Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

April 14, 2025, 11:28 a.m.

Description

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Booking.com in North America, Oceania, Asia, and Europe. The attack uses fake emails and webpages to trick users into executing malicious commands, leading to the download of various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. The campaign aims to steal financial data and credentials for fraudulent use, showing an evolution in the threat actor's tactics to bypass conventional security measures.

External References

https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware
https://otx.alienvault.com/pulse/67fb93e8ebc93d6ded395f39
Tags
xworm
phishing
social engineering
lumma stealer
asyncrat
danabot
venomrat
clickfix
netsupport rat
booking.com
2025-03-13
credential-stealing
2025-04-13

Date

  • Created: April 13, 2025, 10:37 a.m.
  • Published: April 13, 2025, 10:37 a.m.
  • Modified: April 14, 2025, 11:28 a.m.

Attack Patterns

  • Danabot
  • Lumma Stealer
  • VenomRAT
  • NetSupport RAT
  • XWorm
  • AsyncRAT
  • Storm-1865

Additional Informations

  • Hospitality