RAT Abuses TON Blockchain to Target Japan's Hotel Industry
Essential information
- Published
- 29/06/2026 22:24
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- booking.com credential theft dead drop resolver hotel industry japan targeting node.js abuse phishing campaign ton blockchain tonresolver
- Related entities
- 1 vulnerabilities (cve), 140 indicators, 127 observables, 18 techniques (mitre), 1 malware
Description
A sophisticated phishing campaign observed in May 2026 targets Japanese accommodation facilities partnering with Booking.com. Attackers impersonate guest complaints and review requests through emails, tricking hotel staff into downloading malicious ZIP files containing shortcut links disguised as photos. The malware, TONResolver, employs The Open Network blockchain platform as a dead drop resolver to dynamically retrieve command-and-control server addresses, making detection and takedown difficult. The attack uses Node.js with VM-based obfuscation and establishes encrypted WebSocket connections using ECDH key exchange and AES-256-CBC encryption. Two delivery methods were identified: bulk phishing and conversational attacks via Gmail that build trust before delivering malicious URLs. Once infected, endpoints maintain persistent Keepalive connections awaiting attacker commands for credential theft and additional malware deployment, with observed follow-on activity targeting browser-stored credentials from Ch...