Cybersecurity researchers have identified a malware campaign that leverages the TON blockchain, legitimate software, and trusted Windows components to create a resilient command-and-control (C2) infrastructure capable of evading conventional security measures. The campaign demonstrates how threat actors are increasingly combining blockchain technology with widely used applications to complicate malware detection and disrupt traditional takedown efforts.
The attack uses the TON blockchain as a resilient command-and-control infrastructure, enabling attackers to update malicious instructions without modifying or redistributing malware already installed on compromised systems.
According to researchers, the attack begins with phishing emails disguised as booking-related communications. Recipients are directed to a Google Share link that redirects them to a malicious website, where they are prompted to download a ZIP archive either directly or through a ClickFix-style interface. The downloaded archive contains a malicious Windows shortcut (LNK) file disguised as an image by using an icon from the Windows shell32.dll library.
Once the shortcut file is opened, it silently executes an obfuscated PowerShell command. Instead of storing the download domain in plain text, the attackers encode the address as two large numerical values. The embedded PowerShell script reconstructs the malicious domain by performing arithmetic and bitwise operations, making the infrastructure more difficult for security tools to identify during static analysis.
The PowerShell payload then checks whether the Node.js runtime is already installed on the target device. If it is not present, the malware downloads the legitimate Windows version of Node.js from the project’s official distribution infrastructure and extracts it into the user’s LocalAppData directory. By relying on authentic software components rather than malicious executables alone, the attackers seek to blend their activity with legitimate application behavior and reduce the likelihood of detection.
Obfuscated JavaScript payload increases analysis complexity
After installing or locating Node.js, the malware decrypts a JavaScript payload protected with AES-128-CBC encryption and Base64 encoding. The decrypted code is executed through the legitimate Node.js runtime, with the command-and-control configuration supplied as a runtime argument.
Researchers reported that the JavaScript implant had been heavily obfuscated and executed through a custom virtual machine interpreter rather than standard JavaScript. This technique significantly increases the complexity of malware analysis by preventing traditional signature-based security tools from easily identifying malicious code.
Investigators also identified several historical command-and-control domains associated with the campaign. However, the malware does not depend exclusively on fixed domains for instructions. Instead, operators can modify blockchain-hosted configuration data whenever infrastructure is blocked, allowing infected systems to retrieve updated command-and-control information without requiring the malware itself to be replaced.
By combining trusted Windows components, legitimate Node.js software, PowerShell, and blockchain-hosted command-and-control data, the attackers create a flexible malware framework that is more resistant to conventional security defenses.
The malware is capable of downloading Windows executables, PowerShell scripts, and additional JavaScript payloads. Before executing downloaded Windows programs, it verifies the Portable Executable (PE) file header, stores the file under a randomly generated name in the temporary directory, and may attempt to add the file path to Microsoft Defender’s exclusion list to reduce the chances of detection during execution.
Security recommendations
Researchers advised organizations to remain vigilant against phishing campaigns using travel and booking-related themes, particularly emails containing Google Share links that redirect users to suspicious downloads. They also recommended monitoring ZIP archives containing LNK shortcut files disguised as images, as well as unexpected PowerShell activity and unauthorized Node.js installations on enterprise systems.
The findings highlight a growing trend in which cybercriminals are exploiting blockchain technology and legitimate software ecosystems to build highly resilient malware infrastructure that can withstand domain blocking and traditional takedown efforts.
The campaign underscores the evolving tactics used by cybercriminals as they increasingly integrate decentralized technologies into malware operations, creating additional challenges for defenders attempting to detect, analyze, and disrupt sophisticated cyber threats.







