Attack flow from TONResolver to subsequent malware infection | Image: TrendMicro
| At a glance | Detail |
|---|---|
| Malware | TONResolver (RAT; also tracked as TonRAT by Microsoft; detected as TrojanSpy.JS.TONRESOLVER.A) |
| Threat actor | Not attributed; lures resemble APT tradecraft |
| Targets | Staff at Booking.com partner hotels, mainly in Japan |
| Delivery | Phishing posing as guest complaints; LNK disguised as a photo inside a ZIP |
| Capabilities | Node.js RAT, blockchain-based C2 resolution, remote command and PowerShell execution |
| Source | Trend Micro (Trend Research); Microsoft |
TL;DR
Trend Micro found TONResolver malware targeting Booking.com partner hotels, mostly in Japan. The phishing lure poses as an angry guest complaint. Once it runs, the malware hides its command server inside the TON blockchain.
How TONResolver malware reaches victims
The campaign starts with email. Attackers pose as Booking.com support and forward fake guest complaints. One lure claims a child was bitten by bed bugs and demands urgent action.
The emails were sent through a scheduling tool’s notification feature, so they came from that service’s own legitimate mail infrastructure and passed SPF, DKIM, and DMARC checks. Trend Micro detailed the full chain in its TONResolver analysis.
Some attacks went further still. In a “conversational” variant over Gmail, the sender first asked an innocent booking question. After a reply, a follow-up email carried the malicious link. That trust-building step mirrors APT tradecraft.
The infection chain
A link in the email downloads a ZIP file. Inside sits a Windows shortcut (LNK) disguised as a photo. When the user opens it, the shortcut silently runs a PowerShell command.
That command assembles the download domain at runtime from arithmetic, so the hostname never appears as a plain string, and then pulls a second script. The second script quietly installs a legitimate copy of Node.js on the machine and finally runs the JavaScript payload, TONResolver, through it.
Notably, the staging server only answers requests that carry a PowerShell User-Agent header; a normal browser receives a 404. The check helps the operators dodge casual inspection, so an analyst who wants to retrieve the payload has to replay the request with a matching User-Agent from an isolated environment.
How TONResolver malware hides its C2
Here is the standout trick. As Trend Micro puts it, “the malware abuses The Open Network (TON) blockchain platform as a dead drop resolver.”
The operator stores the live command-server domain inside a TON smart contract. The malware reads it through a public TON API, so the lookup is a request to a legitimate third-party service rather than to attacker infrastructure. If defenders block one server, the attacker writes a new domain to the contract; existing infections pick it up on their next lookup, with no new malware needed.
The malware then connects to that server over an encrypted WebSocket. The two sides perform an ECDH key exchange and derive an AES-256 session key from the shared secret, so the key itself never crosses the wire and network tools see little useful plaintext.
What it does on the host
TONResolver sets persistence entries and uses a mutex to avoid running twice. Then it sends host details: username, hostname, OS, CPU, memory, and MAC address. After that, it sends a heartbeat to the server every 20 seconds and waits for commands.
The implant accepts several command types. These include running arbitrary JavaScript, fetching and launching files, and executing PowerShell. Trend assesses the malware as an initial foothold, with credential theft as likely follow-on activity.
Two names, one campaign
Microsoft tracked the same operation and named the implant TonRAT. SOC Prime also published a technical breakdown. The dead-drop trick is not unique to this case: other crews hide C2 data on Ethereum and Solana, a pattern MITRE ATT&CK catalogs as Web Service: Dead Drop Resolver (T1102.001).
Who is behind it
Neither Trend Micro nor Microsoft tied the campaign to a named group. Researchers could link the campaign’s domains to one another only through shared Cloudflare name-server pairs and a single disposable registrant email, which is not enough to connect them to known infrastructure. So attribution stays open for now.
No vendor published a victim count. Trend’s telemetry showed the heaviest access from Japan between mid-May and early June 2026.
How to stay protected
Train hotel and front-desk staff to treat complaint emails with care. Be wary of ZIP files and photo “shortcuts” from outside contacts. Confirm guest issues through the official Booking.com partner portal, not email links.
For defenders, restrict PowerShell and alert on Node.js running from a user profile folder, especially when PowerShell is the parent process. Flag WebSocket traffic and connections to public blockchain APIs from those processes. If you suspect a hit, isolate the endpoint quickly: the implant may already be awaiting commands, and the operator can redirect it to a fresh server simply by rewriting the contract.