TONResolver Malware Hides Its C2 in the TON Blockchain to Hit Hotel Partners
ID: 33e88290-f929-56a9-a8ad-bdb258b0a07f
STIX ID: report--33e88290-f929-56a9-a8ad-bdb258b0a07f
Feed Name: securityonline.info
Trend Micro and Microsoft analyzed a phishing campaign that delivered TONResolver/TonRAT — a Node.js RAT targeting Booking.com partner hotels (mainly in Japan). Attackers used complaint-themed phishing messages that downloaded a ZIP containing a photo-like shortcut which executed a hidden PowerShell chain to install Node.js and run the payload. The malware resolves live C2 domains stored in a TON blockchain smart contract (dead-drop resolver), connects over encrypted WebSockets using ECDH/AES-256, and supports remote JavaScript execution, file fetch/launch, and PowerShell commands; defenders are advised to train staff, restrict PowerShell, monitor Node.js from user profiles, and watch for unusual WebSocket and blockchain API traffic.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
