Pulse: Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware
TLP: WHITE | Adversary: Storm-1865 | Author: AlienVault | Created: 2025-03-13 | Modified: 2025-04-12 | Indicators of Compromise: 9
A phishing campaign targeting the hospitality industry impersonates Booking.com to deliver multiple families of credential-stealing malware. The campaign, attributed to the threat actor tracked as Storm-1865, uses a social engineering technique called ClickFix to trick users into downloading malicious payloads. Targets receive emails with links to fake Booking.com pages, which prompt them to execute commands that download malware. The campaign delivers several malware families, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Organizations in North America, Oceania, Asia, and Europe are targeted. The threat actor's evolving tactics demonstrate attempts to bypass conventional security measures.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse
Malware families: XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, NetSupport RAT
Indicators of Compromise (9)
Type             Indicator                                                          Created
FileHash-MD5     807fc3c4cee4afeac7db058f7f26530a                                   2025-03-13
FileHash-MD5     bd480b82bb87e008bf26b5a9590539ca                                   2025-03-13
FileHash-SHA1    a7e80092743e6bdb4ad67328a00edcaedec7b04e                           2025-03-13
FileHash-SHA1    f03eedfd45aa93fa147c4f7ae85cd643ce34f5c4                           2025-03-13
FileHash-SHA256  01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6   2025-03-13
FileHash-SHA256  0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d   2025-03-13
FileHash-SHA256  f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e   2025-03-13
domain           micros0ft.com                                                      2025-03-13
domain           rnicrosoft.com                                                     2025-03-13
No description is recorded for any indicator in this pulse.