Threats Vulnerabilities

New TonRAT Phishing Attack Abuses Calendly & Google Links

Written by Nandini G Dyavanagowdra | Jul 8, 2026 7:19:29 AM

Observation Summary

ProArch SOC has observed an active phishing campaign delivering the TonRAT remote access trojan (RAT) by abusing trusted services including Calendly email notifications and Google redirect links.

The campaign usessocial engineering and authentication laundering to make phishing emails appear legitimate. Victims are redirected through multiple trusted services before downloading a malicious ZIP archive containing a disguised Windows shortcut (.LNK) file. Once executed, the malware installs a Node.js-based implant that provides persistent remote access to compromised systems.

Because the attack abuses legitimate platforms, it may bypass traditional email and web reputation controls.

How Does the TonRAT Phishing Campaign Work?

Step 1: Phishing Emails Create Urgency
Phishing emails impersonate customer facing communications such as guest complaints, inquiries, reviews, booking-related messages, health inspections, and service notifications. These types of emails create urgency and increase the likelihood of user interaction.

Step 2: Trusted Services Increase Credibility
Attackers abuse legitimate services, including Calendly email notifications and Google redirect functionality, to increase trust and bypass traditional email and web filtering mechanisms.

The campaign leverages authentication laundering, allowing malicious emails to pass SPF, DKIM, and DMARC validation checks while delivering attacker-controlled links.

Step 3: Multiple Redirects Hide the Final Destination
Victims are redirected through a multi-hop chain consisting of Calendly URLs, Google Share links, Google redirect services, and Cloudflare-protected .cfd domains. The final landing pages are gated behind Cloudflare Turnstile challenges before payload delivery

Step 4: ZIP Archive Delivers the Malware
The malicious websites host photo-themed ZIP archives containing Windows shortcut (.LNK) files disguised as image files.

When opened, the shortcut triggers heavily obfuscated PowerShell commands that decode and retrieve additional payloads.

Step 5: TonRAT Establishes Persistence
The PowerShell payload downloads and stages a legitimate Node.js runtime in user-writable directories before executing the TonRAT JavaScript implant.

TonRAT establishes persistence through multiple registry-based mechanisms, increasing resilience against remediation efforts.

The malware communicates over encrypted WebSocket connections and may leverage the TON API to dynamically resolve command-and-control (C2) infrastructure, complicating traditional network based detection efforts.

Post compromise activity may include

  • headless browser automation
  • geolocation checks
  • forced system shutdown commands, and malware staging activities

Why Is This Campaign Dangerous?

A successful compromise may allow attacker-operated TonRAT implants to:

  • Maintain persistent access
  • Conduct system reconnaissance
  • Steal credentials
  • Deploy additional malware
  • Enable lateral movement within the environment

The abuse of trusted services significantly increases the likelihood of user interaction and may reduce the effectiveness of traditional reputation-based security controls.

How Can Organizations Detect or Reduce Risk?

Strengthen User Awareness
Educate users to verify unexpected emails containing complaints, inquiries, reviews, inspection notices, booking requests, or file download requests, even when they appear to originate from trusted platforms such as Calendly.

Monitor Suspicious File Activity
Block or monitor ZIP archives containing .LNK shortcuts and prevent execution of .LNK files from Downloads, Temp, email, or other user-writable locations.

Detect PowerShell Abuse
Monitor PowerShell activity for obfuscation techniques, script-based downloads, and execution from unusual parent processes.

Monitor Unexpected Node.js Execution
Investigate unexpected execution of Node.js (node.exe) from AppData, Temp, Downloads, or other user writable directories.

Watch for Persistence Techniques
Monitor for Registry Run and RunOnce key modifications associated with persistence mechanisms.

Investigate Suspicious System Activity
Investigate browser automation activity (–headless, –no-sandbox) and unexpected system management actions such as shutdown commands originating from PowerShell or Node.js processes.

Monitor Network Indicators

  • Monitor and block connections to suspicious or newly registered .cfd domains.
  • Additionally, monitor network traffic for unusual outbound connections on ports 8443, 8445, 8453, 5555, and 56001–56003, as well as potential WebSocket-based C2 communications.

ProArch's MDR service continuously monitors these network indicators and known TonRAT infrastructure for early detection