProcessCommandLine, PowerShellTime, PowerShellCommand, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for suspicious LNK files in user directories and analyzes Node.js processes running from non-standard locations.

VQL — Velociraptor
// Hunt for Photo ZIP LNK files delivered to user Downloads folders in the last 7 days
SELECT OSPath, Size, Mtime
FROM glob(globs="C:/Users/*/Downloads/**/*.lnk")
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)

// Hunt for Node.js processes running from user-writable locations
SELECT Pid, Name, CommandLine, Exe, Username, Ctime
FROM pslist()
WHERE Name =~ "(?i)^node"
  AND Exe =~ "(?i)AppData|Downloads|Temp"

Remediation Script (PowerShell)

This script can be run on endpoints to identify and terminate suspicious Node.js processes associated with this campaign, and to list LNK files recently written to the user's Downloads folder for review.

PowerShell
# Identify and terminate suspicious Node.js processes
$suspiciousProcesses = Get-Process -Name "node" -ErrorAction SilentlyContinue | Where-Object {
    $_.Path -match "AppData" -or $_.Path -match "Downloads" -or $_.Path -match "Temp"
}

if ($suspiciousProcesses) {
    Write-Host "[!] Found suspicious Node.js processes. Terminating..." -ForegroundColor Red
    $suspiciousProcesses | ForEach-Object {
        Write-Host "Terminating PID $($_.Id) path: $($_.Path)"
        Stop-Process -Id $_.Id -Force
    }
} else {
    Write-Host "[+] No suspicious Node.js processes found." -ForegroundColor Green
}

# Scan for recently created LNK files in Downloads
$downloadsPath = Join-Path -Path $env:USERPROFILE -ChildPath "Downloads"
$cutoffDate = (Get-Date).AddDays(-7)

Write-Host "[*] Scanning for LNK files created in the last 7 days in Downloads..."
Get-ChildItem -Path $downloadsPath -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | 
Where-Object { $_.LastWriteTime -gt $cutoffDate } | 
Select-Object FullName, LastWriteTime

Remediation

Immediate Action:

  1. Isolate Affected Hosts: If detection rules trigger, isolate the machine from the network immediately to prevent C2 communication or lateral movement.
  2. Kill Processes: Terminate any instances of node.exe running from AppData, Temp, or Downloads folders.
  3. Remove Artifacts: Delete the downloaded ZIP archives and the fake image LNK files. Check for startup folders containing references to Node.js scripts.

Long-Term Protections:

  1. Email Gateway Hardening: Configure email security gateways to block or sandbox ZIP archives containing .lnk files. Mark emails with generic subjects like "Photos" or "Reservations" coming from external sources as suspicious.
  2. Application Allowlisting: Restrict the execution of node.exe to specific approved directories (e.g., Program Files) and specific user groups (e.g., Developers). Block execution from user profile directories for general staff.
  3. User Education: Immediately brief hospitality staff—specifically front-desk and reservation teams—on the dangers of opening "Photo" attachments from unknown senders. Emphasize that a file ending in .zip should never contain an executable or shortcut.
  4. Macro/Script Blocking: Ensure PowerShell Constrained Language Mode is enforced where possible, and consider blocking mshta.exe and powershell.exe for users who do not require it for their daily duties.
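The double-extension lure described under Initial Access and the gateway rule in item 1 above can be exercised with this added Python example (not code from the original post): it inspects a ZIP attachment by entry name and by content, so a shortcut renamed to hide its .lnk suffix is still caught. The archive and its entries are constructed here; the header constant comes from the public Shell Link (.lnk) file format.

```python
import io
import zipfile
from typing import List, Tuple

# Shell Link header: HeaderSize 0x0000004C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian on-disk layout.
LNK_MAGIC = bytes.fromhex("4c000000 01140200 00000000 c000000000000046")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

def inspect_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for each suspicious entry in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Extension chain of the basename, e.g. photo.jpg.lnk -> [".jpg", ".lnk"]
            exts = ["." + p for p in name.lower().rsplit("/", 1)[-1].split(".")[1:]]
            if exts and exts[-1] == ".lnk":
                if len(exts) > 1 and exts[-2] in IMAGE_EXTS:
                    findings.append((name, "double extension: image name hiding a .lnk"))
                else:
                    findings.append((name, "shortcut (.lnk) inside archive"))
                continue
            # Content check: read only the header, so a renamed shortcut is still caught.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append((name, "Shell Link header under a non-.lnk name"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed attachment: a fake photo LNK, a renamed LNK, and two benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photos/photo.jpg.lnk", LNK_MAGIC + b"\x00" * 60)   # the campaign's lure
        zf.writestr("Photos/guest_list.pdf", LNK_MAGIC + b"\x00" * 60)  # shortcut renamed to .pdf
        zf.writestr("Photos/lobby.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # genuine JPEG header
        zf.writestr("Photos/readme.txt", b"see attached photos")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in inspect_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```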
