{ "type": "Domain", "indicator": "breserve-custommessagehelp.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/breserve-custommessagehelp.com", "alexa": "http://www.alexa.com/siteinfo/breserve-custommessagehelp.com", "indicator": "breserve-custommessagehelp.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4074006626, "indicator": "breserve-custommessagehelp.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6966a130c50513e1e22f9582", "name": "Booking.com Phishing Campaign Targeting Hotels and Customers", "description": "A sophisticated phishing campaign targeting the hospitality industry has been uncovered, compromising hotel administrators' Booking.com accounts to defraud customers. The attack chain begins with spear-phishing emails impersonating Booking.com, leading to malware infection via the ClickFix social engineering tactic. The malware, identified as PureRAT, allows attackers to steal credentials and access booking platforms. Compromised accounts are then used to send fraudulent messages to hotel guests, tricking them into paying for their reservations a second time. The cybercrime ecosystem supporting these attacks includes services for harvesting hotel administrator contacts, distributing phishing emails, and trading stolen Booking.com account credentials on underground forums.", "modified": "2026-02-12T19:04:25.334000", "created": "2026-01-13T19:46:56.899000", "tags": [ "purerat", "credential theft", "cybercrime", "phishing", "clickfix", "booking.com", "hospitality" ], "references": [ "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PureRAT", "display_name": "PureRAT", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 50, "domain": 66, "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 4 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 386709, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690dba690d5c272baae78d78", "name": "Booking.com Phishing Campaign Targeting Hotels and Customers", "description": "A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduct fraudulent schemes against hotel guests, tricking them into paying twice for their reservations. The campaign employs spear-phishing emails impersonating Booking.com, redirecting victims to malicious sites using the ClickFix social engineering tactic. The attackers leverage a complex infrastructure including compromised legitimate websites, traffic distribution systems, and bulletproof hosting. This operation is part of a broader cybercrime ecosystem targeting booking platforms, with various specialized services being offered on underground forums to facilitate these attacks.", "modified": "2025-12-07T09:00:34.797000", "created": "2025-11-07T09:22:49.812000", "tags": [ "phishing", "social engineering", "clickfix", "hospitality", "booking.com", "purerat", "cybercrime" ], "references": [ "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PureRAT", "display_name": "PureRAT", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 66, "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 28, "hostname": 2 }, "indicator_count": 109, "is_author": false, "is_subscribing": null, "subscriber_count": 386710, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69665d5c109a09813bce8749", "name": "Booking.com Phishing Campaign Targeting Hotels and Customers - Sekoia.io Blog", "description": "A new report from cybersecurity firm Sekoia.io examines a sophisticated phishing campaign targeting Booking.com and its customers around the world, as well as the impact of infostealing malware.", "modified": "2026-02-12T14:01:38.116000", "created": "2026-01-13T14:57:32.880000", "tags": [ "purerat", "clickfix", "booking", "powershell", "zip archive", "run registry", "october", "sekoia soc", "ip address", "c2 server", "facebook", "malicious", "april", "date", "refresh", "quirkyloader", "purecrypter", "twitter", "cluster", "clearfake", "malware", "threat" ], "references": [ "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/" ], "public": 1, "adversary": "Threat", "targeted_countries": [], "malware_families": [ { "id": "PureRAT", "display_name": "PureRAT", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Hospitality", "Hotel", "Banking" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 28, "domain": 70, "hostname": 2 }, "indicator_count": 113, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694c0be21992e1c8f5d39e53", "name": "B2B2C Supply Chain Attack: Hotels Booking Accounts Compromised to Target Customers", "description": "Since May 2025, a cyber threat actor has been engaged in a B2B2C supply chain attack focusing on compromising hotel booking management accounts, specifically targeting http://Booking.com customers. Nearly 1,000 fraudulent booking and hotel reservation domains have been generated to facilitate this operation. The attack is characterized by the use of urgent notifications, labeled as \"verify or cancel,\" which direct users to external phishing sites. These sites are designed to dynamically load the victim's actual reservation details, effectively tricking users into disclosing sensitive payment information.\n\nThe initial vector for this attack involved compromising hotel staff accounts to gain access to booking platform credentials. This operation aligns with previous phishing campaigns reported, such as the \"I Paid Twice\" campaign, indicating a potential connection between the attackers targeting hotel credentials and those executing the phishing attacks.", "modified": "2025-12-24T15:50:58.187000", "created": "2025-12-24T15:50:58.187000", "tags": [ "domain" ], "references": [ "https://dti.domaintools.com/b2b2c-supply-chain-attack-hotels-booking-accounts-compromised-to-target-customers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 214 }, "indicator_count": 214, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "159 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6912cd713cf012eceb06e900", "name": "IOC - Phishing Campaigns \u201cI Paid Twice\u201d Targeting Booking.com Hotels and Customers", "description": "A Sekoia partner recently reported a phishing campaign targeting hospitality industry customers worldwide. The campaign was observed to involve either emails sent from a hotel\u2019s compromised Booking.com account or messages distributed via WhatsApp. This activity proved particularly effective because the threat actor possessed customer data, including personal identifiers and reservation details, which further increased the credibility of the phishing attempts.", "modified": "2025-12-11T05:03:22.474000", "created": "2025-11-11T05:45:21.863000", "tags": [ "clickfix", "powershell url", "cluster", "csv format", "purerat", "staging payload" ], "references": [ "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 66, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 28 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "172 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Nov.Week2.csv", "https://dti.domaintools.com/b2b2c-supply-chain-attack-hotels-booking-accounts-compromised-to-target-customers/", "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/", "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Clickfix", "Purerat" ], "industries": [ "Hospitality" ] }, "other": { "adversary": [ "Threat", "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428" ], "malware_families": [ "Purerat" ], "industries": [ "Banking", "Hotel", "Hospitality" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6966a130c50513e1e22f9582", "name": "Booking.com Phishing Campaign Targeting Hotels and Customers", "description": "A sophisticated phishing campaign targeting the hospitality industry has been uncovered, compromising hotel administrators' Booking.com accounts to defraud customers. The attack chain begins with spear-phishing emails impersonating Booking.com, leading to malware infection via the ClickFix social engineering tactic. The malware, identified as PureRAT, allows attackers to steal credentials and access booking platforms. Compromised accounts are then used to send fraudulent messages to hotel guests, tricking them into paying for their reservations a second time. The cybercrime ecosystem supporting these attacks includes services for harvesting hotel administrator contacts, distributing phishing emails, and trading stolen Booking.com account credentials on underground forums.", "modified": "2026-02-12T19:04:25.334000", "created": "2026-01-13T19:46:56.899000", "tags": [ "purerat", "credential theft", "cybercrime", "phishing", "clickfix", "booking.com", "hospitality" ], "references": [ "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PureRAT", "display_name": "PureRAT", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 50, "domain": 66, "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 4 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 386709, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690dba690d5c272baae78d78", "name": "Booking.com Phishing Campaign Targeting Hotels and Customers", "description": "A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduct fraudulent schemes against hotel guests, tricking them into paying twice for their reservations. The campaign employs spear-phishing emails impersonating Booking.com, redirecting victims to malicious sites using the ClickFix social engineering tactic. The attackers leverage a complex infrastructure including compromised legitimate websites, traffic distribution systems, and bulletproof hosting. This operation is part of a broader cybercrime ecosystem targeting booking platforms, with various specialized services being offered on underground forums to facilitate these attacks.", "modified": "2025-12-07T09:00:34.797000", "created": "2025-11-07T09:22:49.812000", "tags": [ "phishing", "social engineering", "clickfix", "hospitality", "booking.com", "purerat", "cybercrime" ], "references": [ "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PureRAT", "display_name": "PureRAT", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 66, "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 28, "hostname": 2 }, "indicator_count": 109, "is_author": false, "is_subscribing": null, "subscriber_count": 386710, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69665d5c109a09813bce8749", "name": "Booking.com Phishing Campaign Targeting Hotels and Customers - Sekoia.io Blog", "description": "A new report from cybersecurity firm Sekoia.io examines a sophisticated phishing campaign targeting Booking.com and its customers around the world, as well as the impact of infostealing malware.", "modified": "2026-02-12T14:01:38.116000", "created": "2026-01-13T14:57:32.880000", "tags": [ "purerat", "clickfix", "booking", "powershell", "zip archive", "run registry", "october", "sekoia soc", "ip address", "c2 server", "facebook", "malicious", "april", "date", "refresh", "quirkyloader", "purecrypter", "twitter", "cluster", "clearfake", "malware", "threat" ], "references": [ "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/" ], "public": 1, "adversary": "Threat", "targeted_countries": [], "malware_families": [ { "id": "PureRAT", "display_name": "PureRAT", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Hospitality", "Hotel", "Banking" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 28, "domain": 70, "hostname": 2 }, "indicator_count": 113, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694c0be21992e1c8f5d39e53", "name": "B2B2C Supply Chain Attack: Hotels Booking Accounts Compromised to Target Customers", "description": "Since May 2025, a cyber threat actor has been engaged in a B2B2C supply chain attack focusing on compromising hotel booking management accounts, specifically targeting http://Booking.com customers. Nearly 1,000 fraudulent booking and hotel reservation domains have been generated to facilitate this operation. The attack is characterized by the use of urgent notifications, labeled as \"verify or cancel,\" which direct users to external phishing sites. These sites are designed to dynamically load the victim's actual reservation details, effectively tricking users into disclosing sensitive payment information.\n\nThe initial vector for this attack involved compromising hotel staff accounts to gain access to booking platform credentials. This operation aligns with previous phishing campaigns reported, such as the \"I Paid Twice\" campaign, indicating a potential connection between the attackers targeting hotel credentials and those executing the phishing attacks.", "modified": "2025-12-24T15:50:58.187000", "created": "2025-12-24T15:50:58.187000", "tags": [ "domain" ], "references": [ "https://dti.domaintools.com/b2b2c-supply-chain-attack-hotels-booking-accounts-compromised-to-target-customers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 214 }, "indicator_count": 214, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "159 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6912cd713cf012eceb06e900", "name": "IOC - Phishing Campaigns \u201cI Paid Twice\u201d Targeting Booking.com Hotels and Customers", "description": "A Sekoia partner recently reported a phishing campaign targeting hospitality industry customers worldwide. The campaign was observed to involve either emails sent from a hotel\u2019s compromised Booking.com account or messages distributed via WhatsApp. This activity proved particularly effective because the threat actor possessed customer data, including personal identifiers and reservation details, which further increased the credibility of the phishing attempts.", "modified": "2025-12-11T05:03:22.474000", "created": "2025-11-11T05:45:21.863000", "tags": [ "clickfix", "powershell url", "cluster", "csv format", "purerat", "staging payload" ], "references": [ "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 66, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 28 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "172 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "breserve-custommessagehelp.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "breserve-custommessagehelp.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780331989.7019892 }