TONResolver RAT Abuses TON Blockchain to Target Japan's Hotel Industry

    Date: 06/30/2026

    Severity: Medium

    Summary

    Attackers are targeting Booking.com partner hotels in Japan with phishing emails whose lures impersonate guest complaints and review requests. Delivery ranges from bulk phishing to interactive Gmail chats in which the attacker builds trust with hotel staff before sending the payload. Staff are tricked into executing a malicious file that deploys the "TONResolver" RAT, which provides initial access and command execution and enables credential theft. TONResolver looks up its current C&C domain through a TON smart contract (the get_domain call on the contract address listed in the IOCs below), so a blocked C&C domain can be replaced on-chain without re-deploying the malware.

    Indicators of Compromise (IOC) List

    Domains/URLs

    photo-2773041.cfd

    photo-1773041.cfd

    photo-4773041.cfd

    photo-3773041.cfd

    photo-1777041.cfd

    photo-2777041.cfd

    photo-3777041.cfd

    photo-4777041.cfd

    photo-1642054.cfd

    photo-11642054.cfd

    photo-21642054.cfd

    photo-31642054.cfd

    photo-41642054.cfd

    photo-5142054.cfd

    photo-5242054.cfd

    photo-5342054.cfd

    photo-5442054.cfd

    photo-5542054.cfd

    photo-5642054.cfd

    photo-1643254.cfd

    photo-1642254.cfd

    photo-1613954.cfd

    photo-1623954.cfd

    photo-1633954.cfd

    photo-1633254.cfd

    photo-1633154.cfd

    photo-2633254.cfd

    photo-2623254.cfd

    photo-2613254.cfd

    photo-2632254.cfd

    photo-2631254.cfd

    photo-2632454.cfd

    photo-1632454.cfd

    photo-3632454.cfd

    photo-6632454.cfd

    photo-4632454.cfd

    photo-7632454.cfd

    photo-8632454.cfd

    photo-332454.cfd

    photo-132454.cfd

    photo-432454.cfd

    photo-232454.cfd

    photo-532454.cfd

    photo-22454.cfd

    photo-52454.cfd

    photo-32454.cfd

    photo-62454.cfd

    photo-12454.cfd

    photo-23454.cfd

    photo-24454.cfd

    photo-21454.cfd

    photo-26454.cfd

    photo-26554.cfd

    photo-26254.cfd

    photo-26654.cfd

    photo-26154.cfd

    photo-26652.cfd

    photo-26653.cfd

    photo-26656.cfd

    photo-26657.cfd

    photo-27657.cfd

    photo-27757.cfd

    photo-dekor.xyz

    photo-22425.xyz

    photo-12425.xyz

    photo-32425.xyz

    photo-225.xyz

    photo-125.xyz

    photo-4425.xyz

    photo-1425.xyz

    photo-33425.xyz

    photo-2425.xyz

    photo-24625.xyz

    photo-14625.xyz

    photo-34625.xyz

    photo-54625.xyz

    photo-51473.xyz

    photo-31473.xyz

    photo-41473.xyz

    photo-21473.xyz

    photo-4512473.xyz

    photo-1512473.xyz

    photo-5512473.xyz

    photo-2512473.xyz

    widjssij728dj.com

    kdslkdkdf932dsf.com

    sdlaksdfk391sla.com

    ajdoqwkd932sak.com

    bsaakdk293sgh.com

    airekcjk832kds.com

    bjsdaklska283saik.com

    hagfids922sa.com

    hafksoawi925ds.com

    havasssj291sld.com

    haddjskak827sja.com

    haskakwo291sa.com

    hakdsiwqs281ks.com

    jsdakksd283ksl.com

    dsjkaksfks324das.com

    photoguestadm.pro

    bookphotogrou.pro

    photbookguest.pro

    guestphotobook.pro

    photoguestbook.pro

    bookfrophoto.pro

    photoforbook.pro

    admbooked.pro

    bookedadmpanel.pro

    photoguesthis.pro

    guestphotohot.pro

    photochanelbook.pro

    bookphotohot.pro

    bookphotoreserv.pro

    photobook-reserv.pro

    bookreservphoto.pro

    reservebookphot.pro

    bokphotofromguest.pro

    guestphotob.pro

    bookaboutphoto.pro

    aboutbookphoto.pro

    https://tonapi.io/v2/blockchain/accounts/0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain

    wss://zloapobikahy23.bond

    wss://tonajukbhuakpo2.shop

    Hash 

    5ec231d3d07530dd4e72127aeed10482d53a9fa6162624b9244ecd7418b73d4c

    9a75e798a71c2541f17102128f7c546288bbd3eb30b6b2b4948b17e73873a510

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "guestphotob.pro" or url like "guestphotob.pro" or siteurl like "guestphotob.pro" or domainname like "photo-5542054.cfd" or url like "photo-5542054.cfd" or siteurl like "photo-5542054.cfd" or domainname like "photobook-reserv.pro" or url like "photobook-reserv.pro" or siteurl like "photobook-reserv.pro" or domainname like "bookreservphoto.pro" or url like "bookreservphoto.pro" or siteurl like "bookreservphoto.pro" or domainname like "photo-4425.xyz" or url like "photo-4425.xyz" or siteurl like "photo-4425.xyz" or domainname like "photo-1632454.cfd" or url like "photo-1632454.cfd" or siteurl like "photo-1632454.cfd" or domainname like "photo-232454.cfd" or url like "photo-232454.cfd" or siteurl like "photo-232454.cfd" or domainname like "photo-26454.cfd" or url like "photo-26454.cfd" or siteurl like "photo-26454.cfd" or domainname like "photo-2633254.cfd" or url like "photo-2633254.cfd" or siteurl like "photo-2633254.cfd" or domainname like "bookfrophoto.pro" or url like "bookfrophoto.pro" or siteurl like "bookfrophoto.pro" or domainname like "photo-332454.cfd" or url like "photo-332454.cfd" or siteurl like "photo-332454.cfd" or domainname like "photo-51473.xyz" or url like "photo-51473.xyz" or siteurl like "photo-51473.xyz" or domainname like "dsjkaksfks324das.com" or url like "dsjkaksfks324das.com" or siteurl like "dsjkaksfks324das.com" or domainname like "widjssij728dj.com" or url like "widjssij728dj.com" or siteurl like "widjssij728dj.com" or domainname like "photoguestbook.pro" or url like "photoguestbook.pro" or siteurl like "photoguestbook.pro" or domainname like "photo-1425.xyz" or url like "photo-1425.xyz" or siteurl like "photo-1425.xyz" or domainname like "photo-41473.xyz" or url like "photo-41473.xyz" or siteurl like "photo-41473.xyz" or domainname like "photo-32425.xyz" or url like "photo-32425.xyz" or siteurl like "photo-32425.xyz" or domainname like "bjsdaklska283saik.com" or url like "bjsdaklska283saik.com" or siteurl like 
"bjsdaklska283saik.com" or domainname like "hafksoawi925ds.com" or url like "hafksoawi925ds.com" or siteurl like "hafksoawi925ds.com" or domainname like "haddjskak827sja.com" or url like "haddjskak827sja.com" or siteurl like "haddjskak827sja.com" or domainname like "photochanelbook.pro" or url like "photochanelbook.pro" or siteurl like "photochanelbook.pro" or domainname like "photo-225.xyz" or url like "photo-225.xyz" or siteurl like "photo-225.xyz" or domainname like "photo-2632254.cfd" or url like "photo-2632254.cfd" or siteurl like "photo-2632254.cfd" or domainname like "photo-24625.xyz" or url like "photo-24625.xyz" or siteurl like "photo-24625.xyz" or domainname like "bookphotoreserv.pro" or url like "bookphotoreserv.pro" or siteurl like "bookphotoreserv.pro" or domainname like "photo-21473.xyz" or url like "photo-21473.xyz" or siteurl like "photo-21473.xyz" or domainname like "photo-26554.cfd" or url like "photo-26554.cfd" or siteurl like "photo-26554.cfd" or domainname like "photo-3777041.cfd" or url like "photo-3777041.cfd" or siteurl like "photo-3777041.cfd" or domainname like "photo-26652.cfd" or url like "photo-26652.cfd" or siteurl like "photo-26652.cfd" or domainname like "photo-1512473.xyz" or url like "photo-1512473.xyz" or siteurl like "photo-1512473.xyz" or domainname like "photo-26154.cfd" or url like "photo-26154.cfd" or siteurl like "photo-26154.cfd" or domainname like "photo-11642054.cfd" or url like "photo-11642054.cfd" or siteurl like "photo-11642054.cfd" or domainname like "photo-5442054.cfd" or url like "photo-5442054.cfd" or siteurl like "photo-5442054.cfd" or domainname like "photo-1633254.cfd" or url like "photo-1633254.cfd" or siteurl like "photo-1633254.cfd" or domainname like "photo-41642054.cfd" or url like "photo-41642054.cfd" or siteurl like "photo-41642054.cfd" or domainname like "photo-5142054.cfd" or url like "photo-5142054.cfd" or siteurl like "photo-5142054.cfd" or domainname like "photo-1633954.cfd" or url like 
"photo-1633954.cfd" or siteurl like "photo-1633954.cfd"

    Detection Query 2 :

    domainname like "admbooked.pro" or url like "admbooked.pro" or siteurl like "admbooked.pro" or domainname like "photo-5342054.cfd" or url like "photo-5342054.cfd" or siteurl like "photo-5342054.cfd" or domainname like "photo-2425.xyz" or url like "photo-2425.xyz" or siteurl like "photo-2425.xyz" or domainname like "photo-26656.cfd" or url like "photo-26656.cfd" or siteurl like "photo-26656.cfd" or domainname like "photo-1777041.cfd" or url like "photo-1777041.cfd" or siteurl like "photo-1777041.cfd" or domainname like "photoguestadm.pro" or url like "photoguestadm.pro" or siteurl like "photoguestadm.pro" or domainname like "photo-26653.cfd" or url like "photo-26653.cfd" or siteurl like "photo-26653.cfd" or domainname like "photo-1623954.cfd" or url like "photo-1623954.cfd" or siteurl like "photo-1623954.cfd" or domainname like "sdlaksdfk391sla.com" or url like "sdlaksdfk391sla.com" or siteurl like "sdlaksdfk391sla.com" or domainname like "ajdoqwkd932sak.com" or url like "ajdoqwkd932sak.com" or siteurl like "ajdoqwkd932sak.com" or domainname like "photo-4777041.cfd" or url like "photo-4777041.cfd" or siteurl like "photo-4777041.cfd" or domainname like "photo-26254.cfd" or url like "photo-26254.cfd" or siteurl like "photo-26254.cfd" or domainname like "photo-dekor.xyz" or url like "photo-dekor.xyz" or siteurl like "photo-dekor.xyz" or domainname like "photo-31642054.cfd" or url like "photo-31642054.cfd" or siteurl like "photo-31642054.cfd" or domainname like "reservebookphot.pro" or url like "reservebookphot.pro" or siteurl like "reservebookphot.pro" or domainname like "photo-1773041.cfd" or url like "photo-1773041.cfd" or siteurl like "photo-1773041.cfd" or domainname like "bsaakdk293sgh.com" or url like "bsaakdk293sgh.com" or siteurl like "bsaakdk293sgh.com" or domainname like "photo-34625.xyz" or url like "photo-34625.xyz" or siteurl like "photo-34625.xyz" or domainname like "guestphotobook.pro" or url like "guestphotobook.pro" or siteurl like 
"guestphotobook.pro" or domainname like "photo-2623254.cfd" or url like "photo-2623254.cfd" or siteurl like "photo-2623254.cfd" or domainname like "photo-8632454.cfd" or url like "photo-8632454.cfd" or siteurl like "photo-8632454.cfd" or domainname like "photo-4632454.cfd" or url like "photo-4632454.cfd" or siteurl like "photo-4632454.cfd" or domainname like "photo-24454.cfd" or url like "photo-24454.cfd" or siteurl like "photo-24454.cfd" or domainname like "photo-31473.xyz" or url like "photo-31473.xyz" or siteurl like "photo-31473.xyz" or domainname like "photo-26654.cfd" or url like "photo-26654.cfd" or siteurl like "photo-26654.cfd" or domainname like "photo-5242054.cfd" or url like "photo-5242054.cfd" or siteurl like "photo-5242054.cfd" or domainname like "haskakwo291sa.com" or url like "haskakwo291sa.com" or siteurl like "haskakwo291sa.com" or domainname like "aboutbookphoto.pro" or url like "aboutbookphoto.pro" or siteurl like "aboutbookphoto.pro" or domainname like "photo-1613954.cfd" or url like "photo-1613954.cfd" or siteurl like "photo-1613954.cfd" or domainname like "photo-2613254.cfd" or url like "photo-2613254.cfd" or siteurl like "photo-2613254.cfd" or domainname like "photo-2777041.cfd" or url like "photo-2777041.cfd" or siteurl like "photo-2777041.cfd" or domainname like "kdslkdkdf932dsf.com" or url like "kdslkdkdf932dsf.com" or siteurl like "kdslkdkdf932dsf.com" or domainname like "photo-5512473.xyz" or url like "photo-5512473.xyz" or siteurl like "photo-5512473.xyz" or domainname like "bookphotogrou.pro" or url like "bookphotogrou.pro" or siteurl like "bookphotogrou.pro" or domainname like "photo-532454.cfd" or url like "photo-532454.cfd" or siteurl like "photo-532454.cfd" or domainname like "photoguesthis.pro" or url like "photoguesthis.pro" or siteurl like "photoguesthis.pro" or domainname like "photo-22454.cfd" or url like "photo-22454.cfd" or siteurl like "photo-22454.cfd" or domainname like "photo-62454.cfd" or url like "photo-62454.cfd" or 
siteurl like "photo-62454.cfd" or domainname like "bookphotohot.pro" or url like "bookphotohot.pro" or siteurl like "bookphotohot.pro" or domainname like "photo-32454.cfd" or url like "photo-32454.cfd" or siteurl like "photo-32454.cfd" or domainname like "photoforbook.pro" or url like "photoforbook.pro" or siteurl like "photoforbook.pro" or domainname like "photo-2631254.cfd" or url like "photo-2631254.cfd" or siteurl like "photo-2631254.cfd" or domainname like "photo-21454.cfd" or url like "photo-21454.cfd" or siteurl like "photo-21454.cfd" or domainname like "photo-125.xyz" or url like "photo-125.xyz" or siteurl like "photo-125.xyz" or domainname like "photo-1642254.cfd" or url like "photo-1642254.cfd" or siteurl like "photo-1642254.cfd" or domainname like "havasssj291sld.com" or url like "havasssj291sld.com" or siteurl like "havasssj291sld.com" or domainname like "photo-7632454.cfd" or url like "photo-7632454.cfd" or siteurl like "photo-7632454.cfd" or domainname like "photo-1633154.cfd" or url like "photo-1633154.cfd" or siteurl like "photo-1633154.cfd" or domainname like "photo-132454.cfd" or url like "photo-132454.cfd" or siteurl like "photo-132454.cfd" or domainname like "photo-2773041.cfd" or url like "photo-2773041.cfd" or siteurl like "photo-2773041.cfd" or domainname like "guestphotohot.pro" or url like "guestphotohot.pro" or siteurl like "guestphotohot.pro" or domainname like "photo-26657.cfd" or url like "photo-26657.cfd" or siteurl like "photo-26657.cfd" or domainname like "photo-1642054.cfd" or url like "photo-1642054.cfd" or siteurl like "photo-1642054.cfd" or domainname like "photbookguest.pro" or url like "photbookguest.pro" or siteurl like "photbookguest.pro" or domainname like "bookedadmpanel.pro" or url like "bookedadmpanel.pro" or siteurl like "bookedadmpanel.pro" or domainname like "photo-52454.cfd" or url like "photo-52454.cfd" or siteurl like "photo-52454.cfd" or domainname like "photo-5642054.cfd" or url like "photo-5642054.cfd" or siteurl 
like "photo-5642054.cfd" or domainname like "photo-33425.xyz" or url like "photo-33425.xyz" or siteurl like "photo-33425.xyz" or domainname like "photo-14625.xyz" or url like "photo-14625.xyz" or siteurl like "photo-14625.xyz" or domainname like "bookaboutphoto.pro" or url like "bookaboutphoto.pro" or siteurl like "bookaboutphoto.pro" or domainname like "photo-3773041.cfd" or url like "photo-3773041.cfd" or siteurl like "photo-3773041.cfd" or domainname like "https://tonapi.io/v2/blockchain/accounts/0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain" or url like "https://tonapi.io/v2/blockchain/accounts/0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain" or siteurl like "https://tonapi.io/v2/blockchain/accounts/0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain" or domainname like "photo-6632454.cfd" or url like "photo-6632454.cfd" or siteurl like "photo-6632454.cfd" or domainname like "photo-12425.xyz" or url like "photo-12425.xyz" or siteurl like "photo-12425.xyz" or domainname like "photo-27657.cfd" or url like "photo-27657.cfd" or siteurl like "photo-27657.cfd" or domainname like "bokphotofromguest.pro" or url like "bokphotofromguest.pro" or siteurl like "bokphotofromguest.pro" or domainname like "photo-1643254.cfd" or url like "photo-1643254.cfd" or siteurl like "photo-1643254.cfd" or domainname like "photo-54625.xyz" or url like "photo-54625.xyz" or siteurl like "photo-54625.xyz" or domainname like "photo-2632454.cfd" or url like "photo-2632454.cfd" or siteurl like "photo-2632454.cfd" or domainname like "photo-27757.cfd" or url like "photo-27757.cfd" or siteurl like "photo-27757.cfd" or domainname like "photo-3632454.cfd" or url like "photo-3632454.cfd" or siteurl like "photo-3632454.cfd" or domainname like "hagfids922sa.com" or url like "hagfids922sa.com" or siteurl like "hagfids922sa.com" or domainname like "photo-2512473.xyz" or url like 
"photo-2512473.xyz" or siteurl like "photo-2512473.xyz" or domainname like "photo-21642054.cfd" or url like "photo-21642054.cfd" or siteurl like "photo-21642054.cfd" or domainname like "photo-22425.xyz" or url like "photo-22425.xyz" or siteurl like "photo-22425.xyz" or domainname like "photo-23454.cfd" or url like "photo-23454.cfd" or siteurl like "photo-23454.cfd" or domainname like "photo-12454.cfd" or url like "photo-12454.cfd" or siteurl like "photo-12454.cfd" or domainname like "airekcjk832kds.com" or url like "airekcjk832kds.com" or siteurl like "airekcjk832kds.com" or domainname like "photo-4512473.xyz" or url like "photo-4512473.xyz" or siteurl like "photo-4512473.xyz" or domainname like "photo-4773041.cfd" or url like "photo-4773041.cfd" or siteurl like "photo-4773041.cfd" or domainname like "hakdsiwqs281ks.com" or url like "hakdsiwqs281ks.com" or siteurl like "hakdsiwqs281ks.com" or domainname like "jsdakksd283ksl.com" or url like "jsdakksd283ksl.com" or siteurl like "jsdakksd283ksl.com" or domainname like "photo-432454.cfd" or url like "photo-432454.cfd" or siteurl like "photo-432454.cfd" or domainname like "wss://zloapobikahy23.bond" or url like "wss://zloapobikahy23.bond" or siteurl like "wss://zloapobikahy23.bond" or domainname like "wss://tonajukbhuakpo2.shop" or url like "wss://tonajukbhuakpo2.shop" or siteurl like "wss://tonajukbhuakpo2.shop"

    Detection Query 3 : 

    sha256hash IN ("9a75e798a71c2541f17102128f7c546288bbd3eb30b6b2b4948b17e73873a510","5ec231d3d07530dd4e72127aeed10482d53a9fa6162624b9244ecd7418b73d4c")
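    The queries above match literal strings against domain and URL fields, and two of the listed indicators need care when they are loaded into other tooling. The wss:// entries and the tonapi.io URL carry a scheme, so a `domainname like "wss://..."` clause only fires if the field actually stores the scheme (the bare hostnames are zloapobikahy23.bond and tonajukbhuakpo2.shop), and tonapi.io is a public TON API, so only the exact get_domain path for the listed contract address is an indicator, not the host. The Python script below is an added example and is not part of the Gurucul advisory or its TDIR queries: it normalises a subset of the IOCs above to bare hosts, adds a regex hunt for the photo-<digits>.cfd/.xyz naming pattern that the listed infrastructure follows (which surfaces sibling domains not yet on the list, at the cost of triage), and runs both, plus the hash check, over a few constructed proxy log lines. The log format, the client IPs, the hosts that do not appear on this page and the verdict labels are assumptions made for the demonstration.

```python
"""Offline IOC matcher for the TONResolver indicators (added example, not Gurucul code)."""
import re
from urllib.parse import urlparse

# Subset of the IOCs from the advisory; the full list loads the same way.
# The tonapi.io URL and the wss:// entries carry a scheme, which a proxy or
# DNS "domainname" field never contains, so normalise() strips it below.
RAW_IOCS = [
    "photo-2773041.cfd",
    "photo-dekor.xyz",
    "widjssij728dj.com",
    "guestphotob.pro",
    "https://tonapi.io/v2/blockchain/accounts/"
    "0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain",
    "wss://zloapobikahy23.bond",
    "wss://tonajukbhuakpo2.shop",
]
HASHES = {
    "5ec231d3d07530dd4e72127aeed10482d53a9fa6162624b9244ecd7418b73d4c",
    "9a75e798a71c2541f17102128f7c546288bbd3eb30b6b2b4948b17e73873a510",
}
# Hunt pattern derived from the listed .cfd/.xyz domains ("photo-" + digits).
# Hits on this pattern are leads for triage, not confirmed IOCs.
HUNT = re.compile(r"^photo-\d+\.(?:cfd|xyz)$")


def normalise(ioc):
    """Return (host, path) for an IOC; path "" means any path on that host."""
    if "://" in ioc:
        u = urlparse(ioc)
        return u.hostname.lower(), u.path
    return ioc.lower(), ""


# host -> set of paths; a "" entry means the whole host is an indicator.
IOC_HOSTS = {}
for _raw in RAW_IOCS:
    _host, _path = normalise(_raw)
    IOC_HOSTS.setdefault(_host, set()).add(_path)


def classify(host, path=""):
    """Verdict for one (host, path) pair seen in telemetry."""
    host = host.lower().rstrip(".")
    paths = IOC_HOSTS.get(host)
    if paths is not None:
        if "" in paths or path in paths:
            return "ioc-match"
        # tonapi.io is a public TON API: a different endpoint on the same host
        # is ordinary TON traffic, worth a look but not an indicator by itself.
        return "ioc-host-other-path"
    if HUNT.match(host):
        return "pattern-hunt"
    return "clean"


def check_hash(sha256_hex):
    """True if a file hash is one of the two TONResolver samples listed above."""
    return sha256_hex.strip().lower() in HASHES


def scan_log(text):
    """Parse constructed proxy lines '<ts> <src-ip> <method> <target>' and
    return (ts, src, host, verdict) for every line that is not clean."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, target = line.split(maxsplit=3)
        if "://" in target:                      # GET https://host/path?query
            u = urlparse(target)
            host, path = u.hostname, u.path      # query string is not compared
        else:                                    # CONNECT host:port
            host, _, _ = target.partition(":")
            path = ""
        verdict = classify(host, path)
        if verdict != "clean":
            hits.append((ts, src, host.lower(), verdict))
    return hits


# Constructed sample log: the IPs, photo-9981234.cfd and the /v2/rates request
# are invented for the demonstration; the other hosts are from the IOC list.
SAMPLE_LOG = """\
2026-06-30T09:12:01Z 10.0.4.21 GET https://photo-2773041.cfd/guest/complaint.zip
2026-06-30T09:12:07Z 10.0.4.21 GET https://tonapi.io/v2/blockchain/accounts/0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain
2026-06-30T09:12:09Z 10.0.4.21 CONNECT zloapobikahy23.bond:443
2026-06-30T09:13:15Z 10.0.4.33 GET https://photo-9981234.cfd/x
2026-06-30T09:14:02Z 10.0.4.40 GET https://tonapi.io/v2/rates?tokens=ton
2026-06-30T09:15:00Z 10.0.4.50 GET https://www.booking.com/
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

    Run against the sample, the first three lines are exact IOC matches (the lure download, the get_domain lookup and the WebSocket C&C connect from the same client), the fourth is a pattern hit to triage, the fifth is flagged only as another path on tonapi.io, and the Booking.com request is dropped. Sequencing the three exact matches from one source within seconds is the behaviour worth alerting on, since each of them alone is a single string match.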

    Reference:    

    https://www.trendmicro.com/en_us/research/26/f/tonresolver.html  


    Tags

    Malware, RAT, Japan, Phishing, Credential Harvesting, Blockchain, Food and Agriculture
