Cybercriminals are conducting a targeted phishing campaign against employees of hotels and other accommodations that partner with Booking.com, primarily Japanese hospitality organizations. The attackers send emails posing as guest complaints and review requests, tricking staff into downloading malicious files that install TONResolver, a remote access trojan that uses The Open Network (TON) blockchain to locate its command-and-control servers. Trend Micro's TrendAI Research unit detected the campaign in late May 2026, with activity continuing through June.
The phishing emails arrive with subject lines such as "Important: Guest Stay Review Request" in Japanese and are written to draw the recipient into a conversation. Follow-up messages contain links that download ZIP files holding shortcut (LNK) files disguised as photos. When a staff member opens one, the shortcut launches a PowerShell script that installs TONResolver. The attackers sidestep email authentication by sending the messages through the notification feature of legitimate scheduling services: the mail originates from the service's own infrastructure, so it passes Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks rather than failing them, and reputation-based filtering has little to act on.
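The delivery stage described above is something a mail gateway or an incident responder can triage without opening the shortcut. The following is an added example (not code from the article or from Trend Micro) that inspects a ZIP attachment for shortcut files with photo-like names and for PowerShell launcher strings inside the shell link data. The sample archive is constructed in the code; the shortcut body contains only the shell link header and a UTF-16LE argument string, enough for the checks but not a valid shortcut.

```python
import io
import zipfile

# A shell link (.lnk) begins with a 4-byte HeaderSize of 0x4C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in little-endian form.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".heic", ".webp"}

# Command-line fragments typical of an LNK that launches PowerShell. LNK
# StringData is UTF-16LE, so each fragment is matched in ASCII and UTF-16LE.
SUSPICIOUS_FRAGMENTS = [
    b"powershell", b"pwsh", b"-nop", b"-w hidden", b"-windowstyle",
    b"-enc", b"downloadstring", b"invoke-webrequest",
]


def looks_like_disguised_lnk(name):
    """True for names such as IMG_2048.jpg.lnk: an image extension hiding a .lnk."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return False
    stem = lower[:-4]
    return any(stem.endswith(ext) for ext in IMAGE_EXTENSIONS)


def find_suspicious_strings(blob):
    """Return the launcher fragments present in blob (ASCII or UTF-16LE)."""
    low = blob.lower()  # bytes.lower() touches only ASCII letters, so UTF-16LE text still matches
    hits = []
    for frag in SUSPICIOUS_FRAGMENTS:
        if frag in low or frag.decode().encode("utf-16-le") in low:
            hits.append(frag.decode())
    return hits


def triage_zip(zip_bytes):
    """Return [(entry_name, [reasons])] for every suspicious entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            reasons = []
            if looks_like_disguised_lnk(info.filename):
                reasons.append("image-looking name with .lnk extension")
            if data.startswith(LNK_MAGIC):
                reasons.append("shell link header present")
                hits = find_suspicious_strings(data)
                if hits:
                    reasons.append("launcher strings: " + ", ".join(hits))
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample: one JPEG stub and one LNK disguised as a photo (not a real capture)."""
    # Placeholder -enc argument; the base64 is meaningless filler, not a real payload.
    args = "-nop -w hidden -enc QUJDRA=="
    fake_lnk = (LNK_MAGIC + b"\x00" * 60
                + "powershell.exe ".encode("utf-16-le") + args.encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("guest_complaint_photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("IMG_2048.jpg.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The header check matters because a shortcut renamed to hide its type still carries the shell link magic, while the name check catches the double-extension trick Windows Explorer hides by default; either one alone is easy to miss.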
TONResolver is notable for how it finds its operators. The malware uses the TON blockchain as a dead drop resolver: instead of carrying a hardcoded command-and-control address, it reads the current address from a record the attackers publish on the blockchain, so they can rotate servers without redistributing the malware, and the lookup itself goes to public blockchain infrastructure that defenders are unlikely to have blocked and that no single party can take down. The attackers packaged the malware as a Node.js application and applied virtual machine-based obfuscation, compiling the logic into a custom instruction set executed by an embedded interpreter, which defeats casual static analysis because the readable JavaScript is never present on disk. Once installed, the malware holds a persistent connection to the resolved server, giving the attackers remote command execution and the ability to deploy additional payloads.
While Japanese hotels are the primary target, TrendAI researchers identified victims in Austria, Australia, France, Germany, Indonesia, Italy, the Netherlands, Russia, South Korea, Turkey, the United Kingdom, and the United States. The malware does not steal files or credentials on execution; it opens a backdoor and reports endpoint details and IP address information, which the attackers use to decide which victims are worth pursuing further. Researchers observed new domain registrations and command-and-control server switching throughout the campaign, indicating that the operators were actively monitoring its success and adapting their infrastructure.
TrendAI researchers recommend several defensive measures. Organizations should route endpoint web traffic through a proxy gateway and block access to blockchain platforms such as TON, which few hospitality workstations have any legitimate reason to reach. Application control policies should monitor and restrict Node.js execution, in particular node.exe instances that create autorun entries or run from unexpected locations such as user profile directories. Endpoint firewalls should restrict outbound connections initiated by PowerShell to external IP addresses, and web gateways should block HTTP requests carrying PowerShell User-Agent strings. The User-Agent control is cheap but only catches default-configured downloaders, since an attacker can set any User-Agent; it should be treated as one layer alongside the application control and egress restrictions rather than a standalone defense. Together these controls can significantly reduce exposure to this type of blockchain-enabled malware campaign.
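Two of the recommended controls translate directly into detection logic that can run over existing telemetry before any blocking policy is rolled out. The following is an added example (not code from the article, Trend Micro or the malware) that flags proxy requests with PowerShell User-Agent strings or to blockchain API endpoints, and flags node.exe process or registry events that run from unexpected paths or write autorun keys. The log format, the sample events, the approved Node.js install directory and the TON endpoint list are all assumptions made for the example; populate the deny list from your own threat intelligence and adapt the parser to your proxy's format.

```python
import re
from urllib.parse import urlparse

# Default User-Agent shapes sent by Invoke-WebRequest / Invoke-RestMethod in
# Windows PowerShell 5.x and PowerShell 7 (pwsh). Illustrative, not exhaustive:
# .NET WebClient sends no User-Agent by default and an attacker can set any value.
POWERSHELL_UA = re.compile(r"WindowsPowerShell/\d|\bPowerShell/\d", re.IGNORECASE)

# Public TON HTTP API hosts used as an example deny list (assumed for this example).
BLOCKCHAIN_HOSTS = {"toncenter.com", "tonapi.io"}

# Constructed proxy log format: <ts> <client> <method> <url> <status> "<user-agent>"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Assumed approved Node.js install location; anything else is "unexpected".
ALLOWED_NODE_DIRS = ("c:\\program files\\nodejs\\",)
AUTORUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",)


def is_blockchain_host(host, deny=BLOCKCHAIN_HOSTS):
    """Exact or subdomain match against the deny list."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in deny)


def inspect_proxy_line(line):
    """Return (client, url, [reasons]) or None if the line does not parse."""
    m = PROXY_LINE.match(line)
    if not m:
        return None
    reasons = []
    if POWERSHELL_UA.search(m["ua"]):
        reasons.append("powershell user-agent")
    if is_blockchain_host(urlparse(m["url"]).hostname or ""):
        reasons.append("blockchain api endpoint")
    return (m["client"], m["url"], reasons)


def scan_proxy_log(text):
    """All parsed lines that triggered at least one reason."""
    alerts = []
    for line in text.splitlines():
        result = inspect_proxy_line(line)
        if result and result[2]:
            alerts.append(result)
    return alerts


def inspect_node_event(event):
    """Reasons a node.exe process/registry event (Sysmon-style fields) is suspicious."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\node.exe"):
        return []
    reasons = []
    if not image.startswith(ALLOWED_NODE_DIRS):
        reasons.append("node.exe outside approved install directory")
    target = event.get("TargetObject", "").lower()
    if any(key in target for key in AUTORUN_KEYS):
        reasons.append("node.exe writing an autorun registry key")
    return reasons


# Constructed sample data (not real captures).
SAMPLE_PROXY_LOG = """\
2026-06-03T09:12:44Z 10.20.5.17 GET https://www.booking.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"
2026-06-03T09:13:02Z 10.20.5.17 GET https://files.example.net/photos.zip 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4412"
2026-06-03T09:13:09Z 10.20.5.17 POST https://toncenter.com/api/v2/jsonRPC 200 "node"
2026-06-03T09:14:10Z 10.20.5.22 GET https://www.example.com/ 200 "Mozilla/5.0"
"""

SAMPLE_NODE_EVENTS = [
    {"Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node build.js", "TargetObject": ""},
    {"Image": "C:\\Users\\frontdesk\\AppData\\Roaming\\svc\\node.exe", "CommandLine": "node app.js",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, url, reasons)
    for event in SAMPLE_NODE_EVENTS:
        print(event["Image"], inspect_node_event(event))
```

Run in alert-only mode first: the proxy rule will surface legitimate PowerShell-based administration and any in-house Node.js tooling, and those are exactly the exceptions the blocking policy needs before it is enforced.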
Source: https://www.infosecurity-magazine.com/news/hackers-blockchain-japan-hotels/