Researchers at Trend Micro have uncovered a phishing campaign aimed squarely at Japan's hotel industry, one that plants a stealthy remote access trojan and then hides its command server on a public blockchain so defenders cannot easily shut it down. The malware, named TONResolver, gives attackers a foothold on hotel staff computers and opens the door to credential theft and deeper intrusions.
According to Trend Micro researcher Yuya Sato, the operators went after employees of Booking.com partner properties in Japan, blasting out emails that posed as furious guest complaints. One lure claimed a child had been bitten by bedbugs and demanded the hotel review attached "evidence" photos. The goal was simple: panic a front desk worker into opening the attachment.
How the attack works
The emails carried a link to a booby-trapped ZIP file. Inside was a Windows shortcut (an LNK file) disguised as a photo. Clicking it ran a hidden PowerShell command that rebuilt a download address from a pair of huge numbers, fetched a follow-on script, and quietly installed a copy of Node.js to run the final payload. The malicious server only answered requests that carried a PowerShell user-agent string, so a curious analyst opening the link in a browser just saw a 404 error.
What makes TONResolver notable is how it finds its operator. Instead of hard-coding a command and control (C&C) address that defenders could block, the trojan reads the current server domain out of a smart contract on The Open Network (TON), the blockchain platform that grew out of Telegram. This "dead drop resolver" trick means that if one C&C server is taken down, the criminals simply write a new address into the contract and infected machines follow it automatically. We have seen the same blockchain-hiding playbook before, in malware that stashed its servers on the Ethereum blockchain and in a malware-for-hire kit that hid on the blockchain to survive takedowns.
What's affected
Trend Micro's telemetry showed the heaviest activity in Japan between mid-May and early June 2026, though English-language versions of the lure suggest the operators are willing to chase non-Japanese targets too. In a twist borrowed from advanced spy groups, some approaches began as a polite, link-free inquiry over Gmail; only after the hotel replied and trust was built did a second message arrive carrying the malicious URL. Because the messages were sent through a legitimate scheduling tool's notification feature, standard email checks like SPF, DKIM, and DMARC did not stop them. Japan has been a repeated target for stealthy intrusions lately, including a campaign that used a Microsoft-signed driver to disable security software.
Once running, TONResolver sets a registry Run key for persistence, phones home over an encrypted WebSocket channel, and sits in a keepalive loop, checking in every 20 seconds for commands. Trend Micro's analysis indicates it can run arbitrary code, fetch and launch files, and execute PowerShell, all building blocks for stealing passwords and spreading deeper into a network.
What you should do
Treat unexpected "guest complaint" emails carrying links or attachments as suspect, especially ZIP files that contain shortcut files. Block or alert on LNK files launching PowerShell, watch for unexplained Node.js installs under the user profile, and flag outbound traffic to tonapi[.]io from ordinary workstations. Trend Micro detects the trojan as TrojanSpy.JS.TONRESOLVER.A. You can read the original report for full technical detail.
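As an added example, not code from the Trend Micro report or this briefing, the following Python turns the three detection hints above (LNK-launched PowerShell, Node.js under a user profile, traffic to tonapi[.]io) plus the Run-key persistence into rules run over constructed Sysmon-style records. The field names, file paths and the explorer.exe-parent heuristic for LNK launches are assumptions.

```python
import re

# Constructed sample telemetry (not real logs), loosely modelled on Sysmon
# process-creation, registry-set and network-connection events.
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -c <redacted>"},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\frontdesk\AppData\Local\Temp\node\node.exe",
     "cmdline": "node.exe app.js"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\frontdesk\AppData\Local\Temp\node\node.exe app.js"},
    {"type": "network", "image": r"C:\Users\frontdesk\AppData\Local\Temp\node\node.exe",
     "dest_host": "tonapi.io", "dest_port": 443},
    # Benign noise: a developer's system-wide Node.js and ordinary browsing.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node.exe server.js"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.booking.com", "dest_port": 443},
]

USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, event_index) pairs for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        t = ev["type"]
        # 1. Hidden-window PowerShell with explorer.exe as parent: what a
        #    double-clicked LNK carrying an embedded command looks like.
        if (t == "process" and basename(ev["image"]) == "powershell.exe"
                and basename(ev["parent"]) == "explorer.exe"
                and HIDDEN_FLAG.search(ev["cmdline"])):
            hits.append(("lnk_powershell_hidden", i))
        # 2. node.exe executing from a user profile instead of Program Files.
        if (t == "process" and basename(ev["image"]) == "node.exe"
                and USER_PROFILE.match(ev["image"])):
            hits.append(("node_in_user_profile", i))
        # 3. Run key whose command points into a user profile.
        if (t == "registry" and "\\CurrentVersion\\Run\\" in ev["key"]
                and USER_PROFILE.match(ev["value"])):
            hits.append(("run_key_user_profile", i))
        # 4. Any workstation process talking to the TON API endpoint.
        host = ev.get("dest_host", "").lower().rstrip(".")
        if t == "network" and (host == "tonapi.io" or host.endswith(".tonapi.io")):
            hits.append(("tonapi_lookup", i))
    return hits
```

Against the constructed events the four malicious records fire one rule each and the two benign records fire none; in production the same rules would run over EDR or SIEM exports rather than an inline list.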
Indicators of compromise
- TON contract / account used as a dead drop resolver: 0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9
- C&C resolver lookup: hxxps://tonapi[.]io/v2/blockchain/accounts/
- Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.