At a glance
| Malware family | Node.js backdoor (tracked as “TonRAT” by some researchers) |
| Threat actor | Unattributed; no named group |
| Target / victims | Hospitality sector; hotel staff |
| Delivery vector | Booking-themed phishing email to a ZIP with a malicious LNK |
| Key capabilities | Remote code execution, payload download, persistence, blockchain-based C2 |
| Source | LevelBlue Managed Threat Research |
TL;DR
LevelBlue has detailed a phishing campaign that drops a Node.js backdoor on hotel systems. The attack hides its command server on the TON blockchain, so takedowns barely dent it. Booking-themed emails start the chain, and a fake image shortcut kicks it off.
Delivery
The campaign targets the hospitality sector. Attackers send booking-themed spam to hotel staff. Each email carries a Google Share link, which helps it slip past email filters.
That link then redirects the victim to a ZIP archive. Inside sits a Windows shortcut disguised as a photo. As LevelBlue notes, “The LNK file uses an icon from shell32.dll to make it look like an image file.” One click starts the infection.
Infection chain
The shortcut runs a hidden PowerShell command. That command rebuilds a concealed web address from two very large numbers. Next, it checks whether Node.js already exists on the machine.
If not, the script pulls a legitimate Node.js runtime from the official site. It then decrypts the next stage with AES. Finally, the Node.js runtime executes the decoded JavaScript payload.
A backdoor that hides its own logic
The JavaScript is heavily obfuscated. Instead of running plain code, it drives a custom bytecode virtual machine. “The malware interprets encoded bytecode at runtime, making static analysis more difficult,” LevelBlue wrote. This design helps the Node.js backdoor dodge detection.
Command-and-control on the blockchain
The most notable trick sits in the C2 step. The backdoor uses the EtherHiding technique to fetch its server address from the TON blockchain. It queries a public TON API, reads a smart contract, and pulls the current domain.
This approach gives attackers durable control. They can swap the C2 domain by editing the smart contract. As LevelBlue explains, that lets them update the address “whenever the active C2 domain is blocked or taken down, without modifications to the malware itself.”
After it resolves the domain, the backdoor opens a WebSocket link to the server. Both sides then set up an encrypted channel through a key exchange. From there, the operator can run commands and push more payloads.

What the backdoor can do
The implant supports remote code execution. It can download and run Windows programs, plus PowerShell and JavaScript. Before it runs a file, it checks for a valid Windows executable header. It also adds a Microsoft Defender exclusion for its own dropped file, which helps it avoid scans.
Who is behind it
LevelBlue did not attribute the campaign to any named group. So treat attribution as unconfirmed. Independent analysts at SOC Prime tracked the same activity and named the payload “TonRAT.” Separately, Google has tied EtherHiding to North Korean actors in other campaigns, yet that link does not extend to this one.
The activity looks active and growing. “New samples are being observed daily,” LevelBlue reported. Over 400 samples share one machine identifier, with the earliest dating to March 2026.
How to defend against this Node.js backdoor
Watch for node.exe running from user folders such as LocalAppData. Flag PowerShell that rebuilds strings from huge numbers. Also monitor outbound traffic to public TON API endpoints and unusual WebSocket links.
Beyond that, tighten email filtering against booking-themed lures. Block shortcut files packed inside ZIP archives at the gateway. For full indicators and detection tips, see LevelBlue’s breakdown of the TON blockchain attack chain.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.