Cybersecurity researchers have identified a malware campaign that uses the TON blockchain, legitimate software, and trusted Windows components to build a resilient command-and-control infrastructure capable of evading conventional security measures. The attackers combine blockchain technology with widely used applications to complicate malware detection and disrupt traditional takedown efforts. This campaign reflects a growing trend in which cybercriminals exploit decentralized technologies and legitimate software ecosystems to create highly resilient malware infrastructure that can withstand domain blocking and traditional security defenses.
The attack begins with phishing emails disguised as booking-related communications. Recipients are directed to a Google Share link that redirects them to a malicious website, where they are prompted to download a ZIP archive either directly or through a ClickFix-style interface. The downloaded archive contains a malicious Windows shortcut (LNK) file disguised as an image by using an icon from the Windows shell32.dll library.
Once the shortcut file is opened, it silently executes an obfuscated PowerShell command. Instead of storing the download domain in plain text, the attackers encode the address as two large numerical values. The embedded PowerShell script reconstructs the malicious domain by performing arithmetic and bitwise operations, making the infrastructure more difficult for security tools to identify during static analysis.
The PowerShell payload then checks whether the Node.js runtime is already installed on the target device. If it is not present, the malware downloads the legitimate Windows version of Node.js from the project's official distribution infrastructure and extracts it into the user's LocalAppData directory. By relying on authentic software components rather than malicious executables alone, the attackers seek to blend their activity with legitimate application behavior and reduce the likelihood of detection.
After installing or locating Node.js, the malware decrypts a JavaScript payload protected with AES-128-CBC encryption and Base64 encoding. The decrypted code is executed through the legitimate Node.js runtime, with the command-and-control configuration supplied as a runtime argument.
Researchers reported that the JavaScript implant had been heavily obfuscated and executed through a custom virtual machine interpreter rather than standard JavaScript. This technique significantly increases the complexity of malware analysis by preventing traditional signature-based security tools from easily identifying malicious code.
The attack uses the TON blockchain as a resilient command-and-control infrastructure, enabling attackers to update malicious instructions without modifying or redistributing malware already installed on compromised systems. Investigators identified several historical command-and-control domains associated with the campaign. However, the malware does not depend exclusively on fixed domains for instructions. Instead, operators can modify blockchain-hosted configuration data whenever infrastructure is blocked, allowing infected systems to retrieve updated command-and-control information without requiring the malware itself to be replaced.
The malware is capable of downloading Windows executables, PowerShell scripts, and additional JavaScript payloads. Before executing downloaded Windows programs, it verifies the Portable Executable (PE) file header, stores the file under a randomly generated name in the temporary directory, and may attempt to add the file path to Microsoft Defender's exclusion list to reduce the chances of detection during execution.
Researchers advised organizations to remain vigilant against phishing campaigns using travel and booking-related themes, particularly emails containing Google Share links that redirect users to suspicious downloads. They also recommended monitoring ZIP archives containing LNK shortcut files disguised as images, as well as unexpected PowerShell activity and unauthorized Node.js installations on enterprise systems.
What is the TON blockchain used for in this malware campaign?
The TON blockchain is used as a resilient command-and-control infrastructure that enables attackers to update malicious instructions without modifying or redistributing malware already installed on compromised systems. Operators can modify blockchain-hosted configuration data whenever infrastructure is blocked, allowing infected systems to retrieve updated command-and-control information.
How does the malware disguise itself as legitimate software?
The malware downloads the legitimate Windows version of Node.js from the project's official distribution infrastructure and executes encrypted JavaScript payloads through the authentic Node.js runtime. By relying on trusted software components and Windows utilities, the attackers blend their activity with legitimate application behavior to reduce the likelihood of detection by security tools.
Related News
NEC Partners Ava Labs on Blockchain Facial ID Platform for Japan Visitors
Tel Aviv University uncovers HalluSquatting attack, where AI hallucinations can be exploited to build botnets.
Oceanus Chain Launches DeFi and AI Ecosystem with OCS Token Presale
Crypto Firms Develop Quantum-Resistant Plans as Google Warns of 2029 Threat
Ethereum Smart Contracts Power Magecart Skimming Campaign