PULSE NAME
IOC - Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers
WHITE celestre 2025-11-11 Modified: 2025-12-11
103 IOCs
HIGH VOLUME
A Sekoia partner recently reported a phishing campaign targeting hospitality industry customers worldwide. The campaign was observed to involve either emails sent from a hotel’s compromised Booking.com account or messages distributed via WhatsApp. This activity proved particularly effective because the threat actor possessed customer data, including personal identifiers and reservation details, which further increased the credibility of the phishing attempts.
Indicators of Compromise (103)