Phishing Campaign Targets Japan's Hotels Using TONResolver RAT

In late May 2026, a phishing campaign targeting Japan's hotel industry was identified, utilizing emails that impersonated guest complaints to deliver the TONResolver RAT. The emails, sent to Booking.com partner accommodations, contained malicious links leading to a ZIP file with a disguised shortcut file (LNK) that installed the TrojanSpy.JS.TONRESOLVER.A malware. This malware exploits the TON blockchain as a dead drop resolver, complicating detection and takedown efforts. Japanese hotels were primarily targeted, although other countries were also affected. The attack method bypassed traditional email security measures like SPF, DKIM, and DMARC. The persistent nature of the malware poses ongoing risks for credential theft and further compromises. Trend Micro's TrendAI Research confirmed the attack's details and scope, emphasizing the sophistication of the phishing tactics employed.

Key Points: • Phishing emails targeted Booking.com partners in Japan with guest complaint lures. • The TONResolver RAT uses the TON blockchain for command-and-control evasion. • Traditional email security measures failed to prevent these sophisticated attacks.