{ "type": "Domain", "indicator": "micros0ft.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/micros0ft.com", "alexa": "http://www.alexa.com/siteinfo/micros0ft.com", "indicator": "micros0ft.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4046593657, "indicator": "micros0ft.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "67d30e5c763aea4dce897014", "name": "Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware", "description": "A phishing campaign targeting the hospitality industry impersonates Booking.com to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, uses a social engineering technique called ClickFix to trick users into downloading malicious payloads. Targets are sent emails with links to fake Booking.com pages, which prompt users to execute commands that download malware. The campaign delivers various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Organizations in North America, Oceania, Asia, and Europe are targeted. The threat actor's evolving tactics demonstrate attempts to bypass conventional security measures.", "modified": "2025-04-12T16:05:48.385000", "created": "2025-03-13T16:57:00.629000", "tags": [ "venomrat", "lumma stealer", "netsupport rat", "asyncrat", "clickfix", "credential-stealing", "phishing", "booking.com", "danabot", "xworm" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/" ], "public": 1, "adversary": "Storm-1865", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Lumma stealer", "display_name": "Lumma stealer", "target": null }, { "id": "VenomRAT", "display_name": "VenomRAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386552, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697a9015a6b6986b45485d39", "name": "EbeeJan2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:17.725000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 212, "FileHash-SHA1": 212, "FileHash-SHA256": 338, "URL": 16, "domain": 109, "email": 7, "hostname": 83 }, "indicator_count": 980, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6977c393433ff631bf86e558", "name": "Hackers Use \u2018rn\u2019 Typo Trick in New Marriott Phishing Campaign", "description": "", "modified": "2026-01-26T19:42:11.435000", "created": "2026-01-26T19:42:11.435000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69776bd5e5c5a64b0cbddf28", "name": "Hackers Use \u2018rn\u2019 Typo Trick to Impersonate Microsoft and Marriott in New Phishing Attack", "description": "A sophisticated phishing campaign is targeting customers of Marriott International and Microsoft, using a typo trick that mimics the company\u2019s official logo and layout, according to security firm Netcraft.", "modified": "2026-01-26T13:27:49.949000", "created": "2026-01-26T13:27:49.949000", "tags": [ "microsoft", "marriott", "netcraft", "microsoft users", "fire harley", "sugarman", "anagram", "microsoft logo", "difference", "compromise", "look" ], "references": [ "https://cybersecuritynews.com/rn-typo-phishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Hotel" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "125 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69766f2d6725a71097054cd9", "name": "Hackers Use rn Typo Trick to Impersonate Microsoft and Marriott in New Phishing Attack", "description": "A recent phishing campaign has emerged that employs a sophisticated technique known as \"homoglyph\" attacks, targeting customers of both Marriott International and Microsoft. Attackers are utilizing a typographical trick that replaces the letter \"m\" with the combination of \"rn\" (the characters r and n), creating fraudulent domains that closely mimic the legitimate websites of these well-known brands.\n\nIn the case of Marriott International, a security firm named Netcraft has reported the discovery of several malicious domains specifically designed to impersonate the hotel chain. These fake websites aim to deceive users into revealing their loyalty account credentials or other sensitive personal information related to hotel bookings and guest data. The close resemblance to legitimate domains raises the risk of unsuspecting customers falling victim to these phishing efforts.", "modified": "2026-01-25T19:29:49.547000", "created": "2026-01-25T19:29:49.547000", "tags": [ "microsoft", "marriott", "netcraft", "microsoft users", "fire harley", "anagram", "microsoft logo", "difference", "compromise", "look", "critical", "marriott hotels", "login", "high", "mobile" ], "references": [ "https://cybersecuritynews.com/rn-typo-phishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Hotel" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "125 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6926add1749cbe0cf32d328b", "name": "Sophisticated Typosquatting Technique Uses \u2018rn\u2019 Illusion to Deceive Microsoft Users", "description": "", "modified": "2025-11-26T07:35:45.607000", "created": "2025-11-26T07:35:45.607000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "186 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d4080c7132d93dd7271982", "name": "Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware | Microsoft Security Blog", "description": "", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-14T10:42:20.540000", "tags": [ "microsoft", "asim", "clickfix", "storm1865", "office", "sha256", "copilot", "trojan", "iocs", "dstipaddr", "lumma stealer", "february", "venomrat", "asyncrat", "danabot", "powershell", "contact", "defender", "suspicious", "look", "sentinel", "model", "malware", "twitter" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "413 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d38fdea0268f4a1d6f1916", "name": "IOC&TTP - Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware", "description": "\u81ea2024\u5e7412\u6708\u8d77\uff0c\u5fae\u8f6f\u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u53d1\u73b0\u4e86\u4e00\u573a\u9488\u5bf9Booking.com\u7684\u7f51\u7edc\u9493\u9c7c\u6d3b\u52a8\uff0c\u8be5\u6d3b\u52a8\u5229\u7528\u793e\u4f1a\u5de5\u7a0b\u6280\u672fClickFix\uff0c\u5411\u53d7\u5bb3\u8005\u6295\u653e\u591a\u4e2a\u51ed\u636e\u7a83\u53d6\u6076\u610f\u8f6f\u4ef6\uff0c\u4ee5\u8fdb\u884c\u91d1\u878d\u6b3a\u8bc8\u548c\u6570\u636e\u7a83\u53d6\u3002\u76ee\u524d\uff0c\u8be5\u6d3b\u52a8\u4ecd\u5728\u6301\u7eed\u3002\n\n\u8be5\u653b\u51fb\u4e3b\u8981\u9488\u5bf9\u5317\u7f8e\u3001\u6b27\u6d32\u3001\u5357\u4e9a\u3001\u4e1c\u5357\u4e9a\u548c\u5927\u6d0b\u6d32\u7684\u9152\u5e97\u884c\u4e1a\uff0c\u653b\u51fb\u8005\u5192\u5145Booking.com\u5411\u76f8\u5173\u4f01\u4e1a\u5458\u5de5\u53d1\u9001\u4f2a\u9020\u90ae\u4ef6\uff0c\u8bf1\u5bfc\u4ed6\u4eec\u70b9\u51fb\u6076\u610f\u94fe\u63a5\u6216\u6253\u5f00\u5e26\u6709\u6076\u610f\u94fe\u63a5\u7684PDF\u9644\u4ef6\u3002\u8fd9\u4e9b\u9493\u9c7c\u9875\u9762\u901a\u5e38\u6a21\u62dfBooking.com\u7f51\u7ad9\uff0c\u5e76\u5229\u7528**\u4f2a\u9020\u7684\u9a8c\u8bc1\u7801\uff08CAPTCHA\uff09**\u589e\u5f3a\u53ef\u4fe1\u5ea6\u3002\n\n\u5728ClickFix\u6280\u672f\u7684\u5b9e\u65bd\u4e2d\uff0c\u653b\u51fb\u8005\u5f15\u5bfc\u7528\u6237\u5728Windows\u7cfb\u7edf\u4e2d\u4f7f\u7528\u5feb\u6377\u952e\u6253\u5f00\u201c\u8fd0\u884c\u201d\u7a97\u53e3\uff0c\u7136\u540e\u590d\u5236\u5e76\u6267\u884c\u4e00\u4e2a\u7531\u9493\u9c7c\u9875\u9762\u63d0\u4f9b\u7684\u6076\u610f\u547d\u4ee4\u3002\u8be5\u547d\u4ee4\u901a\u5e38\u901a\u8fc7mshta.exe\u4e0b\u8f7d\u548c\u6267\u884c\u6076\u610f\u4ee3\u7801\uff0c\u4ece\u800c\u611f\u67d3\u76ee\u6807\u8bbe\u5907\u3002", "modified": "2025-04-12T16:05:48.385000", "created": "2025-03-14T02:09:34.286000", "tags": [ "venomrat", "lumma stealer", "netsupport rat", "asyncrat", "clickfix", "credential-stealing", "phishing", "booking.com", "danabot", "xworm" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/" ], "public": 1, "adversary": "Storm-1865", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Lumma stealer", "display_name": "Lumma stealer", "target": null }, { "id": "VenomRAT", "display_name": "VenomRAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": "67d30e5c763aea4dce897014", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d8f41525c7fe47c744f49b", "name": "Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware", "description": "", "modified": "2025-04-12T16:05:48.385000", "created": "2025-03-18T04:18:29.752000", "tags": [ "venomrat", "lumma stealer", "netsupport rat", "asyncrat", "clickfix", "credential-stealing", "phishing", "booking.com", "danabot", "xworm" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/" ], "public": 1, "adversary": "Storm-1865", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Lumma stealer", "display_name": "Lumma stealer", "target": null }, { "id": "VenomRAT", "display_name": "VenomRAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": "67d30e5c763aea4dce897014", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/", "IOCs.csv", "https://cybersecuritynews.com/rn-typo-phishing-attack/" ], "related": { "alienvault": { "adversary": [ "Storm-1865" ], "malware_families": [ "Asyncrat", "Danabot", "Xworm", "Venomrat", "Netsupport rat", "Lumma stealer" ], "industries": [ "Hospitality" ] }, "other": { "adversary": [ "Storm-1865", "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users" ], "malware_families": [ "Asyncrat", "Danabot", "Xworm", "Venomrat", "Netsupport rat", "Lumma stealer" ], "industries": [ "Hospitality", "Hotel" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "67d30e5c763aea4dce897014", "name": "Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware", "description": "A phishing campaign targeting the hospitality industry impersonates Booking.com to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, uses a social engineering technique called ClickFix to trick users into downloading malicious payloads. Targets are sent emails with links to fake Booking.com pages, which prompt users to execute commands that download malware. The campaign delivers various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Organizations in North America, Oceania, Asia, and Europe are targeted. The threat actor's evolving tactics demonstrate attempts to bypass conventional security measures.", "modified": "2025-04-12T16:05:48.385000", "created": "2025-03-13T16:57:00.629000", "tags": [ "venomrat", "lumma stealer", "netsupport rat", "asyncrat", "clickfix", "credential-stealing", "phishing", "booking.com", "danabot", "xworm" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/" ], "public": 1, "adversary": "Storm-1865", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Lumma stealer", "display_name": "Lumma stealer", "target": null }, { "id": "VenomRAT", "display_name": "VenomRAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386552, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697a9015a6b6986b45485d39", "name": "EbeeJan2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:17.725000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 212, "FileHash-SHA1": 212, "FileHash-SHA256": 338, "URL": 16, "domain": 109, "email": 7, "hostname": 83 }, "indicator_count": 980, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6977c393433ff631bf86e558", "name": "Hackers Use \u2018rn\u2019 Typo Trick in New Marriott Phishing Campaign", "description": "", "modified": "2026-01-26T19:42:11.435000", "created": "2026-01-26T19:42:11.435000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69776bd5e5c5a64b0cbddf28", "name": "Hackers Use \u2018rn\u2019 Typo Trick to Impersonate Microsoft and Marriott in New Phishing Attack", "description": "A sophisticated phishing campaign is targeting customers of Marriott International and Microsoft, using a typo trick that mimics the company\u2019s official logo and layout, according to security firm Netcraft.", "modified": "2026-01-26T13:27:49.949000", "created": "2026-01-26T13:27:49.949000", "tags": [ "microsoft", "marriott", "netcraft", "microsoft users", "fire harley", "sugarman", "anagram", "microsoft logo", "difference", "compromise", "look" ], "references": [ "https://cybersecuritynews.com/rn-typo-phishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Hotel" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "125 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69766f2d6725a71097054cd9", "name": "Hackers Use rn Typo Trick to Impersonate Microsoft and Marriott in New Phishing Attack", "description": "A recent phishing campaign has emerged that employs a sophisticated technique known as \"homoglyph\" attacks, targeting customers of both Marriott International and Microsoft. Attackers are utilizing a typographical trick that replaces the letter \"m\" with the combination of \"rn\" (the characters r and n), creating fraudulent domains that closely mimic the legitimate websites of these well-known brands.\n\nIn the case of Marriott International, a security firm named Netcraft has reported the discovery of several malicious domains specifically designed to impersonate the hotel chain. These fake websites aim to deceive users into revealing their loyalty account credentials or other sensitive personal information related to hotel bookings and guest data. The close resemblance to legitimate domains raises the risk of unsuspecting customers falling victim to these phishing efforts.", "modified": "2026-01-25T19:29:49.547000", "created": "2026-01-25T19:29:49.547000", "tags": [ "microsoft", "marriott", "netcraft", "microsoft users", "fire harley", "anagram", "microsoft logo", "difference", "compromise", "look", "critical", "marriott hotels", "login", "high", "mobile" ], "references": [ "https://cybersecuritynews.com/rn-typo-phishing-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Hotel" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "125 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6926add1749cbe0cf32d328b", "name": "Sophisticated Typosquatting Technique Uses \u2018rn\u2019 Illusion to Deceive Microsoft Users", "description": "", "modified": "2025-11-26T07:35:45.607000", "created": "2025-11-26T07:35:45.607000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "186 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d4080c7132d93dd7271982", "name": "Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware | Microsoft Security Blog", "description": "", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-14T10:42:20.540000", "tags": [ "microsoft", "asim", "clickfix", "storm1865", "office", "sha256", "copilot", "trojan", "iocs", "dstipaddr", "lumma stealer", "february", "venomrat", "asyncrat", "danabot", "powershell", "contact", "defender", "suspicious", "look", "sentinel", "model", "malware", "twitter" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "413 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d38fdea0268f4a1d6f1916", "name": "IOC&TTP - Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware", "description": "\u81ea2024\u5e7412\u6708\u8d77\uff0c\u5fae\u8f6f\u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u53d1\u73b0\u4e86\u4e00\u573a\u9488\u5bf9Booking.com\u7684\u7f51\u7edc\u9493\u9c7c\u6d3b\u52a8\uff0c\u8be5\u6d3b\u52a8\u5229\u7528\u793e\u4f1a\u5de5\u7a0b\u6280\u672fClickFix\uff0c\u5411\u53d7\u5bb3\u8005\u6295\u653e\u591a\u4e2a\u51ed\u636e\u7a83\u53d6\u6076\u610f\u8f6f\u4ef6\uff0c\u4ee5\u8fdb\u884c\u91d1\u878d\u6b3a\u8bc8\u548c\u6570\u636e\u7a83\u53d6\u3002\u76ee\u524d\uff0c\u8be5\u6d3b\u52a8\u4ecd\u5728\u6301\u7eed\u3002\n\n\u8be5\u653b\u51fb\u4e3b\u8981\u9488\u5bf9\u5317\u7f8e\u3001\u6b27\u6d32\u3001\u5357\u4e9a\u3001\u4e1c\u5357\u4e9a\u548c\u5927\u6d0b\u6d32\u7684\u9152\u5e97\u884c\u4e1a\uff0c\u653b\u51fb\u8005\u5192\u5145Booking.com\u5411\u76f8\u5173\u4f01\u4e1a\u5458\u5de5\u53d1\u9001\u4f2a\u9020\u90ae\u4ef6\uff0c\u8bf1\u5bfc\u4ed6\u4eec\u70b9\u51fb\u6076\u610f\u94fe\u63a5\u6216\u6253\u5f00\u5e26\u6709\u6076\u610f\u94fe\u63a5\u7684PDF\u9644\u4ef6\u3002\u8fd9\u4e9b\u9493\u9c7c\u9875\u9762\u901a\u5e38\u6a21\u62dfBooking.com\u7f51\u7ad9\uff0c\u5e76\u5229\u7528**\u4f2a\u9020\u7684\u9a8c\u8bc1\u7801\uff08CAPTCHA\uff09**\u589e\u5f3a\u53ef\u4fe1\u5ea6\u3002\n\n\u5728ClickFix\u6280\u672f\u7684\u5b9e\u65bd\u4e2d\uff0c\u653b\u51fb\u8005\u5f15\u5bfc\u7528\u6237\u5728Windows\u7cfb\u7edf\u4e2d\u4f7f\u7528\u5feb\u6377\u952e\u6253\u5f00\u201c\u8fd0\u884c\u201d\u7a97\u53e3\uff0c\u7136\u540e\u590d\u5236\u5e76\u6267\u884c\u4e00\u4e2a\u7531\u9493\u9c7c\u9875\u9762\u63d0\u4f9b\u7684\u6076\u610f\u547d\u4ee4\u3002\u8be5\u547d\u4ee4\u901a\u5e38\u901a\u8fc7mshta.exe\u4e0b\u8f7d\u548c\u6267\u884c\u6076\u610f\u4ee3\u7801\uff0c\u4ece\u800c\u611f\u67d3\u76ee\u6807\u8bbe\u5907\u3002", "modified": "2025-04-12T16:05:48.385000", "created": "2025-03-14T02:09:34.286000", "tags": [ "venomrat", "lumma stealer", "netsupport rat", "asyncrat", "clickfix", "credential-stealing", "phishing", "booking.com", "danabot", "xworm" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/" ], "public": 1, "adversary": "Storm-1865", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Lumma stealer", "display_name": "Lumma stealer", "target": null }, { "id": "VenomRAT", "display_name": "VenomRAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": "67d30e5c763aea4dce897014", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d8f41525c7fe47c744f49b", "name": "Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware", "description": "", "modified": "2025-04-12T16:05:48.385000", "created": "2025-03-18T04:18:29.752000", "tags": [ "venomrat", "lumma stealer", "netsupport rat", "asyncrat", "clickfix", "credential-stealing", "phishing", "booking.com", "danabot", "xworm" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/" ], "public": 1, "adversary": "Storm-1865", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Lumma stealer", "display_name": "Lumma stealer", "target": null }, { "id": "VenomRAT", "display_name": "VenomRAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": "67d30e5c763aea4dce897014", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "micros0ft.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "micros0ft.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780249251.1513333 }