
A new malware strain dubbed TONResolver has been discovered targeting Booking.com partner hotels across Japan, arriving through phishing emails that masquerade as guest complaints, according to Trend Micro.
The attack begins with a ZIP archive containing a Windows shortcut that, when opened, runs a PowerShell script to download and install a Node.js-based remote access trojan, as reported by SecurityOnline.
The trojan then registers its command‑and‑control infrastructure inside transactions on the TON blockchain, allowing the attackers to switch servers without rewriting the malware.
Trend Micro first observed the campaign on 30 June 2026, with activity continuing through early July, though no specific threat actor has been linked to the incidents, per InfoSec Magazine.
By hiding C2 details in a public blockchain, the operators gain resilience against takedowns, a technique that is increasingly seen in financially motivated campaigns targeting the hospitality sector.
Defenders should advise hotel staff to treat unexpected attachments, especially shortcuts inside ZIP files, as suspicious and to verify any complaint through an alternative channel before opening them.
Technical controls include blocking execution of scripts from unverified locations, monitoring PowerShell and Node.js processes for unusual outbound connections, and applying application‑control policies that only allow approved binaries to run.
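
The advice to treat shortcuts inside ZIP files as suspicious can be enforced automatically at a mail gateway or during attachment triage. The Python below is an added example, not code from Trend Micro or the other cited sources; the function names, the extensions other than `.lnk`, and the depth and size limits are assumptions, and the sample archive is constructed with placeholder bytes.

```python
import io
import zipfile

# Only .lnk comes from the article; the other extensions and both limits
# below are assumptions added for this example.
RISKY_EXTENSIONS = {".lnk", ".ps1", ".js", ".vbs", ".hta"}
MAX_DEPTH = 3                        # how many archive levels to open
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # skip oversized nested archives


def find_risky_members(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return paths of archive members whose final extension is risky.

    Nested ZIPs are opened in memory up to MAX_DEPTH. Nothing is written to
    disk or executed; only names and nested archive bytes are read.
    """
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows ignores trailing dots/spaces, so strip them before matching.
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in RISKY_EXTENSIONS:
                hits.append(path)
            elif ext == ".zip":
                too_deep = depth + 1 >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES
                if too_deep or info.flag_bits & 0x1:  # bit 0 set = encrypted member
                    hits.append(path + " <nested archive not inspected>")
                else:
                    hits.extend(find_risky_members(archive.read(info), depth + 1, path + "!"))
    return hits


def build_sample() -> bytes:
    """Constructed attachment: placeholder bytes under suspicious names."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("img/room.lnk", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Guest_Complaint.pdf.LNK", b"placeholder")
        z.writestr("readme.txt", b"placeholder")
        z.writestr("photos.zip", inner.getvalue())
    return outer.getvalue()
```

A non-empty result is a reason to quarantine the message for review; archives that cannot be read or inspected are reported rather than silently passed.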