Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

March 13, 2025, 6:59 p.m.

Description

A phishing campaign targeting the hospitality industry impersonates Booking.com to deliver multiple credential-stealing malware families. The campaign is attributed to the threat actor tracked as Storm-1865 and relies on a social engineering technique called ClickFix: targets receive emails with links to fake Booking.com pages that, under the pretext of fixing an error or completing a verification step, instruct the user to copy a command and run it themselves, and that command downloads the malware. Because the victim launches the command rather than a browser download, the technique sidesteps controls that would catch an automatically delivered payload. Observed payloads include XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT, a mix of remote access trojans and information stealers. Targeted organizations are located in North America, Oceania, Asia, and Europe. The actor's evolving tactics reflect ongoing attempts to bypass conventional security measures.
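The following script is an added example and is not part of the original report. It matches the hashes, IP addresses and domains from the Indicators section below against log lines (DNS, proxy and EDR events constructed here for illustration) and additionally flags lookalike domains, since the two domains on this page imitate microsoft.com by the "rn" for "m" and "0" for "o" substitutions. The brand watchlist and the log format are assumptions for the example.

```python
"""Scan log lines for the Storm-1865 indicators listed on this page.

Added example, not from the original report. SAMPLE_LOGS is constructed
for illustration; the hash, IP and domain sets are the page's indicators.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators as listed on this page.
SHA256_IOCS = {
    "01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6",
    "f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e",
    "0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d",
}
IP_IOCS = {
    "87.121.221.124", "31.177.110.99", "92.255.57.155", "185.149.146.164",
    "185.7.214.54", "176.113.115.225", "176.113.115.170", "147.45.44.131",
}
DOMAIN_IOCS = {"rnicrosoft.com", "micros0ft.com"}

# Hypothetical brand watchlist for lookalike detection (assumption, not from the report).
BRAND_DOMAINS = {"microsoft.com", "booking.com"}

# Visual substitutions commonly used in lookalike domains; applied left to right.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Last label must be alphabetic, so dotted IPs are not picked up as domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def skeleton(domain: str) -> str:
    """Collapse homoglyph substitutions, e.g. 'micros0ft.com' -> 'microsoft.com'."""
    s = domain.lower()
    for bad, good in _HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def lookalike_of(domain: str) -> Optional[str]:
    """Return the brand domain this name imitates, or None for exact brand hosts and unrelated names."""
    d = domain.lower()
    # Genuine brand hosts (and their subdomains) are excluded before normalising.
    if d in BRAND_DOMAINS or any(d.endswith("." + b) for b in BRAND_DOMAINS):
        return None
    sk = skeleton(d)
    for brand in BRAND_DOMAINS:
        if sk == brand or sk.endswith("." + brand):
            return brand
    return None


@dataclass
class Hit:
    line_no: int
    kind: str       # "sha256", "ip", "domain" or "lookalike"
    value: str
    note: str = ""


def scan(lines: List[str]) -> List[Hit]:
    """Return every indicator or lookalike-domain match, in line order."""
    hits: List[Hit] = []
    for i, line in enumerate(lines, 1):
        for h in SHA256_RE.findall(line):
            if h.lower() in SHA256_IOCS:
                hits.append(Hit(i, "sha256", h.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in IP_IOCS:
                hits.append(Hit(i, "ip", ip))
        for dom in DOMAIN_RE.findall(line):
            dl = dom.lower()
            if dl in DOMAIN_IOCS:
                hits.append(Hit(i, "domain", dl))
            else:
                brand = lookalike_of(dl)
                if brand:
                    hits.append(Hit(i, "lookalike", dl, f"imitates {brand}"))
    return hits


# Constructed sample telemetry, not real logs.
SAMPLE_LOGS = [
    "2025-03-12T09:14:02Z dns query client=10.0.4.21 qname=rnicrosoft.com type=A",
    "2025-03-12T09:14:03Z proxy client=10.0.4.21 dst=185.149.146.164:443 method=GET url=https://rnicrosoft.com/update",
    "2025-03-12T09:14:09Z edr host=FRONTDESK-07 file_created path=C:\\Users\\guest\\AppData\\Local\\Temp\\update.exe "
    "sha256=0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d",
    "2025-03-12T09:15:44Z dns query client=10.0.4.33 qname=microsoft.com type=A",
    "2025-03-12T09:16:10Z dns query client=10.0.4.33 qname=b00king.com type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value} {hit.note}".rstrip())
```

The exact-match sets catch the published indicators; the skeleton check catches the next registration of the same lure (b00king.com in the constructed sample) that an indicator feed would miss. Genuine brand subdomains are excluded before normalisation so that a legitimate host such as learn.microsoft.com is not reported when "rn" is folded into "m".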

Date

  • Created: March 13, 2025, 4:57 p.m.
  • Published: March 13, 2025, 4:57 p.m.
  • Modified: March 13, 2025, 6:59 p.m.

Indicators

  • SHA-256: 01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6
  • SHA-256: f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e
  • SHA-256: 0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d
  • IPv4: 87.121.221.124
  • IPv4: 31.177.110.99
  • IPv4: 92.255.57.155
  • IPv4: 185.149.146.164
  • IPv4: 185.7.214.54
  • IPv4: 176.113.115.225
  • IPv4: 176.113.115.170
  • IPv4: 147.45.44.131
  • Domain: rnicrosoft.com (lookalike of microsoft.com; "rn" mimics "m")
  • Domain: micros0ft.com (lookalike of microsoft.com; digit zero in place of "o")

Attack Patterns

  • Danabot (malware)
  • Lumma stealer (malware)
  • VenomRAT (malware)
  • NetSupport RAT (malware)
  • XWorm (malware)
  • AsyncRAT (malware)
  • Storm-1865 (threat actor)
  • T1119 Automated Collection
  • T1012 Query Registry
  • T1114 Email Collection
  • T1555 Credentials from Password Stores
  • T1113 Screen Capture
  • T1123 Audio Capture
  • T1005 Data from Local System
  • T1016 System Network Configuration Discovery
  • T1559 Inter-Process Communication
  • T1547 Boot or Logon Autostart Execution
  • T1082 System Information Discovery
  • T1057 Process Discovery
  • T1083 File and Directory Discovery
  • T1543 Create or Modify System Process
  • T1204 User Execution
  • T1033 System Owner/User Discovery
  • T1112 Modify Registry
  • T1056 Input Capture
  • T1566 Phishing
  • T1059 Command and Scripting Interpreter

Additional Information

  • Hospitality
  • United States of America