Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware families. The campaign, tracked as Storm-1865, targets individuals likely to work with Booking.com in North America, Oceania, Asia, and Europe. The attack uses fake emails and webpages to trick users into executing malicious commands, leading to the download of various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. The campaign aims to steal financial data and credentials for fraudulent use, showing an evolution in the threat actor's tactics to bypass conventional security measures.

Pulse ID: 67fb93e8ebc93d6ded395f39
Pulse Link: https://otx.alienvault.com/pulse/67fb93e8ebc93d6ded395f39
Pulse Author: AlienVault
Created: 2025-04-13 10:37:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #AsyncRAT #CyberSecurity #DanaBot #Email #Europe #FinancialData #Hospital #ICS #InfoSec #LummaStealer #Malware #NetSupport #NetSupportRAT #NorthAmerica #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #Venom #Worm #XWorm #bot #AlienVault

LevelBlue - Open Threat Exchange


2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.

The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.

A #pcap from an infection, the associated #malware samples, and #IOCs are available at https://www.malware-traffic-analysis.net/2025/03/26/index.html

Malware-Traffic-Analysis.net - 2025-03-26: SmartApeSG traffic for fake browser update leads to NetSupport RAT and StealC

It's hard to admit, but the level of technical staff at providers is dropping fast.

And I'm not writing this about small home-network ISPs. 😟

#ukraine #netsupport

#webshell #opendir #netsupport #rat at:

https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/

GatewayAddress=95.179.158.213:443
RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA

2024-12-24 (Tuesday)

#SmartApeSG infection chain starting with we-careu[.]xyz/work/original.js from compromised site.

Ends with #NetSupport #RAT using the same 194.180.191[.]64 C2 address we've seen since November.

2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.

Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.

A #pcap of the infection traffic, associated malware samples and more information is available at https://www.malware-traffic-analysis.net/2024/12/17/index.html

NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.

#FakeUpdates #NetSupportRAT

Malware-Traffic-Analysis.net - 2024-12-17: SmartApeSG injected script leads to NetSupport RAT

2024-12-13 (Friday): ww.anceltech[.]com compromised with #SmartApeSG leading to #NetSupport #RAT

Saw 2 injected scripts, one for jitcom[.]info and one for best-net[.]biz.

Pivoting on best-net[.]biz in URLscan shows signs of six other possibly compromised sites: https://urlscan.io/search/#best-net.biz

Those possibly compromised sites are:

- destinationbedfordva[.]com
- exceladept[.]com
- thefilmverdict[.]com
- thenapministry[.]com
- www.estatesale-finder[.]com
- www.freepetchipregistry[.]com

I haven't tried them yet to confirm, but that's always been the case when I pivot on the SmartApeSG domains in URLscan.

#NetSupportRAT C2 for this campaign since as early as 2024-11-22 has been 194.180.191[.]64


2024-12-11 (Wednesday): Zip archive containing #NetSupport #RAT (#NetSupportRAT) package hosted at hxxps[:]//homeservicephiladelphia[.]info/work/yyy.zip

The C2 for this NetSupport package is 194.180.191[.]64, which is a known NetSupport C2 active since 2024-11-22, per ThreatFox: https://threatfox.abuse.ch/ioc/1346763/

Nothing new on the NetSupport side. I'm sure that hosting URL is part of an infection chain, but I don't know what's leading to it.
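The posts above share indicators in several defanged notations (`[.]`, `hxxps[:]//`, and a backslash before the dot). The following helper, an added example that is not code from any of these posts or from malware-traffic-analysis.net, refangs such text and pulls out IP addresses, hostnames and URLs so they can be checked against a blocklist or a proxy log; the sample text is constructed in the same style as the posts and the extraction rules are my own assumptions, not a standard.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample in the defanging styles used by the posts above (not a real feed dump)
SAMPLE_POSTS = r"""
#SmartApeSG infection chain starting with we-careu[.]xyz/work/original.js from compromised site.
Ends with #NetSupport #RAT using the same 194.180.191[.]64 C2 address.
Zip archive hosted at hxxps[:]//homeservicephiladelphia[.]info/work/yyy.zip
#webshell #opendir at: https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/
GatewayAddress=95.179.158.213:443
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")
# Bare hostname, optionally followed by a path (e.g. we-careu.xyz/work/original.js)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"'<>]*)?", re.I)


def refang(text: str) -> str:
    """Undo common defanging: [.] -> ., \\. -> ., hxxp(s)[:]// and hxxp(s):// -> http(s)://"""
    text = text.replace("[.]", ".").replace("\\.", ".")
    text = re.sub(r"hxxp(s?)\[:\]//", r"http\1://", text)
    text = re.sub(r"hxxp(s?)://", r"http\1://", text)
    return text


def _valid_ip(candidate: str) -> bool:
    """True only for syntactically valid IPv4 addresses (rejects e.g. 999.1.1.1)."""
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return sorted, de-duplicated IPs (port stripped), hostnames and URLs from defanged text."""
    refanged = refang(text)
    ips = {m.split(":")[0] for m in IPV4_RE.findall(refanged) if _valid_ip(m.split(":")[0])}
    urls = set(URL_RE.findall(refanged))
    domains = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    # Look for bare hostnames only in what is left after the full URLs are removed
    stripped = URL_RE.sub(" ", refanged)
    for match in DOMAIN_RE.findall(stripped):
        host = match.split("/")[0].lower()
        if not host.replace(".", "").isdigit():  # skip anything that is really an IP
            domains.add(host)
    return {"ips": sorted(ips), "domains": sorted(domains), "urls": sorted(urls)}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_POSTS).items():
        print(kind, values)
```

The hostnames and IPs it returns are the values to match against DNS and proxy logs; the URL list is what you would submit to a sandbox or URLscan, as the posts describe doing with the SmartApeSG domains.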


The Russian cybercrime group FIN7 ran a network of fake AI undressing sites that delivered credential-stealing malware to those who uploaded pictures. I gotta say, this is one group of cybercrime victims that I don't feel sorry for.

https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/

#FIN7 #Russia #Cybercrime #NetSupport #NetSupportRAT #RAT #Malware #CredentialTheft #AI #Deepfake #Deepfakes #DeepNude #DeepNueds #SilentPush

FIN7 hosting honeypot domains with malicious AI DeepNude Generators – New Silent Push research - Silent Push

Want to know the ins and outs of how we craft detection for our customers? Our new blog series covers the technical research that goes into each and every @snort rule, IP block and more. First up, we're covering the #NetSupport RAT https://blog.talosintelligence.com/detecting-evolving-threats-netsupport-rat/
Detecting evolving threats: NetSupport RAT campaign

In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats.
