Phishing Campaigns Target Hospitality Organizations in Europe and Asia

Researchers from Microsoft and Trend Micro say they have observed separate but related phishing campaigns aimed at hospitality organizations in Europe and Asia. The attacks rely on malicious ZIP archi...

Researchers from Microsoft and Trend Micro say they have observed separate but related phishing campaigns aimed at hospitality organizations in Europe and Asia. The attacks rely on malicious ZIP archives delivered through social engineering, with the goal of infecting victims’ systems and maintaining access once inside a network.

According to the reports, the campaigns use a mix of deception and technical concealment to increase their chances of success. Attackers package harmful files inside compressed archives and use misleading messages to persuade recipients to open them. Once the files are launched, the malware is designed to establish persistence, allowing the threat actor to remain on the system even after a reboot or basic cleanup effort.

The researchers also noted that the operators employ multiple layers of obfuscation to make analysis more difficult. In at least one case, blockchain-related infrastructure was used as part of the attack chain, illustrating how criminal groups continue to experiment with unconventional services to hide command-and-control activity and blend in with legitimate traffic.

Hospitality companies are attractive targets because they often manage large volumes of customer data, process reservations and payments, and operate across multiple locations. That combination can make them vulnerable to phishing, especially when employees are accustomed to receiving files from suppliers, travel partners or internal business units.

Key points from the activity

  • Malicious ZIP files were used as the initial delivery method.
  • Social engineering was used to trick recipients into opening the archives.
  • The malware focused on persistence, helping attackers keep access over time.
  • Obfuscation and blockchain abuse were used to reduce visibility and complicate detection.

Security teams are typically advised to treat unexpected attachments with caution, especially compressed files that contain scripts or executables. Verifying sender identity, limiting attachment handling, and monitoring for unusual persistence mechanisms can help reduce the risk of compromise.