“In alignment with the campaign's progression, new domain registrations and C2 server switching were also carried out, indicating that the attackers are constantly monitoring attack trends and success rates,” said the TrendAI researchers.
How the phishing lure reached hotel staff
TrendAI Research, the research unit of Trend Micro, detected a targeted phishing campaign in late May 2026 that aimed squarely at employees of Booking.com partner accommodations in Japan. Initial messages carried the subject line “Important: Guest Stay Review Request” (presented in Japanese) and were crafted to prompt staff engagement by impersonating guest complaints or review requests. Follow-up emails contained a hyperlink that led to a suspicious website and initiated a ZIP download.
Inside the ZIP archive was a shortcut link file (LNK) disguised as a photo. When executed, the LNK invoked a PowerShell script that installed TrojanSpy.JS.TONRESOLVER.A — the implant TrendAI also calls TONResolver — which functions as a remote access trojan (RAT).
TONResolver: malware hosted on the TON blockchain
Unlike typical campaigns that host configuration data on conventional servers, this operation used The Open Network (TON) blockchain as a dead drop resolver for TONResolver’s command-and-control (C2) instructions. TrendAI’s analysis notes that using a blockchain-based resolver lets attackers update the C2 server destination without hardcoding it into the malware, complicating detection and takedown efforts.
The report also highlights the provenance of the platform: TON was initially developed by Telegram under the name Telegram Open Network and is currently developed and operated primarily by the TON Foundation.
Technical evasions: Node.js packaging, VM obfuscation and email delivery tricks
To frustrate defenders and analysts, the attacker packaged the implant as a Node.js application and applied virtual machine–based obfuscation that wraps the code in a protected execution environment. TrendAI explicitly states that this combination makes reverse engineering a significant challenge and prevents easy static analysis of the malware’s logic.
On the delivery side, the campaign leveraged the notification functionality of a scheduling tool service to send the emails. That choice allowed messages to bypass traditional email security controls that rely on domain authentication technologies such as SPF, DKIM and DMARC.
Scope of targeting and the attacker’s playbook
While malicious emails were observed in multiple countries — including Austria, Australia, France, Germany, Indonesia, Italy, the Netherlands, Russia, South Korea, Turkey, the UK and the US — TrendAI’s June 29 report says Japanese hospitality organizations were by far the main targets. The implant does not immediately exfiltrate files or credentials; instead, executing the LNK and launching TONResolver establishes a persistent “keepalive” connection to the attacker’s server.
That backdoor provides remote command execution and a mechanism to deploy follow-on payloads. TrendAI notes victims appear to be selectively chosen for follow-up based on endpoint details and IP address information, and that attackers have been registering new domains and switching C2 servers as the campaign unfolds.
TrendAI’s mitigation checklist for defenders
- Restrict access to blockchain platforms: deploy a proxy gateway on internet-facing endpoints and enforce connection filtering to block access to blockchain platforms such as the TON network.
- Monitor and restrict Node.js execution: implement application control policies to watch for and block suspicious use of Node.js, particularly when it creates autorun entries or runs from unexpected locations.
- Block unauthorized PowerShell network communications: use endpoint firewall capabilities to restrict outbound communications initiated by PowerShell to external IP addresses.
- Filter PowerShell-based web requests: configure web gateway or internet access policies to block outbound HTTP requests that contain PowerShell-based User-Agent strings.
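The last three checklist items translate directly into detection logic. The following Python is an added example, not code from TrendAI or the report; it runs the checks over constructed proxy lines and endpoint process/registry events (all sample values, field names and the "trusted" Node.js install directories are assumptions, modelled loosely on Sysmon-style records).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample data, not taken from the TrendAI report.
PROXY_LOGS = [
    '10.0.0.5 GET http://files.example.invalid/u.zip 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '10.0.0.7 GET https://www.example.invalid/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    '10.0.0.9 POST https://api.example.invalid/v1 200 "Mozilla/5.0 (Windows NT 10.0) PowerShell/7.4.1"',
]
PROCESS_EVENTS = [  # process-creation events (constructed)
    {"host": "FRONTDESK-01", "image": r"C:\Users\staff\AppData\Local\Temp\app\node.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "DEV-02", "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Windows\explorer.exe"},
]
REGISTRY_EVENTS = [  # registry value-set events (constructed)
    {"host": "FRONTDESK-01", "image": r"C:\Users\staff\AppData\Local\Temp\app\node.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "DEV-02", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

# Invoke-WebRequest's default User-Agent ends in "WindowsPowerShell/5.1.x"
# (Windows PowerShell) or "PowerShell/7.x" (PowerShell 7); both mark the request.
POWERSHELL_UA = re.compile(r"\b(?:Windows)?PowerShell/\d", re.IGNORECASE)
# Assumed allow-list of directories from which node.exe is expected to run.
TRUSTED_NODE_DIRS = {r"c:\program files\nodejs", r"c:\program files (x86)\nodejs"}
AUTORUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\", re.IGNORECASE)


def flag_powershell_requests(lines):
    """Proxy lines whose User-Agent identifies PowerShell (checklist item 4)."""
    return [ln for ln in lines if POWERSHELL_UA.search(ln)]


def is_node(image):
    return PureWindowsPath(image).name.lower() == "node.exe"


def flag_unexpected_node(events):
    """node.exe started outside the standard install directory (checklist item 2)."""
    return [e for e in events if is_node(e["image"])
            and str(PureWindowsPath(e["image"]).parent).lower() not in TRUSTED_NODE_DIRS]


def flag_node_autorun(reg_events):
    """node.exe writing a Run/RunOnce value, i.e. creating an autorun entry (item 2)."""
    return [e for e in reg_events if is_node(e["image"]) and AUTORUN_KEY.search(e["target"])]
```

Item 3 (blocking PowerShell's outbound connections) is enforced at the host firewall rather than detected in logs, so it has no rule here.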
What this campaign means for Booking.com partners, security teams and procurement leaders
Booking.com partner accommodations: Organizations receiving automated notifications from third-party scheduling tools should treat unexpected review or complaint messages as high risk and validate links and attachments out-of-band before opening them.
Security teams and procurement leaders: The campaign demonstrates two persistent risks — abuse of legitimate notification services to bypass email authentication controls, and the use of decentralized platforms (in this case, the TON blockchain) as resilient infrastructure for C2. Teams should weigh access controls for blockchain platforms, increase monitoring for atypical Node.js execution, and enforce stringent PowerShell egress restrictions as TrendAI recommends.
Attackers in this campaign combined social engineering tailored to hospitality workflows with technical layers designed to resist analysis and fast remediation. TrendAI’s findings underscore that defenders must adjust both mail-handling processes and endpoint controls to respond to a threat that blends legitimate services and decentralized infrastructure.
Original report: https://www.infosecurity-magazine.com/news/hackers-blockchain-japan-hotels/