Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

July 1, 2026

Hackers Leverage Blockchain to Hit Japan’s Hotels Through Booking.com

July 1, 2026

Dawn of the Apex Agentic Adversary

July 1, 2026
Facebook X (Twitter) Instagram
Wednesday, July 1
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Hackers Leverage Blockchain to Hit Japan’s Hotels Through Booking.com
News

Hackers Leverage Blockchain to Hit Japan’s Hotels Through Booking.com

Team-CWDBy Team-CWDJuly 1, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cyber threat actors are targeting employees of Booking.com partner accommodations in Japan, using phishing emails that impersonate guest complaints and review requests to trick hotel staff into executing malicious files.

The malware delivered through this campaign, TONResolver, is hosted on a smart contract and leverages blockchain technology – specifically, The Open Network (TON) blockchain platform.

It functions as an initial access and command-execution foothold, with follow-on activity indicating potential credential theft and further compromise.

Phishing Emails to Booking.com Partners

The campaign was detected by TrendAI Research, Trend Micro’s research unit, in late May 2026.

Suspicious emails had been sent to Japanese partner companies of Booking.com, with the subject line “Important: Guest Stay Review Request” in Japanese. These emails are aimed to engage the target to converse with the attacker.

Follow-up emails sent by the threat actor contained a hyperlink that both led to a suspicious website and downloaded a ZIP file.

Within the ZIP file lied a shortcut link file (LNK) disguised as a photo file that led to the installation of TrojanSpy.JS.TONRESOLVER.A – a malware implant functioning as a remote access trojan (RAT), that TrendAI researchers also refer to simply as TONResolver – via a PowerShell script.

Other malicious emails were sent with different subject lines, some in English, to other Booking.com accommodation partners in Japan and in other countries, such as Austria, Australia, France, Germany, Indonesia, Italy, the Netherlands, Russia, South Korea, Turkey, the UK and the US.

However, Japanese hospitality organizations were by far the main targets, said a TrendAI report published on June 29.

These emails have been sent using the notification functionality of a scheduling tool service, meaning they bypassed traditional email security controls based on domain authentication technologies such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

Malware Infrastructure on TON Blockchain

Unlike conventional phishing campaigns, the malware implant delivered through this campaign, TONResolver, abuses the TON blockchain platform as a dead drop resolver. This technique allows attackers to update their command-and-control (C2) server destination without hardcoding it into the malware, making detection and takedown significantly more difficult.

TON was initially developed by Telegram under the name Telegram Open Network, but is currently developed and operated primarily by the TON Foundation.

To further evade detection, the attacker packaged the malware as a Node.js application and applied virtual machine-based obfuscation, a method that wraps the code inside a protected execution environment, preventing security researchers from easily inspecting its logic through static analysis alone.

This combination of techniques makes reverse engineering the malware a significant challenge.

While executing the LNK file and running TONResolver via Node.js does not immediately result in file or credential theft, the malware establishes a persistent “keepalive” connection with the attacker’s server.

This backdoor capability allows the attacker to execute additional commands and deploy further payloads at will, suggesting that victims are selectively targeted for follow-up attacks based on their endpoint details and IP address information.

“In alignment with the campaign’s progression, new domain registrations and C2 server switching were also carried out, indicating that the attackers are constantly monitoring attack trends and success rates,” said the TrendAI researchers.

TrendAI’s Recommended Mitigation Measures

Based on their findings, TrendAI researchers recommended the following measures to mitigate this type of threat:

  • Restrict access to blockchain platforms: Deploy a proxy gateway on internet-facing endpoints and enforce connection filtering to block access to blockchain platforms such as the TON network
  • Monitor and restrict Node.js execution: mplement application control policies to monitor and restrict suspicious use of Node.js, particularly any instances where it creates autorun entries or executes from unexpected locations
  • Block unauthorized PowerShell network communications: Using endpoint firewall capabilities, restrict outbound communications initiated by PowerShell to external IP addresses
  • Filter PowerShell-based web requests: Configure web gateway or internet access policies to block outbound HTTP requests containing PowerShell-based User-Agent strings



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleDawn of the Apex Agentic Adversary
Next Article Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
Team-CWD
  • Website

Related Posts

News

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

July 1, 2026
News

Dawn of the Apex Agentic Adversary

July 1, 2026
News

Critical SimpleHelp Vulnerability Exploited For Malware Delivery

June 30, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Top IRS scams to look out for in 2026

February 10, 2026

Scams target soccer fans with fake World Cup tickets, merchandise

May 22, 2026

Here’s how to avoid a ‘second strike’

April 11, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.