Introduction: When a Guest Complaint Becomes a Cyber Weapon
The hospitality industry thrives on trust. Every guest review, booking confirmation, and customer complaint is part of daily business. Unfortunately, cybercriminals understand this better than anyone. Instead of attacking hotel infrastructure directly, they are now exploiting the very communication channels hotel employees rely on every day.
A newly uncovered campaign shows how phishing has evolved beyond fake invoices and generic spam. This time attackers impersonate Booking.com guest communications to trick hotel employees into installing a stealthy malware platform called TONResolver. More alarming is how the malware locates its operators: instead of carrying hardcoded command-and-control addresses, it reads them from a public blockchain, which makes the infrastructure far harder for security teams to map or take down.
The discovery highlights a growing trend where legitimate technologies are being repurposed for malicious operations, forcing defenders to rethink traditional cybersecurity strategies.
Cybercriminals Target Booking.com Hotel Partners Across Multiple Countries
Security researchers at TrendAI Research, Trend
Rather than sending obvious spam, attackers crafted convincing emails pretending to be legitimate guest review requests and customer complaints. The messages encouraged hotel employees to continue the conversation, increasing the likelihood that victims would trust future emails.
The campaign initially focused heavily on Japanese hospitality businesses, although researchers later identified victims across several countries including Austria, Australia, France, Germany, Indonesia, Italy, the Netherlands, Russia, South Korea, Turkey, the United Kingdom, and the United States.
Despite its international reach, Japanese hotels remained the campaign’s primary target.
A Simple ZIP File Opens the Door to Complete System Compromise
The phishing sequence unfolds gradually instead of relying on a single malicious attachment.
Victims first receive what appears to be a legitimate Booking.com notification asking them to respond to a guest review. After establishing credibility, attackers send another email containing a hyperlink.
Clicking the link downloads a ZIP archive.
Inside the archive is what appears to be a harmless photograph. In reality the file is a Windows shortcut (LNK) given an image-like name; Explorer never displays the .lnk extension, so the disguise holds even for users who have file extensions enabled. Opening it silently launches a PowerShell script.
That PowerShell script installs the malware detected as TrojanSpy.JS.TONRESOLVER.A, referred to here as TONResolver, which then checks in with attacker-controlled infrastructure.
Because this first stage does little beyond installation and a check-in, it gives security products few behaviours to flag, and many may initially overlook it.
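As an added example (not code from the original article or from Trend's report), the following Python script inspects a ZIP archive offline and flags entries that carry a Windows shortcut header or whose extension does not match their content. The archive is constructed for the demo: the "shortcut" entry is only a valid MS-SHLLINK header with zero padding, not a working LNK, and the filename patterns are assumptions about how such lures are disguised rather than indicators taken from the report.

```python
import io
import zipfile

# MS-SHLLINK fixed header prefix: HeaderSize 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# File signatures for the image types a "guest photo" lure would imitate.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
IMAGE_EXTS = tuple(IMAGE_MAGIC)
# Extensions that execute on double-click; Explorer never shows .lnk, which is why it is a favourite.
EXEC_EXTS = (".lnk", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat", ".scr")


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry looks like a disguised executable (empty list if clean)."""
    reasons = []
    lowered = name.lower().rstrip()
    if head.startswith(LNK_MAGIC):
        reasons.append("content is a Windows shortcut (MS-SHLLINK header)")
    if lowered.endswith(EXEC_EXTS):
        # "photo.jpg<many spaces>.lnk" renders as "photo.jpg" in a narrow Explorer column.
        stem = lowered.rsplit(".", 1)[0].rstrip()
        if stem.endswith(IMAGE_EXTS):
            reasons.append("image-looking name hides an executable extension")
        else:
            reasons.append("executable or script extension")
    else:
        for ext, magic in IMAGE_MAGIC.items():
            if lowered.endswith(ext) and not head.startswith(magic):
                reasons.append(f"{ext} name but the bytes are not {ext} data")
                break
    return reasons


def inspect_zip(archive: bytes, probe: int = 64) -> dict[str, list[str]]:
    """Scan every file in a ZIP held in memory; only the first `probe` bytes of each entry are read."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(probe)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


# Constructed sample archive (assumption: names chosen to mimic a hotel "guest photo" lure).
DISGUISED_NAME = "room_photo_2.jpg" + " " * 16 + ".lnk"


def build_sample_zip() -> bytes:
    """Three entries: a genuine-looking JPEG, a shortcut behind an image name, and a PNG holding HTML."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header only; not a functional shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("room_photo_1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr(DISGUISED_NAME, fake_lnk)
        zf.writestr("complaint_details.png", b"<html><body>not an image</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in inspect_zip(build_sample_zip()).items():
        print(f"{entry!r}: {'; '.join(why)}")
```

The header check matters more than the name check: renaming is free for the attacker, but a shortcut that does not start with the MS-SHLLINK header will not run as a shortcut, so the signature is the part they cannot hide. Run it at the mail gateway or in a sandbox before the archive reaches a front-desk mailbox.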
Blockchain Technology Becomes a New Weapon for Malware Operators
Traditional malware usually contains hardcoded command-and-control servers, which defenders can blocklist or seize.
TONResolver takes a different approach.
Instead of embedding server addresses inside the malware, it reads the current command-and-control location from smart contracts on The Open Network (TON) blockchain.
Security researchers describe this use of the blockchain as a "dead drop resolver": the chain does not host the C2 itself, it only stores a pointer to it.
Whenever the attackers move their infrastructure to a new server, they simply update the value stored in the contract.
Every infected host retrieves the latest destination on its next lookup, so the attackers never have to modify or redistribute the malware.
This gives the operators a great deal of flexibility and makes infrastructure takedowns considerably harder, because the pointer lives on a public ledger that no single hosting provider or registrar can remove.
Why TONResolver Is Difficult to Detect
The attackers combined multiple advanced evasion techniques into a single malware platform.
TONResolver is packaged as a Node.js application rather than a conventional Windows executable.
The malware also employs virtual machine-based obfuscation: its real logic is compiled into custom bytecode and executed by an interpreter embedded in the package, so the JavaScript a static tool sees is mostly the interpreter, not the malware.
This layer prevents analysts from easily recovering its behaviour through traditional static analysis.
Reverse engineering becomes significantly more complex because researchers must first understand or instrument the interpreter before reaching the malware's true logic.
These techniques demonstrate a level of sophistication increasingly common among financially motivated cybercriminal groups.
The Initial Infection Is Only the Beginning
Unlike ransomware that immediately encrypts files, TONResolver behaves patiently.
After installation, the malware establishes a persistent connection back to attacker-controlled infrastructure.
This backdoor allows operators to remotely execute commands whenever they choose.
Researchers observed no immediate credential theft during the initial infection stage.
Instead, attackers appear to profile compromised systems by collecting endpoint information, IP addresses, and environmental details.
Victims who appear valuable may later receive additional malware payloads capable of credential theft, espionage, financial fraud, or full network compromise.
This staged attack methodology reduces detection while maximizing operational efficiency.
Email Security Defenses Were Quietly Bypassed
One of the
Instead of spoofing Booking.com's domain directly, they abused notification features within an online scheduling service to deliver the lure.
Because those emails were genuinely sent by that service from its own infrastructure, they passed SPF, DKIM, and DMARC for the service's domain. Authentication results were therefore "pass" even though the message had nothing to do with Booking.com.
As a result, many security gateways allowed the messages to reach employee inboxes without raising significant suspicion.
This illustrates an increasingly common tactic where attackers exploit trusted cloud services rather than attempting to imitate them.
TrendAI’s Recommended Security Measures
Researchers recommend organizations strengthen defenses beyond conventional email filtering.
Restricting access to blockchain platforms through a secure proxy gateway can prevent the malware from reaching TON infrastructure, and therefore from ever learning where its command-and-control server is.
Application control and EDR policies should alert on unexpected Node.js execution, especially when node.exe is launched automatically, is spawned by a script host such as PowerShell, or runs outside approved installation directories.
PowerShell outbound communications should be restricted using endpoint firewall policies to prevent unauthorized network connections.
Organizations should also configure web gateways to block outbound HTTP requests carrying PowerShell-specific User-Agent strings. This only catches tools that keep the default User-Agent, and an attacker can override it, so treat it as one layer rather than a guarantee.
Combined with employee phishing awareness training, these measures significantly reduce exposure to similar campaigns.
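The recommendations above (Node.js execution monitoring, PowerShell network restrictions, blockchain API blocking) translate into a small set of behavioural rules. The Python below is an added example, not code from the article or from Trend, that runs such rules over constructed Sysmon-style process events and proxy log lines. The approved Node.js directories, the blockchain API hostnames (toncenter.com and tonapi.io are public TON API front-ends, used here only as an illustrative denylist since the report does not say which endpoints the malware queried), the log format and all sample paths and addresses are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Directories from which node.exe is expected to run (assumed policy; tailor to your estate).
APPROVED_NODE_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")
# Parents that should not normally be spawning a Node.js runtime on a front-desk workstation.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "explorer.exe")
# Illustrative denylist of public TON API hosts; an assumption, not an indicator from the report.
BLOCKCHAIN_API_HOSTS = ("toncenter.com", "tonapi.io")
# Invoke-WebRequest/Invoke-RestMethod advertise "WindowsPowerShell/<ver>" (Windows PowerShell) or
# "PowerShell/<ver>" (pwsh) in the default User-Agent. System.Net.WebClient sends none by default.
PS_UA = re.compile(r"(?:Windows)?PowerShell/\d+\.\d+", re.IGNORECASE)
STEALTH_FLAGS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop")
# Constructed proxy-log layout: timestamp src method url status "user-agent".
PROXY_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


@dataclass
class ProcessEvent:
    image: str          # full path of the new process (Sysmon Event ID 1 "Image")
    parent_image: str   # full path of the parent ("ParentImage")
    command_line: str


def check_process(ev: ProcessEvent) -> list[str]:
    """Behavioural rules for the LNK -> PowerShell -> Node.js chain; returns the matched rule names."""
    image, parent = ev.image.lower(), ev.parent_image.lower()
    exe, pexe = image.rsplit("\\", 1)[-1], parent.rsplit("\\", 1)[-1]
    hits = []
    if exe == "node.exe":
        if not image.startswith(APPROVED_NODE_DIRS):
            hits.append("node.exe running outside approved directories")
        if pexe in SCRIPT_HOSTS:
            hits.append(f"node.exe spawned by {pexe}")
    # A double-clicked LNK runs its target with explorer.exe as the parent.
    if exe in ("powershell.exe", "pwsh.exe") and pexe == "explorer.exe":
        cl = ev.command_line.lower()
        if any(flag in cl for flag in STEALTH_FLAGS):
            hits.append("PowerShell launched from Explorer with stealth flags")
    return hits


def check_proxy_line(line: str) -> list[str]:
    """Web-gateway rules: PowerShell User-Agent and traffic to blockchain API hosts."""
    m = PROXY_LINE.match(line)
    if not m:
        return ["unparseable proxy line"]
    host = (urlparse(m["url"]).hostname or "").lower()
    hits = []
    if PS_UA.search(m["ua"]):
        hits.append("PowerShell user agent")
    for api in BLOCKCHAIN_API_HOSTS:
        if host == api or host.endswith("." + api):
            hits.append(f"request to blockchain API host {api}")
    return hits


# Constructed telemetry; paths, hosts and the base64 blob are made up for the demo.
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
                 "powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="),
    ProcessEvent(r"C:\Users\frontdesk\AppData\Roaming\svc\node.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "node.exe app.js"),
    ProcessEvent(r"C:\Program Files\nodejs\node.exe",
                 r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe", "node.exe build.js"),
]
SAMPLE_PROXY_LOG = [
    '2026-06-01T09:12:41Z 10.10.5.23 POST https://toncenter.com/api/v2/jsonRPC 200 '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"',
    '2026-06-01T09:12:45Z 10.10.5.23 GET https://tonapi.io/v2/blockchain/config 200 "axios/1.6.8"',
    '2026-06-01T09:13:02Z 10.10.5.40 GET https://www.booking.com/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"',
]


def scan() -> dict[str, list[str]]:
    """Run both rule sets over the sample telemetry and return only the events that fired."""
    out: dict[str, list[str]] = {}
    for i, ev in enumerate(SAMPLE_PROCESSES):
        if hits := check_process(ev):
            out[f"proc{i}"] = hits
    for i, line in enumerate(SAMPLE_PROXY_LOG):
        if hits := check_proxy_line(line):
            out[f"proxy{i}"] = hits
    return out


if __name__ == "__main__":
    for key, hits in scan().items():
        print(key, "->", "; ".join(hits))
```

The developer workstation's node.exe (approved directory, IDE parent) produces no hits, which is the point: the rule keys on where Node.js runs from and who launched it, not on the filename. The same host appears in both a PowerShell-User-Agent request and a blockchain API request within seconds, which is the correlation a hunter would pivot on.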
The Growing Abuse of Legitimate Technologies
Cybercriminals increasingly avoid creating entirely new infrastructure.
Instead, they weaponize trusted technologies already used across the internet.
Cloud storage platforms, content delivery networks, Git repositories, and blockchain networks.
Every legitimate platform provides attackers with additional opportunities to hide malicious activity inside ordinary internet traffic.
The TONResolver campaign demonstrates how decentralized technologies originally designed for resilience and transparency can unintentionally provide resilience for malware operations as well.
Deep Analysis: Understanding TONResolver Through Technical Investigation
Security analysts investigating similar threats should focus on behavioral detection instead of relying solely on malware signatures.
Useful Windows investigation commands include:
Get-Process
Get-Service
Get-ScheduledTask
Get-NetTCPConnection
Get-ChildItem HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
Get-WinEvent -LogName Security -MaxEvents 100
Get-ExecutionPolicy
Get-Command node
Get-Process node
tasklist
netstat -ano
ipconfig /all
whoami
systeminfo
Linux analysts examining network activity within enterprise environments may use:
ps aux
top
htop
ss -tulpn
netstat -plant
lsof -i
journalctl -xe
systemctl list-units
systemctl status
crontab -l
find / -name node 2>/dev/null
find / -name "*.js" 2>/dev/null
tcpdump -i any
iptables -L
nft list ruleset
curl ifconfig.me
dig
nslookup
traceroute
who
last
uname -a
hostnamectl
cat /etc/os-release
ls -la ~/.config
grep -R "node" /etc/systemd/
Behavioral monitoring should prioritize unusual Node.js execution, unexpected PowerShell network activity, newly created autorun entries, outbound blockchain communication, and persistence mechanisms. Network segmentation, endpoint detection and response (EDR), DNS monitoring, and centralized logging can significantly improve detection capabilities. Threat hunters should also monitor unusual smart contract interactions and unexplained outbound connections that do not align with normal business operations.
What Undercode Says:
The TONResolver campaign represents more than another phishing operation. It reflects the next stage in cybercrime evolution.
Attackers are no longer relying on easily blacklisted infrastructure.
Instead, they are adopting decentralized technologies that were never intended to host malware operations.
Blockchain networks offer persistence.
Smart contracts provide dynamic infrastructure updates.
Legitimate cloud services deliver trusted communications.
Each innovation increases attacker resilience.
The hospitality industry remains particularly vulnerable because employees interact with thousands of external users every day.
Guest complaints naturally create urgency.
Urgency reduces skepticism.
The phishing emails are carefully designed to exploit customer service culture.
The delayed attack chain also deserves attention.
Rather than immediately stealing passwords, attackers first establish persistence.
This reduces behavioral indicators.
It also allows attackers to prioritize high-value victims.
Another concerning aspect is the use of Node.js.
Many organizations trust Node.js because it is widely used by developers.
Security teams may not closely monitor its execution.
That assumption creates blind spots.
PowerShell remains another favorite attacker tool.
Although legitimate for administration, it continues to appear in advanced attack chains.
Traditional email security is also facing serious challenges.
SPF, DKIM, and DMARC all remain valuable.
Yet attackers increasingly abuse legitimate services instead of forging identities.
Authentication alone cannot stop social engineering.
Behavioral detection becomes essential.
Employee awareness must evolve alongside technology.
Hotels should regularly simulate phishing campaigns.
Incident response teams should monitor blockchain communication patterns.
Threat intelligence sharing across the hospitality sector should become routine.
Organizations should also inventory every application capable of scripting or remote execution.
Least-privilege principles remain highly effective.
Endpoint visibility is no longer optional.
Modern attacks increasingly combine multiple trusted technologies into a single operation.
Security teams must think like attackers.
Detection should focus on behavior rather than filenames.
Infrastructure resilience now belongs to both defenders and adversaries.
TONResolver demonstrates that
✅ TrendAI Research publicly reported a phishing campaign targeting Booking.com accommodation partners using TONResolver malware during late May 2026, with the detailed report published on June 29.
✅ The malware uses The Open Network (TON) blockchain as a dead drop resolver, allowing operators to dynamically update command-and-control destinations without embedding fixed server addresses inside the malware.
✅ Researchers confirmed that the campaign relied on phishing emails delivering ZIP archives containing disguised LNK shortcut files, which executed PowerShell scripts to install the malware. The report also recommends restricting blockchain access, monitoring Node.js execution, and limiting PowerShell outbound communications as effective defensive measures.
Prediction
(+1) Security vendors will increasingly develop behavioral detection engines capable of identifying malware that abuses blockchain platforms, Node.js runtimes, and decentralized infrastructure, improving enterprise resilience against similar campaigns. 🔒📈
(-1) Threat actors are likely to expand blockchain-based command-and-control techniques beyond the hospitality sector, targeting healthcare, finance, government agencies, and cloud service providers while combining artificial intelligence with increasingly convincing phishing campaigns, making future attacks significantly harder to detect. ⚠️🌐
References:
Reported By: www.infosecurity-magazine.com