Cyber Threat Actors Target Booking.com Partner Accommodations in Japan with Advanced Phishing Campaign
Cyber threat actors have recently intensified their efforts by targeting employees at partner accommodations of Booking.com in Japan. The attackers employ sophisticated phishing emails that masquerade as guest complaints and requests for reviews, aiming to deceive hotel staff into executing harmful files. This alarming development underscores the evolving nature of cyber threats facing the hospitality industry.
The phishing campaign, which was identified by TrendAI Research, a division of Trend Micro, was detected in late May 2026. The campaign primarily focuses on emailing Japanese partner companies of Booking.com, utilizing a subject line that translates to “Important: Guest Stay Review Request” in Japanese. The emails are strategically crafted to engage the recipients in conversation, increasing the likelihood of a successful phishing attempt.
Upon further examination, it was revealed that follow-up emails from the threat actor contained hyperlinks leading to suspicious websites. These links not only directed users to potentially harmful sites but also initiated the download of a ZIP file loaded with dangerous content. Within this ZIP file lay a shortcut link file, disguised as a photo, which executed a PowerShell script, installing the malware known as TrojanSpy.JS.TONRESOLVER.A—commonly referred to as TONResolver.
This particular malware implant functions as a remote access trojan (RAT), allowing attackers to establish an initial foothold within the compromised systems. Researchers from TrendAI noted that the campaign extended beyond Japan, with similar malicious emails dispatched to Booking.com partners located in various countries such as Austria, Australia, France, Germany, Indonesia, Italy, the Netherlands, Russia, South Korea, Turkey, the UK, and the US. However, Japanese hospitality organizations appear to have been the primary targets.
A notable aspect of this attack is the method employed to avoid conventional email security measures. The phishing emails were delivered through the notification feature of a legitimate scheduling tool service, so they originated from that service's own mail infrastructure and passed sender-authentication checks such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). This represents a significant shift in tactics, allowing attackers to slip past defenses that would normally flag spoofed senders.
The Malware Infrastructure Leveraging TON Blockchain
The malware associated with this phishing campaign, TONResolver, distinguishes itself by using the TON blockchain as a dead drop resolver: instead of hardcoding a command-and-control (C2) address, the malware reads its current C2 destination from data published on the blockchain. Because attackers can change that published value at any time, the C2 infrastructure can be rotated without modifying the malware itself, which complicates detection and takedown efforts.
Initially developed by Telegram as the Telegram Open Network, the TON blockchain is currently overseen by the TON Foundation. Attackers cleverly packaged the malware as a Node.js application, applying techniques such as virtual machine-based obfuscation. This method conceals the code within a protected execution environment, making it difficult for security researchers to analyze the logic through static examination alone.
While the execution of the LNK file and the running of TONResolver through Node.js do not result in immediate credential theft or significant file alteration, the malware successfully establishes a persistent "keepalive" connection with the attacker’s server. This backdoor functionality allows for additional command execution and the deployment of subsequent payloads, indicating that victims may be selectively targeted for further attacks based on their endpoint specifics and IP address details.
The researchers at TrendAI have noted that the attackers are continuously updating their operations, with new domain registrations and shifts in C2 servers demonstrating their active monitoring of attack trends and success rates.
Mitigation Measures Recommended by TrendAI
In response to the increasing threats posed by such sophisticated phishing campaigns, TrendAI has recommended a series of precautionary measures aimed at bolstering defenses. These mitigation strategies include:
- Restricting Access to Blockchain Platforms: Organizations are encouraged to deploy proxy gateways on internet-facing endpoints and enforce connection filtering to block access to blockchain platforms like the TON network.
- Monitoring and Restricting Node.js Execution: Implementing application control policies to scrutinize and restrict suspicious uses of Node.js is vital. This is particularly important in cases where it creates autorun entries or executes from unexpected locations.
- Blocking Unauthorized PowerShell Network Communications: Utilizing endpoint firewall capabilities can help restrict outbound communications initiated by PowerShell to external IP addresses, further ensuring network security.
- Filtering PowerShell-based Web Requests: Configuring web gateway or internet access policies to block outbound HTTP requests that contain PowerShell-based User-Agent strings is another effective measure to enhance cybersecurity.
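As an added illustration of the last three measures (this is example code written for this page, not code from TrendAI, Trend Micro or the article), the following Python script applies the same heuristics to constructed sample data: a web-proxy log is scanned for PowerShell User-Agent strings, and process/network events are checked for Node.js running from an unexpected path or touching autorun locations, and for PowerShell making outbound connections to addresses outside the organization. The log layout, the allowed Node.js install directory, the internal address ranges and every sample value are assumptions.

```python
"""Detection heuristics for the Node.js and PowerShell mitigations (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Default User-Agent sent by Invoke-WebRequest / Invoke-RestMethod, e.g.
# "... WindowsPowerShell/5.1.19041.1" (Windows PowerShell) or "... PowerShell/7.4.1" (pwsh).
PS_UA_RE = re.compile(r"\b(?:WindowsPowerShell|PowerShell)/\d")

# Assumed: the only directory from which Node.js is expected to run in this environment.
NODE_ALLOWED_DIRS = ("c:\\program files\\nodejs\\",)

# Command-line fragments pointing at autorun persistence locations (Run key, Startup folder).
AUTORUN_RE = re.compile(r"currentversion\\run|\\startup\\", re.IGNORECASE)

# Assumed organization-internal ranges; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class ProcessEvent:
    image: str            # full path of the executable
    cmdline: str
    dest_ip: str = ""     # remote address of an outbound connection, if any


def is_powershell_user_agent(user_agent: str) -> bool:
    return bool(PS_UA_RE.search(user_agent))


def flag_proxy_lines(lines: List[str]) -> List[str]:
    """Return proxy log lines whose last quoted field (assumed: User-Agent) is PowerShell's."""
    flagged = []
    for line in lines:
        m = re.search(r'"([^"]*)"\s*$', line)
        if m and is_powershell_user_agent(m.group(1)):
            flagged.append(line)
    return flagged


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def is_suspicious_node(ev: ProcessEvent) -> bool:
    """node.exe launched outside the allowed directory, or with an autorun location on its command line."""
    image = ev.image.lower()
    if not image.endswith("node.exe"):
        return False
    from_unexpected_path = not image.startswith(NODE_ALLOWED_DIRS)
    touches_autorun = bool(AUTORUN_RE.search(ev.cmdline))
    return from_unexpected_path or touches_autorun


def is_powershell_external_egress(ev: ProcessEvent) -> bool:
    """PowerShell (either edition) connecting to an address outside the internal ranges."""
    is_ps = ev.image.lower().endswith(("powershell.exe", "pwsh.exe"))
    return is_ps and is_external(ev.dest_ip)


def triage(events: List[ProcessEvent]) -> Dict[str, List[ProcessEvent]]:
    return {
        "node": [e for e in events if is_suspicious_node(e)],
        "powershell_egress": [e for e in events if is_powershell_external_egress(e)],
    }


# Constructed sample data; none of these values come from the campaign described above.
PROXY_LOG = [
    '10.0.0.21 GET http://intranet.example/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"',
    '10.0.0.34 GET http://198.51.100.7/photo.zip 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '10.0.0.34 GET http://198.51.100.7/stage2 200 "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.1"',
]
EVENTS = [
    ProcessEvent(r"C:\Program Files\nodejs\node.exe", "node.exe server.js"),                   # benign
    ProcessEvent(r"C:\Users\staff\AppData\Local\Temp\node.exe", "node.exe app.js"),            # unexpected path
    ProcessEvent(r"C:\Program Files\nodejs\node.exe",
                 r"node.exe setup.js C:\Users\staff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.lnk"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File update.ps1", dest_ip="203.0.113.10"),                   # external egress
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-ChildItem", dest_ip="10.0.0.5"),                          # internal only
]

if __name__ == "__main__":
    for line in flag_proxy_lines(PROXY_LOG):
        print("PS web request:", line)
    for kind, hits in triage(EVENTS).items():
        for ev in hits:
            print(f"{kind}: {ev.image} | {ev.cmdline} | {ev.dest_ip}")
```

On the sample data the proxy scan flags the two PowerShell-originated requests, the Node.js check flags the copy running from a temp directory and the one writing into the Startup folder, and only the PowerShell process talking to an address outside the internal ranges is reported as egress. In production the same logic belongs in the web gateway, application-control and host-firewall policies the list above describes; the script only shows what those rules need to match on.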
This cyber campaign against Booking.com partners serves as a stark reminder of the persistent and evolving challenges that the hospitality sector faces in safeguarding its operations against increasingly elaborate cyber threats. Organizations must remain vigilant and proactive in adopting robust security measures to protect their systems and sensitive data.