PULSE NAME
IOC - Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers
WHITE celestre 2025-11-11 Modified: 2025-12-11
103 IOCs (HIGH VOLUME)
A Sekoia partner recently reported a phishing campaign targeting hospitality industry customers worldwide. The campaign was observed to involve either emails sent from a hotel’s compromised Booking.com account or messages distributed via WhatsApp. This activity proved particularly effective because the threat actor possessed customer data, including personal identifiers and reservation details, which further increased the credibility of the phishing attempts.
Indicators of Compromise (3 / 103 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 32108a830908f88f9949d6c0cbbaea2e MD5 of 5301f5a3fb8649edb0a5768661d197f872d40cfe7b8252d482827ea27077c1ec 2025-11-11
FileHash-MD5 51b0c87f9956b1c0a2a9288682cfdbae MD5 of 64838e0a3e2711b62c4f0d2db5a26396ac7964e31500dbb8e8b1049495b5d1f3 2025-11-11
FileHash-MD5 a3cc88c9d37b9007e5b6d3446bf9e1e4 MD5 of 703355e8e93f30df19f7f7b8800bd623f1aee1f020c43a4a1e11e121c53b5dd1 2025-11-11