Trend Micro identified a new malware named TONResolver that targets Booking.com partner hotels, primarily in Japan, using phishing lures that pose as guest complaints to deliver the malware. The attackers use a ZIP file containing a shortcut that executes a PowerShell script to install a Node.js-based Remote Access Trojan (RAT). Notably, the malware hides its command-and-control (C2) server within the TON blockchain, which keeps communication flexible even if one server is blocked.
Researchers have not attributed the attacks to a specific threat actor, and they emphasize the need for increased training and awareness among hotel staff to mitigate such risks.
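The delivery chain described above (a ZIP file carrying a shortcut that launches PowerShell) can be screened for when incoming archives are triaged. The following Python check is an added example, not code from Trend Micro's report: it flags shortcut entries by extension and by the Shell Link header, so a renamed shortcut is still caught. The file names and the sample archive are constructed, and the PowerShell string match is a heuristic.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_ENTRY_BYTES = 1024 * 1024  # cap on bytes read per entry (zip-bomb guard)


def mentions_powershell(data: bytes) -> bool:
    """Heuristic: shortcut strings may be stored as ANSI or UTF-16LE."""
    lowered = data.lower()
    return b"powershell" in lowered or "powershell".encode("utf-16-le") in lowered


def triage_zip(blob: bytes) -> list[dict]:
    """Return one finding per archive entry that is a Windows shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as handle:
                data = handle.read(MAX_ENTRY_BYTES)
            by_name = info.filename.lower().endswith(".lnk")
            by_magic = data.startswith(LNK_MAGIC)
            if by_name or by_magic:
                findings.append({
                    "entry": info.filename,
                    "lnk_extension": by_name,
                    "lnk_header": by_magic,
                    "mentions_powershell": mentions_powershell(data),
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: fake shortcuts (header plus padding), not real malware."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + "powershell.exe -File x.ps1".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("guest_complaint.pdf.lnk", fake_lnk)
        archive.writestr("photo.jpg", LNK_MAGIC + b"\x00" * 56)  # renamed shortcut
        archive.writestr("readme.txt", b"Please review the attached complaint.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```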