Advertise
CoinTrust
BTC
ETH
BCH
SOL
DOGE
SHIB
  • News
  • Bitcoin
  • Ethereum
  • Altcoin
  • Market Cap
  • Learn
    • Buying Crypto
    • Crypto Mining
    • Crypto Exchanges
    • Knowledge
  • Crypto Casinos
    • Bitcoin Casinos
    • New Crypto Casinos
    • No KYC Crypto Casinos
    • Anonymous Crypto Casinos
    • VPN Friendly Crypto Casinos
    • Bitcoin Poker
    • Crypto Poker
    • Bitcoin Bingo
    • USDT Casinos
    • Offshore Online Casinos
    • Bitcoin Betting Sites
    • Crypto Sports Betting
    • Reddit’s Best Bitcoin and Crypto Casinos
No Result
View All Result
CoinTrust
  • News
  • Bitcoin
  • Ethereum
  • Altcoin
  • Market Cap
  • Learn
    • Buying Crypto
    • Crypto Mining
    • Crypto Exchanges
    • Knowledge
  • Crypto Casinos
    • Bitcoin Casinos
    • New Crypto Casinos
    • No KYC Crypto Casinos
    • Anonymous Crypto Casinos
    • VPN Friendly Crypto Casinos
    • Bitcoin Poker
    • Crypto Poker
    • Bitcoin Bingo
    • USDT Casinos
    • Offshore Online Casinos
    • Bitcoin Betting Sites
    • Crypto Sports Betting
    • Reddit’s Best Bitcoin and Crypto Casinos
No Result
View All Result
CoinTrust
No Result
View All Result

Home » Hackers Use TON Blockchain to Evade Malware Detection

Hackers Use TON Blockchain to Evade Malware Detection

Researchers uncover blockchain-powered command-and-control campaign

Kelly Cromley by Kelly Cromley
Jul 10, 2026
in Market News, News
Reading Time: 3 mins read
0
The Open Network (TON)

Cybersecurity researchers have identified a malware campaign that leverages the TON blockchain, legitimate software, and trusted Windows components to create a resilient command-and-control (C2) infrastructure capable of evading conventional security measures. The campaign demonstrates how threat actors are increasingly combining blockchain technology with widely used applications to complicate malware detection and disrupt traditional takedown efforts.

The attack uses the TON blockchain as a resilient command-and-control infrastructure, enabling attackers to update malicious instructions without modifying or redistributing malware already installed on compromised systems.

According to researchers, the attack begins with phishing emails disguised as booking-related communications. Recipients are directed to a Google Share link that redirects them to a malicious website, where they are prompted to download a ZIP archive either directly or through a ClickFix-style interface. The downloaded archive contains a malicious Windows shortcut (LNK) file disguised as an image by using an icon from the Windows shell32.dll library.

Once the shortcut file is opened, it silently executes an obfuscated PowerShell command. Instead of storing the download domain in plain text, the attackers encode the address as two large numerical values. The embedded PowerShell script reconstructs the malicious domain by performing arithmetic and bitwise operations, making the infrastructure more difficult for security tools to identify during static analysis.

The PowerShell payload then checks whether the Node.js runtime is already installed on the target device. If it is not present, the malware downloads the legitimate Windows version of Node.js from the project’s official distribution infrastructure and extracts it into the user’s LocalAppData directory. By relying on authentic software components rather than malicious executables alone, the attackers seek to blend their activity with legitimate application behavior and reduce the likelihood of detection.

Obfuscated JavaScript payload increases analysis complexity

After installing or locating Node.js, the malware decrypts a JavaScript payload protected with AES-128-CBC encryption and Base64 encoding. The decrypted code is executed through the legitimate Node.js runtime, with the command-and-control configuration supplied as a runtime argument.

Researchers reported that the JavaScript implant had been heavily obfuscated and executed through a custom virtual machine interpreter rather than standard JavaScript. This technique significantly increases the complexity of malware analysis by preventing traditional signature-based security tools from easily identifying malicious code.

Investigators also identified several historical command-and-control domains associated with the campaign. However, the malware does not depend exclusively on fixed domains for instructions. Instead, operators can modify blockchain-hosted configuration data whenever infrastructure is blocked, allowing infected systems to retrieve updated command-and-control information without requiring the malware itself to be replaced.

By combining trusted Windows components, legitimate Node.js software, PowerShell, and blockchain-hosted command-and-control data, the attackers create a flexible malware framework that is more resistant to conventional security defenses.

The malware is capable of downloading Windows executables, PowerShell scripts, and additional JavaScript payloads. Before executing downloaded Windows programs, it verifies the Portable Executable (PE) file header, stores the file under a randomly generated name in the temporary directory, and may attempt to add the file path to Microsoft Defender’s exclusion list to reduce the chances of detection during execution.

Security recommendations

Researchers advised organizations to remain vigilant against phishing campaigns using travel and booking-related themes, particularly emails containing Google Share links that redirect users to suspicious downloads. They also recommended monitoring ZIP archives containing LNK shortcut files disguised as images, as well as unexpected PowerShell activity and unauthorized Node.js installations on enterprise systems.

The findings highlight a growing trend in which cybercriminals are exploiting blockchain technology and legitimate software ecosystems to build highly resilient malware infrastructure that can withstand domain blocking and traditional takedown efforts.

The campaign underscores the evolving tactics used by cybercriminals as they increasingly integrate decentralized technologies into malware operations, creating additional challenges for defenders attempting to detect, analyze, and disrupt sophisticated cyber threats.

Previous Post

Japan’s NEC Partners Ava Labs on Blockchain Facial ID Platform

Next Post

Visa, M-Pesa Pilot Stablecoin Cross-Border Payments in Africa

Related Posts

HSBC

HSBC Completes First Blockchain Tokenized Structured Notes

by Kelly Cromley
Jul 10, 2026
0

HSBC has completed its first blockchain-based issuance of a digitally native structured product, marking another step in the bank's digital...

Visa

Visa, M-Pesa Pilot Stablecoin Cross-Border Payments in Africa

by Kelly Cromley
Jul 10, 2026
0

Global payments company Visa has partnered with Safaricom's M-Pesa and pan-African payments network Onafriq to launch a live stablecoin pilot...

Ava Labs

Japan’s NEC Partners Ava Labs on Blockchain Facial ID Platform

by Kelly Cromley
Jul 10, 2026
0

NEC announced on July 10 that it had signed a memorandum of understanding with Ava Labs, the developer of the...

singapore

AI and Blockchain Bring Verified Musang King Durians to Singapore

by Kelly Cromley
Jul 10, 2026
0

Singapore consumers purchasing premium Musang King durians will soon be able to verify the authenticity and origin of every fruit...

Cosmos

Cosmos Partners With Peersyst to Expand Blockchain Infrastructure

by Kelly Cromley
Jul 10, 2026
0

Cosmos (ATOM), the open-source blockchain ecosystem recognized for its interoperability framework, has entered into a formal partnership with Spanish technology...

memetoro

MemeToro Expands AI Blockchain Ecosystem on BNB Chain

by Kelly Cromley
Jul 10, 2026
0

MemeToro has announced plans to expand its blockchain ecosystem on the BNB Chain, with the project aiming to broaden its...

Next Post
Visa

Visa, M-Pesa Pilot Stablecoin Cross-Border Payments in Africa

  • Collé Ai

    Collé: Pioneering AI Web3 Platform Receives Investment Boost from BlackRock

    by Kelly Cromley
    May 13, 2024
  • Router Protocol and OpenWorldSwap Partnership to Revolutionize DEX Market

    by Kelly Cromley
    Aug 6, 2024
  • SmarTrust Brings Blockchain-Powered Escrow to Freelancers

    by Kelly Cromley
    May 1, 2025
  • Hyper Foundation Launched to Boost Hyperliquid Blockchain Development

    by Kelly Cromley
    Oct 15, 2024
  • Blockchain Based Sports Platform SportsMint Unveiled

    by Kelly Cromley
    Apr 30, 2024

Recent News

HSBC
Market News

HSBC Completes First Blockchain Tokenized Structured Notes

by Kelly Cromley
Jul 10, 2026
Visa
Market News

Visa, M-Pesa Pilot Stablecoin Cross-Border Payments in Africa

by Kelly Cromley
Jul 10, 2026
The Open Network (TON)
Market News

Hackers Use TON Blockchain to Evade Malware Detection

by Kelly Cromley
Jul 10, 2026
Ava Labs
Market News

Japan’s NEC Partners Ava Labs on Blockchain Facial ID Platform

by Kelly Cromley
Jul 10, 2026
singapore
Market News

AI and Blockchain Bring Verified Musang King Durians to Singapore

by Kelly Cromley
Jul 10, 2026

Categories

  • Altcoin News
  • Analysis News
  • Binance Coin News
  • Bitcoin News
  • Blog
  • Cardano News
  • Ethereum News
  • ICO News
  • Legislation News
  • Market Forecasts
  • Market News
  • News
  • Ripple News
  • Solana News
  • Tether News
  • XRP
Trustpilot

Cointrust

  • About Us
  • Contact Us
  • Correction Request
  • Our Team

Legal

  • Disclaimer
  • Terms & Conditions
  • Privacy Policy
  • Cookie Policy

Popular

  • ICO Listings
  • Knowledge Base
  • All about Mining
  • Cryptocurrency Exchanges
  • How and Where to buy Cryptocurrency

Sitemap

  • News section
  • Sitemap
  • XML Sitemap

© 2024 CoinTrust.com.

CoinTrustCoinTrust

* DISCLAIMER: All information provided in CoinTrust is merely for informational purposes, we are not an investment advisor and not affiliated with any companies or ICO/Cryptocurrency Projects. To use this website you must accept our cookie policy, Disclaimer and Privacy Policies.

No Result
View All Result
  • News
  • Bitcoin
  • Ethereum
  • Altcoin
  • Market Cap
  • Learn
    • Buying Crypto
    • Crypto Mining
    • Crypto Exchanges
    • Knowledge
  • Crypto Casinos
    • Bitcoin Casinos
    • New Crypto Casinos
    • No KYC Crypto Casinos
    • Anonymous Crypto Casinos
    • VPN Friendly Crypto Casinos
    • Bitcoin Poker
    • Crypto Poker
    • Bitcoin Bingo
    • USDT Casinos
    • Offshore Online Casinos
    • Bitcoin Betting Sites
    • Crypto Sports Betting
    • Reddit’s Best Bitcoin and Crypto Casinos

© 2024 CoinTrust.com.

We use cookies to ensure that we give you the best experience on our website.
If you continue to use this site you agree to allow us to use cookies, in accordance with our Cookie Policy.