Booking.com Phishing Campaign Targeting Hotels and Customers
WHITE AlienVault 2025-11-07 Modified: 2025-12-07
109 IOCs (high volume)
A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduct fraudulent schemes against hotel guests, tricking them into paying twice for their reservations. The campaign employs spear-phishing emails impersonating Booking.com, redirecting victims to malicious sites using the ClickFix social engineering tactic. The attackers leverage a complex infrastructure including compromised legitimate websites, traffic distribution systems, and bulletproof hosting. This operation is part of a broader cybercrime ecosystem targeting booking platforms, with various specialized services being offered on underground forums to facilitate these attacks.
Indicators of Compromise (109)