216.73.216.169

RAT Abuses TON Blockchain to Target Japan's Hotel Industry

· Published 29/06/2026 22:24

Export JSON

Essential information

Published
29/06/2026 22:24
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
booking.com credential theft dead drop resolver hotel industry japan targeting node.js abuse phishing campaign ton blockchain tonresolver
Related entities
1 vulnerabilities (cve), 140 indicators, 127 observables, 18 techniques (mitre), 1 malware

Description

A sophisticated observed in May 2026 targets Japanese accommodation facilities partnering with . Attackers impersonate guest complaints and review requests through emails, tricking hotel staff into downloading malicious ZIP files containing shortcut links disguised as photos. The malware, TONResolver, employs The Open Network blockchain platform as a to dynamically retrieve command-and-control server addresses, making detection and takedown difficult. The attack uses Node.js with VM-based obfuscation and establishes encrypted WebSocket connections using ECDH key exchange and AES-256-CBC encryption. Two delivery methods were identified: bulk phishing and conversational attacks via Gmail that build trust before delivering malicious URLs. Once infected, endpoints maintain persistent Keepalive connections awaiting attacker commands for and additional malware deployment, with observed follow-on activity targeting browser-stored credentials from Ch...

External references