Hackers Leverage Blockchain to Hit Japan's Hotels Through Booking.com Phishing

Cyber threat actors are targeting employees of Booking.com partner accommodations in Japan, using phishing emails that impersonate guest complaints and review requests to trick hotel staff into executing malicious files.

The malware delivered through this campaign, TONResolver, is hosted on a smart contract and leverages blockchain technology – specifically, The Open Network (TON) blockchain platform.

It functions as an initial access and command-execution foothold, with follow-on activity indicating potential credential theft and further compromise.

Phishing Emails to Booking.com Partners

The campaign was detected by TrendAI Research, Trend Micro’s research unit, in late May 2026.

Suspicious emails were sent to Japanese partner companies of Booking.com with the subject line “Important: Guest Stay Review Request” in Japanese. These initial emails were designed to draw the target into a conversation with the attacker.

Follow-up emails from the threat actor contained a hyperlink that led to a suspicious website and downloaded a ZIP file.

Within the ZIP file lay a shortcut (LNK) file disguised as a photo that, via a PowerShell script, led to the installation of TrojanSpy.JS.TONRESOLVER.A – a malware implant functioning as a remote access trojan (RAT), which TrendAI researchers also refer to simply as TONResolver.

Other malicious emails were sent with different subject lines, some in English, to other Booking.com accommodation partners in Japan and in other countries, such as Austria, Australia, France, Germany, Indonesia, Italy, the Netherlands, Russia, South Korea, Turkey, the UK and the US.

However, Japanese hospitality organizations were by far the main targets, said a TrendAI report published on June 29.

These emails were sent using the notification functionality of a scheduling tool service, meaning they bypassed traditional email security controls that rely on domain authentication technologies such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
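Mail relayed through a third-party notification service authenticates as that service's own domain, so SPF, DKIM and DMARC all report "pass" even though the message impersonates another brand. The check below, an added example that is not TrendAI's or Booking.com's code, parses a constructed message whose headers follow that pattern and flags it because the authenticated domain is unrelated to the brand named in the display name and subject. The sample headers, the `sched-notify.example` and `booking-partner-reviews.example` domains and the `TRUSTED_BRAND_DOMAINS` list are assumptions made for the illustration.

```python
"""Flag messages that pass SPF/DKIM/DMARC for a domain unrelated to the brand
they claim to be from. Added example; headers and domain lists are constructed."""
import email
import re
from email import policy

# Constructed sample: sent via a hypothetical scheduling/notification service
# (sched-notify.example), which is the domain the authentication results cover,
# while the display name and subject impersonate Booking.com.
SAMPLE_RAW = """From: Booking.com Partner Support <notify@sched-notify.example>
To: frontdesk@hotel.example
Subject: Important: Guest Stay Review Request
Authentication-Results: mx.hotel.example;
 spf=pass smtp.mailfrom=sched-notify.example;
 dkim=pass header.d=sched-notify.example;
 dmarc=pass header.from=sched-notify.example
Reply-To: partner-review@booking-partner-reviews.example
Content-Type: text/plain; charset=utf-8

A guest left a complaint about their stay. Please review the attached photos.
"""

# Brand strings that make a message "claim" the brand, and the domains that
# brand legitimately authenticates as (assumption: populate from the brand's
# published sending domains in a real deployment).
BRAND_KEYWORDS = ("booking.com",)
TRUSTED_BRAND_DOMAINS = {"booking.com"}


def parse_auth_results(value: str) -> dict:
    """Map each method (spf/dkim/dmarc) to its verdict and the domain it covers."""
    pattern = (r"(spf|dkim|dmarc)=(\w+)[^;]*?"
               r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")
    return {m: (verdict.lower(), domain.lower())
            for m, verdict, domain in re.findall(pattern, value)}


def analyze(raw: str) -> dict:
    """Return authentication facts plus findings for a single raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Unfold the header so the regex sees one line of "method=verdict ..." parts.
    auth_header = " ".join((msg["Authentication-Results"] or "").split())
    auth = parse_auth_results(auth_header)
    all_passed = bool(auth) and all(v == "pass" for v, _ in auth.values())
    authenticated_domains = {d for _, d in auth.values()}

    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    reply_to = msg["Reply-To"]
    reply_domain = reply_to.addresses[0].domain.lower() if reply_to else from_domain

    # The brand claim lives in what the recipient sees: display name and subject.
    visible_text = f"{sender.display_name} {msg['Subject'] or ''}".lower()
    claims_brand = any(k in visible_text for k in BRAND_KEYWORDS)

    findings = []
    # Passing authentication only proves the relay's identity; if the brand that
    # is claimed never authenticated, the "pass" verdicts are beside the point.
    if claims_brand and not (authenticated_domains & TRUSTED_BRAND_DOMAINS):
        findings.append("brand_impersonation_by_unrelated_sender")
    # Replies steered to a different domain than the sender is a conversation
    # hook worth surfacing alongside the impersonation finding.
    if reply_domain != from_domain:
        findings.append("reply_to_domain_mismatch")

    return {"all_passed": all_passed,
            "authenticated_domains": authenticated_domains,
            "from_domain": from_domain,
            "reply_domain": reply_domain,
            "claims_brand": claims_brand,
            "findings": findings}


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_RAW).items():
        print(f"{key}: {val}")
```

The point of the check is that `all_passed` is true and still the message is flagged: the gateway should compare the authenticated domain against the brand the message visibly claims, not just read the verdicts.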

Attack flow from TONResolver to subsequent malware infection. Source: TrendAI

Malware Infrastructure on TON Blockchain

Unlike conventional phishing campaigns, the malware implant delivered through this campaign, TONResolver, abuses the TON blockchain platform as a dead drop resolver. This technique allows attackers to update their command-and-control (C2) server destination without hardcoding it into the malware, making detection and takedown significantly more difficult.

TON was initially developed by Telegram under the name Telegram Open Network, but is currently developed and operated primarily by the TON Foundation.

To further evade detection, the attacker packaged the malware as a Node.js application and applied virtual machine-based obfuscation, a method that wraps the code inside a protected execution environment, preventing security researchers from easily inspecting its logic through static analysis alone.

This combination of techniques makes reverse engineering the malware a significant challenge.

While executing the LNK file and running TONResolver via Node.js does not immediately result in file or credential theft, the malware establishes a persistent "keepalive" connection with the attacker's server.

This backdoor capability allows the attacker to execute additional commands and deploy further payloads at will, suggesting that victims are selectively targeted for follow-up attacks based on their endpoint details and IP address information.

“In alignment with the campaign's progression, new domain registrations and C2 server switching were also carried out, indicating that the attackers are constantly monitoring attack trends and success rates,” said the TrendAI researchers.

TrendAI’s Recommended Mitigation Measures

Based on their findings, TrendAI researchers recommended the following measures to mitigate this type of threat:

  • Restrict access to blockchain platforms: Deploy a proxy gateway on internet-facing endpoints and enforce connection filtering to block access to blockchain platforms such as the TON network
  • Monitor and restrict Node.js execution: Implement application control policies to monitor and restrict suspicious use of Node.js, particularly any instances where it creates autorun entries or executes from unexpected locations
  • Block unauthorized PowerShell network communications: Using endpoint firewall capabilities, restrict outbound communications initiated by PowerShell to external IP addresses
  • Filter PowerShell-based web requests: Configure web gateway or internet access policies to block outbound HTTP requests containing PowerShell-based User-Agent strings
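The four measures above translate into concrete detection rules over endpoint and proxy telemetry. The script below is an added example, not TrendAI's code, that runs those rules over constructed Sysmon-style process, registry and network events and proxy records: Node.js launched outside an allowed install directory, Node.js writing a `CurrentVersion\Run` autorun value, PowerShell connecting to a non-RFC1918 address, a PowerShell `User-Agent` on a web request, and a request to a blockchain gateway host. The event format, the `NODE_ALLOWED_DIRS` allowlist and the `BLOCKCHAIN_HOSTS` entry (a placeholder, not a real TON endpoint) are assumptions for the illustration.

```python
"""Detection rules for the TrendAI mitigation list, over constructed telemetry.
Added example; events, paths and hostnames are assumptions, not real logs."""
import ipaddress

# Constructed Sysmon-style events and proxy records (not captured from a host).
EVENTS = [
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node build.js"},
    {"type": "process", "image": r"C:\Users\staff\AppData\Local\Temp\node.exe",
     "cmdline": "node app.js"},
    {"type": "registry", "image": r"C:\Users\staff\AppData\Local\Temp\node.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "network", "dest_ip": "10.0.0.5", "dest_port": 445,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "dest_ip": "203.0.113.77", "dest_port": 443,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "proxy", "host": "cdn.example",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64) Chrome/124.0"},
    {"type": "proxy", "host": "updates.example",
     "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
                   "WindowsPowerShell/5.1.19041.4046"},
    {"type": "proxy", "host": "ton-rpc.placeholder.example", "user_agent": "node"},
]

# Assumed allowlist of directories from which Node.js may legitimately run.
NODE_ALLOWED_DIRS = ("c:\\program files\\nodejs\\",)
# Placeholder blocklist of blockchain gateway hosts; replace with the hostnames
# your proxy vendor or threat intelligence publishes (none are given in the article).
BLOCKCHAIN_HOSTS = {"ton-rpc.placeholder.example"}
AUTORUN_MARKER = "\\currentversion\\run\\"
# "External" here means outside the corporate RFC1918 space, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events: list) -> list:
    """Return (rule_name, detail) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        exe = _basename(image)
        if ev["type"] == "process" and exe == "node.exe":
            # Rule: Node.js executing from an unexpected location.
            if not image.lower().startswith(NODE_ALLOWED_DIRS):
                findings.append(("node_unexpected_location", image))
        elif ev["type"] == "registry" and exe == "node.exe":
            # Rule: Node.js creating an autorun entry.
            if AUTORUN_MARKER in ev["key"].lower():
                findings.append(("node_autorun_entry", ev["key"]))
        elif ev["type"] == "network" and exe in ("powershell.exe", "pwsh.exe"):
            # Rule: PowerShell-initiated connection to an external address.
            if is_external(ev["dest_ip"]):
                findings.append(("powershell_external_connection",
                                 f"{ev['dest_ip']}:{ev['dest_port']}"))
        elif ev["type"] == "proxy":
            ua = ev["user_agent"].lower()
            # Rule: web request carrying a PowerShell User-Agent.
            if "windowspowershell" in ua or ua.startswith("powershell"):
                findings.append(("powershell_user_agent", ev["host"]))
            # Rule: access to a blockchain platform gateway.
            if ev["host"].lower() in BLOCKCHAIN_HOSTS:
                findings.append(("blockchain_platform_access", ev["host"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

Each rule maps to one bullet, and the same predicates can be enforced rather than merely logged: the path and autorun checks become application control conditions, the network check an endpoint firewall rule for `powershell.exe`, and the User-Agent and host checks web gateway policies.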
