CYBERCRIMINALS are targeting Booking.com partner hotels in Japan through phishing emails that impersonate guest complaints. The campaign, detected by TrendAI in May 2026, utilizes malware named TONResolver, hosted on The Open Network (TON) blockchain. This malware acts as a remote access trojan (RAT), allowing attackers persistent access to infected systems. The phishing emails initially prompt hotel staff to execute a malicious file disguised as a photo.
TrendAI recommends several mitigation measures, including restricting access to blockchain platforms and monitoring Node.js executions to counter this sophisticated threat.