TonRAT Node.js implant with TON blockchain C2
Malware Activity
Summary
TonRAT is a Node.js implant that resolves its command-and-control endpoints through the TON blockchain API, so the C2 lookup rides on a public API rather than an attacker-owned domain and is harder to block or detect with indicator lists. The activity is tied to hospitality hosts and uses encrypted WebSocket channels for operator tasking, which gives the operator durable control of compromised systems. Delivery runs through photo-themed ZIP files and an LNK-to-PowerShell sequence, which makes the initial-access stage easy to miss.
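The chain described in this summary (and in the Initial Disclosure entry in the timeline) has three host-observable steps: explorer.exe launching a hidden PowerShell from the LNK, a node.exe running from a user-writable directory (the bundled runtime), and that node.exe reaching a TON API host. The following triage script is an added example, not Microsoft's or this page's code; the Sysmon-style event records are constructed for the example, and the TON API hostnames in `TON_API_HOSTS` are an assumption (the page only says "TON blockchain API"). The PowerShell flag heuristics and the standard Node.js install paths are likewise the author's choices, not indicators from the report.

```python
"""Triage heuristics for an LNK -> PowerShell -> bundled node.exe -> TON API chain.

Added example: it runs three rules over constructed Sysmon-style events
(field names mirror Sysmon Event ID 1 process-create and Event ID 3
network-connect; the records themselves are made up for this example).
"""
import re

# ASSUMPTION: public TON API hosts an implant might query for its C2
# lookup. Not from the page, which only names "the TON blockchain API".
TON_API_HOSTS = ("toncenter.com", "tonapi.io")

# ASSUMPTION: where a legitimately installed node.exe lives on Windows.
STANDARD_NODE_DIRS = ("c:\\program files\\nodejs\\",
                      "c:\\program files (x86)\\nodejs\\")

# Flags that hide the console or bypass policy; typical of LNK droppers.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-ep\s+bypass"
    r"|-executionpolicy\s+bypass|-nop(rofile)?\b)", re.I)


def _base(image: str) -> str:
    """Lower-cased file name of a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def lnk_to_powershell(ev: dict) -> bool:
    """Event ID 1: explorer.exe (what runs a double-clicked LNK) starting
    PowerShell with window-hiding or policy-bypass flags."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage", "")) == "explorer.exe"
            and _base(ev.get("Image", "")) in ("powershell.exe", "pwsh.exe")
            and bool(SUSPICIOUS_PS_FLAGS.search(ev.get("CommandLine", ""))))


def rogue_node_runtime(ev: dict) -> bool:
    """Event ID 1: node.exe executing outside the standard install paths,
    e.g. a runtime unpacked next to the lure in a user-writable folder."""
    image = ev.get("Image", "").lower()
    return (ev.get("EventID") == 1 and _base(image) == "node.exe"
            and not image.startswith(STANDARD_NODE_DIRS))


def node_to_ton_api(ev: dict) -> bool:
    """Event ID 3: a non-standard node.exe connecting to a TON API host."""
    image = ev.get("Image", "").lower()
    host = ev.get("DestinationHostname", "").lower()
    return (ev.get("EventID") == 3 and _base(image) == "node.exe"
            and not image.startswith(STANDARD_NODE_DIRS)
            and any(host == h or host.endswith("." + h) for h in TON_API_HOSTS))


RULES = (("lnk_to_powershell", lnk_to_powershell),
         ("rogue_node_runtime", rogue_node_runtime),
         ("node_to_ton_api", node_to_ton_api))


def triage(events: list) -> list:
    """Return (rule_name, ProcessGuid) for every event that trips a rule."""
    return [(name, ev.get("ProcessGuid"))
            for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry: three events of the chain plus two benign ones.
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
USER_NODE = "C:\\Users\\frontdesk\\AppData\\Local\\Temp\\photos\\node.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "p1", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c \"Start-Process " + USER_NODE + "\""},
    {"EventID": 1, "ProcessGuid": "p2", "ParentImage": PS_IMAGE,
     "Image": USER_NODE, "CommandLine": "node.exe app.js"},
    {"EventID": 3, "ProcessGuid": "p2", "Image": USER_NODE,
     "DestinationHostname": "toncenter.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "p3", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": PS_IMAGE, "CommandLine": "powershell.exe Get-Service"},
    {"EventID": 3, "ProcessGuid": "p4", "Image": "C:\\Program Files\\nodejs\\node.exe",
     "DestinationHostname": "registry.npmjs.org", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Each rule is weak on its own (developers run node.exe from odd places, admins run hidden PowerShell), so the useful signal is the sequence: a hit on all three rules sharing a process lineage within a short window. The network rule is the most fragile, since the real implant's exact API hostnames are not given on this page; treat the host list as a placeholder to be replaced with observed indicators.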
Related Happenings
Hotel and hospitality photo-ZIP phishing campaign
Campaign
H score: 40
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
How related:
An active phishing campaign has been targeting hotel and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant and gain a foothold on front-desk machines, Microsoft says.
About this happening:
An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score: 29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
SHub Reaper macOS infostealer variant
Malware Activity
H score: 23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Infinity Stealer macOS infostealer activity
Malware Activity
H score: 29
First: 28.03.2026 16:35
Last: 28.03.2026 16:35
Sources 1
About this happening:
**Infinity Stealer** is a **macOS infostealer** being delivered through a **ClickFix** lure and is able to steal high-value credentials and secrets. The payload is compiled with *...
GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
H score: 35
First: 17.03.2026 23:42
Last: 17.03.2026 23:42
Sources 1
About this happening:
**GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...
Latest development: 28.04.2026 00:41
GlassWorm returned in an OpenVSX supply-chain wave of 73 cloned sleeper extensions that were benign at upload and turned malicious in a later update; six had already been activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, a shift toward submitting innocuous extensions first and introducing the malicious payload later.
Timeline
- 26.06.2026 12:27 · 2 articles
Microsoft warns of photo ZIP phishing campaign targeting hotel organizations
Initial Disclosure: Microsoft warned that an active phishing campaign has targeted hotel and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files, an LNK-to-PowerShell chain, and a bundled Node.js v24.13.0 runtime to run the TonRAT implant; Microsoft said the activity is not attributed and no confirmed data theft, ransomware, or named victims have been reported.
Sources:
- Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant — thehackernews.com — 26.06.2026 12:27