GBHackers

Japan Hotel Industry Targeted With TONResolver RAT and Guest Complaint Phishing Emails


Japan’s hotel sector is the latest target of a sophisticated phishing and remote-access trojan (RAT) campaign that leverages guest-complaint lures and an unusual resilience mechanism: a TON blockchain–based dead-drop resolver.

Beginning in late May 2026, attackers sent highly targeted emails to Booking.com partner properties in Japan with subject lines such as “重要:ゲスト滞在レビュー依頼” (Important: Guest Stay Review Request) and “【重要】お客様からの重大な苦情に関するご連絡.”

The messages requested that staff review photos or evidence via a hyperlink. When recipients clicked, they downloaded a ZIP that contained a shortcut (LNK) impersonating an image; execution of that LNK kicked off a multi-stage infection chain that ultimately loads a Node.js–based RAT called TONResolver (detected as TrojanSpy.JS.TONRESOLVER.A).

Delivery was not monolithic. Researchers observed both bulk phishing and “conversational” attacks using Gmail: attackers first exchange innocuous messages to build trust, then follow up with the malicious link.

The campaign also abused a scheduling tool’s notification functionality to send deceptive emails, which reduced the effectiveness of domain authentication controls such as SPF, DKIM, and DMARC.

Hyperlink anchor text commonly urged recipients to “Download Photos and Videos” or “証拠写真・動画を確認する,” increasing the social-engineering pressure on frontline staff tasked with guest complaints.

Telemetry plot results from May 17 to June 8 (Source : TrendMicro).

The infection chain is intentionally complex, both to evade detection and to make its persistence harder to remove. The LNK launches PowerShell that reconstructs an encoded domain by arithmetic on very large integers (using System.Numerics.BigInteger), requests a PS1 payload only when the User-Agent indicates PowerShell, and runs the script hidden from view.

TrendMicro said in a report shared with GBHackers: “Attackers are targeting employees of Booking.com partner companies in Japan, using phishing emails that impersonate guest complaints.”


The PS1 places Node.js under %USERPROFILE%\AppData\Local\Nodejs (the malware fetches an official Node v24.13.0 distribution if node.exe is absent), drops an obfuscated JavaScript payload and launches it with node.exe.

Duration of domain creation per TLD group (Source : TrendMicro).

The “ghastlier” domain used in the Registrant Email is a disposable email domain, making long-term continued use difficult.

Domains linked to the same attacker (or attack group) fell into four top-level domain (TLD) groups, all of which delivered the same initial payload on request.

That JavaScript implements VM-based obfuscation and a custom interpreter, complicating static analysis.

TONResolver’s distinguishing capability is resolving its command-and-control (C&C) address via a TON (The Open Network) smart contract accessed through TonAPI.

Instead of hardcoding a C&C domain, the malware queries a smart-contract method (methods/get_domain) exposed through tonapi[.]io; the attacker writes new C&C domains into the contract, enabling seamless server swaps if a current C&C is blocked or taken down.

Attack flow from TONResolver to subsequent malware infection (Source : TrendMicro).

TrendMicro telemetry shows multiple domains were written to the contract over time, and transaction timestamps map to domain changes, evidence that the actor actively rotates infrastructure.

Once connected to the retrieved C&C via WebSocket, TONResolver performs an ECDH secp256k1 key exchange, derives AES keys with HKDF-SHA256, and communicates with AES-256-CBC encryption.

Observed behavior includes persistent keepalive pings, endpoint profiling (username, hostname, OS, CPU, memory, MAC, and the initial domain argument), and a command set that can execute arbitrary JavaScript, fetch and run files, or execute PowerShell.

The RAT’s capabilities and persistence mechanisms make it an effective initial-access foothold for follow-on activity.

TrendAI Vision One MDR observed subsequent deployment of additional binaries that targeted local browser stores and lsass.exe, classic indicators of credential-theft attempts.

The adversary’s workflow is clear: socially engineered email → LNK execution → staged PowerShell → Node.js payload → TON smart-contract resolution → stealthy RAT persistence → selective secondary compromise.

Defenders should treat any guest-complaint attachments or photo links as high risk, enforce network-layer egress filtering for suspicious TLDs and child domains, enable application allowlisting for PowerShell and node.exe, monitor outbound WebSocket and unusual User-Agent strings, and inspect TON contract transactions for abuse.
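The monitoring advice above can be turned into a small host/proxy telemetry check that looks for the stages this article describes (BigInteger-heavy PowerShell, a PowerShell User-Agent fetching a .ps1, node.exe dropped under the user profile, a TonAPI get_domain lookup, and node.exe opening a WebSocket). This is an added example, not TrendMicro's or GBHackers' code; the key=value log format, the sample lines (with placeholder domains and contract address) and the exact TonAPI URL path are constructed assumptions.

```python
import re

# Constructed sample telemetry (placeholder hosts, not real IoCs), in a simplified
# key=value export format assumed for this example.
SAMPLE_EVENTS = [
    'type=proc image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=explorer.exe '
    'cmdline="powershell -w hidden [System.Numerics.BigInteger]::Parse(...)"',
    'type=http image=powershell.exe ua="Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1" '
    'url=http://lure-placeholder.test/complaint/photos.ps1',
    'type=proc image=C:\\Users\\frontdesk\\AppData\\Local\\Nodejs\\node.exe parent=powershell.exe '
    'cmdline="node.exe payload.js"',
    # TonAPI path shape is assumed; only tonapi.io and methods/get_domain come from the report.
    'type=http image=node.exe ua="node" '
    'url=https://tonapi.io/v2/blockchain/accounts/EQ-PLACEHOLDER/methods/get_domain',
    'type=ws image=node.exe url=wss://c2-placeholder.test/ws',
    'type=http image=chrome.exe ua="Mozilla/5.0" url=https://www.booking.com/',  # benign
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict:
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in _KV.findall(line)}

def classify(ev: dict) -> list[str]:
    """Return the names of the TONResolver-chain rules an event matches."""
    t, img = ev.get("type"), ev.get("image", "").lower()
    cmd, ua, url = ev.get("cmdline", "").lower(), ev.get("ua", "").lower(), ev.get("url", "").lower()
    parent = ev.get("parent", "").lower()
    hits = []
    if t == "proc" and img.endswith("powershell.exe") and "system.numerics.biginteger" in cmd:
        hits.append("powershell_bigint_stager")          # domain rebuilt by BigInteger arithmetic
    if t == "http" and "windowspowershell" in ua and url.endswith(".ps1"):
        hits.append("powershell_ua_ps1_download")        # PS1 served only to a PowerShell User-Agent
    if t == "proc" and img.endswith("node.exe") and "\\appdata\\local\\nodejs\\" in img \
            and parent.endswith("powershell.exe"):
        hits.append("node_dropped_under_userprofile")    # Node.js placed under %USERPROFILE%
    if t == "http" and img.endswith("node.exe") and "tonapi.io" in url and "methods/get_domain" in url:
        hits.append("ton_dead_drop_resolution")          # C&C fetched from the TON smart contract
    if t == "ws" and img.endswith("node.exe"):
        hits.append("node_outbound_websocket")           # RAT channel is WebSocket
    return hits

def scan(lines: list[str]) -> tuple[list[tuple[int, list[str]]], set[str]]:
    """Per-line hits plus the set of distinct rules, so a host tripping several
    stages of the chain (not one noisy rule) can be escalated."""
    findings = [(i, h) for i, ln in enumerate(lines) if (h := classify(parse_event(ln)))]
    return findings, {r for _, hs in findings for r in hs}

if __name__ == "__main__":
    found, rules = scan(SAMPLE_EVENTS)
    print(f"{len(rules)} distinct chain stages seen:", sorted(rules))
```

Alert thresholds are deliberately left to the reader: one rule alone (a WebSocket from node.exe) is common in developer environments, while three or more distinct stages on one host within minutes is the pattern worth paging on.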
