TONResolver RAT Targets Japan's Hotel Industry via Phishing Emails
In May 2026, a series of phishing emails targeted Japanese accommodation facilities associated with Booking.com, using deceptive subject lines to lure victims. The emails contained a zip file with a shortcut link disguised as a photo file, which initiated the infection of TrojanSpy.JS.TONRESOLVER.A. This malware exploits the TON blockchain as a dead drop resolver, complicating detection and takedown efforts. The attacks primarily affected hotel employees, with a focus on customer complaints to increase credibility. TrendAI telemetry indicated that most accesses originated from Japan, highlighting the localized impact. The malware maintains a persistent connection to await commands, posing ongoing risks of credential theft and further malware deployment. Traditional email authentication methods proved ineffective against these attacks, necessitating enhanced security measures.
Key Points:
• Phishing emails targeted Japanese hotels using Booking.com, leveraging customer complaints.
• Malware exploits the TON blockchain for command-and-control, complicating detection.
• Traditional email authentication methods failed to prevent these sophisticated phishing attempts.
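Because email authentication did not stop these messages, the zip attachment itself can be inspected at the mail gateway for the shortcut disguised as a photo. The following is an added example, not code from the original report: it identifies shortcut files by their Shell Link header rather than by file name. The entry names, the list of image extensions, and the assumption that the lure uses an image-like name are constructed for illustration.

```python
import io
import zipfile

# Shell Link (.lnk) files start with HeaderSize 0x4C and the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
IMAGE_HINTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")  # assumed lure extensions


def find_shortcuts(zip_bytes):
    """Return (entry name, reason) for every shortcut found in a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted entry: content cannot be checked
                findings.append((info.filename, "encrypted, not inspected"))
                continue
            with zf.open(info) as fh:
                if fh.read(len(LNK_MAGIC)) != LNK_MAGIC:
                    continue
            name = info.filename.lower()
            if not name.endswith(".lnk"):
                reason = "shortcut content under a non-.lnk name"
            elif any(hint in name[:-4] for hint in IMAGE_HINTS):
                reason = "shortcut named like an image"
            else:
                reason = "shortcut in archive"
            findings.append((info.filename, reason))
    return findings


def build_sample():
    """Constructed test archive; names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("room_photo.jpg.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("IMG_0001.png", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.txt", b"constructed sample text")
        zf.writestr("shortcut.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_shortcuts(build_sample()):
        print(f"{name}: {reason}")
```

Any finding on an inbound attachment is a reasonable quarantine trigger, since shortcut files rarely have a legitimate reason to arrive by email.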