A new wave of phishing attacks has been observed targeting the Japanese hotel industry, specifically partners of Booking.com. Attackers utilize emails disguised as guest complaints or review requests to deliver a malicious ZIP archive. Once a victim executes the included shortcut (LNK) file, a multi-stage infection chain begins, involving PowerShell scripts that eventually deploy a Node.js-based Remote Access Trojan (RAT) dubbed TONResolver.
TONResolver distinguishes itself by leveraging The Open Network (TON) blockchain as a 'dead drop resolver.' By querying a specific smart contract via the legitimate TonAPI service, the malware can dynamically retrieve its command-and-control (C2) server domain. This technique allows threat actors to update infrastructure seamlessly even if specific domains are blocked. Observed follow-on activities include credential theft from major web browsers and persistent monitoring of infected endpoints via an encrypted WebSocket connection.
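The chain described above (LNK, then PowerShell, then a Node.js process that queries the TON API before opening an encrypted WebSocket) can be hunted for in endpoint telemetry. The following Python script is an added example, not code from the original report or from the malware; the event shapes, process names and the tonapi.io host are assumptions, and the events are constructed sample data.

```python
"""Triage helper: flag node.exe processes that follow the TONResolver-style chain.

Logic: a node.exe with a PowerShell ancestor that first contacts the TON API
(the dead-drop resolver, assumed here to be tonapi.io) and afterwards opens a
WebSocket (wss) to some other host. Events below are constructed, not real.
"""
from collections import defaultdict

RESOLVER_HOSTS = {"tonapi.io"}              # assumption; tune to your own telemetry
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

# Constructed sample telemetry: process creations ("proc") and connections ("net").
EVENTS = [
    {"type": "proc", "pid": 10, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"type": "proc", "pid": 30, "ppid": 10, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -f stage1.ps1"},   # launched via the LNK
    {"type": "proc", "pid": 40, "ppid": 30, "image": "node.exe", "cmd": "node.exe app.js"},
    {"type": "net", "pid": 40, "host": "tonapi.io", "proto": "https"},        # resolver query
    {"type": "net", "pid": 40, "host": "c2.example.invalid", "proto": "wss"},  # resolved C2
    # Benign control: a developer running node from the desktop, no PowerShell parent.
    {"type": "proc", "pid": 50, "ppid": 10, "image": "node.exe", "cmd": "node.exe server.js"},
    {"type": "net", "pid": 50, "host": "registry.npmjs.org", "proto": "https"},
]


def has_ancestor(procs, pid, names):
    """True if any ancestor of pid (by ppid chain) has an image name in names."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs and procs[pid]["image"].lower() in names:
            return True
    return False


def find_suspicious(events):
    """Return pids of node.exe processes matching: PowerShell ancestor,
    resolver lookup, then a WebSocket to a non-resolver host (in that order)."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    net = defaultdict(list)
    for e in events:
        if e["type"] == "net":
            net[e["pid"]].append((e["proto"], e["host"]))
    hits = []
    for pid, p in procs.items():
        if p["image"].lower() != "node.exe" or not has_ancestor(procs, pid, SCRIPT_HOSTS):
            continue
        conns = net.get(pid, [])
        resolver_idx = [i for i, (_, h) in enumerate(conns) if h in RESOLVER_HOSTS]
        if not resolver_idx:
            continue
        later = conns[resolver_idx[0] + 1:]
        if any(proto == "wss" and h not in RESOLVER_HOSTS for proto, h in later):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print("suspicious node.exe pids:", find_suspicious(EVENTS))
```

The ordering check (resolver query before the WebSocket) is what separates a dead-drop lookup from ordinary Node.js tooling that happens to use both HTTPS and WebSockets.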