CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Global Phishing Campaign Installs Multiple RATs via JavaScript Droppers

First reported
Last updated
4 unique sources, 8 articles

Summary

Hide ▲

A rapidly spreading phishing campaign is targeting Windows users and Booking.com partner accounts worldwide, stealing credentials and deploying various remote access trojans (RATs) using malicious JavaScript files and PowerShell commands. The campaign affects multiple sectors, including manufacturing, technology, healthcare, construction, retail/hospitality, and the hospitality industry. The attackers use personalized phishing pages and socially engineered scenarios to lure victims into downloading the malware. The campaign involves multiple stages, including an initial obfuscated script, a spoofed site, and the deployment of RATs such as PureHVNC, DCRat, and Babylon RAT. The attackers employ sophisticated techniques to evade detection and maintain long-term access to compromised networks. The campaign has been observed in countries including Austria, Belarus, Canada, Egypt, India, and Pakistan. The phishing emails use themes related to voicemail messages, purchases, and banking verification issues to deceive recipients into clicking on malicious links. The initial payload is a ZIP archive containing an obfuscated JavaScript file that acts as a dropper for UpCrypter, which functions as a conduit for various RATs. The malware uses steganography to embed the final payload within a harmless-looking image and includes anti-analysis and anti-virtual machine checks to evade detection. The malware is executed without writing to the file system, minimizing forensic traces. The campaign is part of a larger trend where threat actors abuse legitimate services for phishing attacks. A new campaign impersonates Ukrainian government agencies to deliver CountLoader, which drops Amatera Stealer and PureMiner. The phishing emails contain malicious SVG files designed to trick recipients into opening harmful attachments. The SVG files initiate the download of a password-protected ZIP archive containing a CHM file, which activates CountLoader. CountLoader drops various payloads, including Cobalt Strike, AdaptixC2, and PureHVNC RAT, and in this case, Amatera Stealer and PureMiner. Amatera Stealer gathers system information, collects files, and harvests data from various applications and browsers. A Vietnamese-speaking threat group uses phishing emails with copyright infringement notice themes to deploy PXA Stealer, which evolves into PureRAT. PureRAT is a modular, professionally developed backdoor that gives attackers complete control over a compromised host. The campaign demonstrates a progression from simple phishing lures to multi-layered infection sequences involving defense evasion and credential theft. The attack chain begins with a ZIP archive containing a legitimate PDF reader executable and a malicious DLL, using DLL sideloading to execute the next payload. The malware employs multiple stages of obfuscation, including Base64 encoding, steganography, and anti-analysis techniques to evade detection. The campaign uses a combination of Python scripts and .NET executables to achieve its objectives, demonstrating a progression from simple phishing lures to multi-layered infection sequences. The final payload, PureRAT, is a modular, professionally developed backdoor that provides complete control over a compromised host. The threat actor uses Telegram bot descriptions and URL shorteners to dynamically fetch and execute the next payload, allowing for flexible updates to the attack chain. The malware includes defense evasion techniques such as AMSI patching and ETW unhooking to avoid detection by security tools. The campaign is attributed to a Vietnamese-speaking threat group associated with the PXA Stealer malware family, using infrastructure traced to Vietnam. The threat actor demonstrates proficiency in multiple languages and techniques, including Python bytecode loaders, WMI enumeration, .NET process hollowing, and reflective DLL loading. The pivot from a custom-coded stealer to a commercial RAT like PureRAT lowers the barrier to entry for the attacker, providing access to a stable, feature-rich toolkit. A large-scale phishing operation has been targeting Booking.com partner accounts since at least April 2025. The campaign exploits hotel systems and customer data, using a sophisticated malware campaign. The intrusion begins with malicious emails sent from legitimate hotel accounts or impersonating Booking.com, leading victims to execute a PowerShell command that downloads PureRAT. PureRAT allows attackers to remotely control infected machines, steal credentials, capture screenshots, and exfiltrate sensitive data. The malware initially targets hotel staff to steal login credentials for booking platforms, which are then used in fraudulent schemes. The campaign demonstrates the growing professionalization of cybercrime targeting the hospitality industry, with hundreds of malicious domains active as of October 2025. The firm continues to monitor adversary infrastructure and improve detection methods to help protect booking platforms and their customers. Researchers have uncovered a broad campaign in which threat actors target hotels with ClickFix attacks to steal customer data as part of ongoing attacks against the hospitality sector that includes secondary attacks against the establishments' customers. The initial attack against hotels uses a compromised email account to send malicious messages to multiple hotel establishments. In some instances, attackers alter the "From" header to impersonate Booking.com, while subject lines are often related to guest matters, including references to last-minute booking, listings, reservations, and the like. The attack chain then uses a redirection URL that ultimately leads to a ClickFix reCAPTACHA challenge in which users are prompted to copy a malicious PowerShell command. This command eventually leads to the deployment of infostealing and remote access Trojan (RAT) malware. The campaign has led to secondary attacks against hotel customers, with attackers contacting them via WhatsApp or email using legitimate reservation details of the target. Attackers then ask victims to validate banking details by visiting a URL, which leads to the phishing page that mimics Booking.com’s typography and layout and which harvests the victim’s banking information. A Russian-speaking threat behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, is designed to target customers of the hospitality industry, specifically hotel guests who may have travel reservations with spam emails. The campaign is said to have begun in earnest around February 2025. Of the 4,344 domains tied to the attack, 685 domains contain the name "Booking", followed by 18 with "Expedia," 13 with "Agoda," and 12 with "Airbnb," indicating an attempt to target all popular booking and rental platforms. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com. The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken to a fake site instead after initiating a chain of redirects. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy. The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. In the event that any user directly attempts to access the page without a unique identifier called AD_CODE, they are greeted with a blank page. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com. The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken to a fake site instead after initiating a chain of redirects. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy. The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. In the event that any user directly attempts to access the page without a unique identifier called AD_CODE, they are greeted with a blank page. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target. The campaign uses a unique identifier called AD_CODE to ensure consistent branding across pages. The phishing pages attempt to process a transaction in the background while displaying a support chat window for 3D Secure verification. The identity of the threat group remains unknown, but Russian is used in source code comments and debugger output. The campaign is linked to a previous phishing campaign targeting the hospitality industry with PureRAT malware. The phishing kit is a fully automated, multi-stage platform designed for efficiency and stealth. The phishing kit employs CAPTCHA filtering to evade security scans and uses Telegram bots to exfiltrate stolen credentials and payment information.

Timeline

  1. 06.11.2025 18:00 4 articles · 9d ago

    Phishing Campaign Targets Booking.com Partner Accounts

    A large-scale phishing operation has been targeting Booking.com partner accounts since at least April 2025. The campaign exploits hotel systems and customer data, using a sophisticated malware campaign. The intrusion begins with malicious emails sent from legitimate hotel accounts or impersonating Booking.com, leading victims to execute a PowerShell command that downloads PureRAT. PureRAT allows attackers to remotely control infected machines, steal credentials, capture screenshots, and exfiltrate sensitive data. The malware initially targets hotel staff to steal login credentials for booking platforms, which are then used in fraudulent schemes. The campaign demonstrates the growing professionalization of cybercrime targeting the hospitality industry, with hundreds of malicious domains active as of October 2025. The campaign uses compromised email accounts to send malicious messages to multiple hotel establishments, employing ClickFix social engineering tactics to deploy PureRAT. The end goal is to steal credentials from compromised systems to gain unauthorized access to booking platforms like Booking.com or Expedia. The campaign has been active since at least April 2025 and operational as of early October 2025. The article also highlights the use of Telegram bots and criminal forums to buy and sell Booking.com logs, reflecting the professionalization of cybercrime targeting the hospitality industry. A Russian-speaking threat behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, is designed to target customers of the hospitality industry, specifically hotel guests who may have travel reservations with spam emails. The campaign is said to have begun in earnest around February 2025. Of the 4,344 domains tied to the attack, 685 domains contain the name "Booking", followed by 18 with "Expedia," 13 with "Agoda," and 12 with "Airbnb," indicating an attempt to target all popular booking and rental platforms. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com. The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken to a fake site instead after initiating a chain of redirects. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy. The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. In the event that any user directly attempts to access the page without a unique identifier called AD_CODE, they are greeted with a blank page. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com. The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken to a fake site instead after initiating a chain of redirects. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy. The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. In the event that any user directly attempts to access the page without a unique identifier called AD_CODE, they are greeted with a blank page. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target. The campaign uses a unique identifier called AD_CODE to ensure consistent branding across pages. The phishing pages attempt to process a transaction in the background while displaying a support chat window for 3D Secure verification. The identity of the threat group remains unknown, but Russian is used in source code comments and debugger output. The campaign is linked to a previous phishing campaign targeting the hospitality industry with PureRAT malware. The phishing kit is a fully automated, multi-stage platform designed for efficiency and stealth. The phishing kit employs CAPTCHA filtering to evade security scans and uses Telegram bots to exfiltrate stolen credentials and payment information.

    Show sources
    Open in new tab
  2. 26.09.2025 19:40 3 articles · 1mo ago

    Phishing Campaign Targets Ukraine and Vietnam with PureRAT and Amatera Stealer

    The campaign is attributed to a Vietnamese-speaking threat group associated with the PXA Stealer malware family, using infrastructure traced to Vietnam. The threat actor demonstrates proficiency in multiple languages and techniques, including Python bytecode loaders, WMI enumeration, .NET process hollowing, and reflective DLL loading. The pivot from a custom-coded stealer to a commercial RAT like PureRAT lowers the barrier to entry for the attacker, providing access to a stable, feature-rich toolkit. The attack chain delivers infostealing malware that gathers various data from the compromised system, including key system information, and downloads files that lead to the launch of a RAT known as "PureRAT" for further malicious activity. The infostealer also reports status updates to its command-and-control (C2) infrastructure at each step of the attack to indicate the successful progression of the action.

    Show sources
    Open in new tab
  3. 25.08.2025 18:13 7 articles · 2mo ago

    Rapidly Spreading Phishing Campaign Installs Multiple RATs

    The campaign has expanded to target hotels with ClickFix attacks to steal customer data. The initial attack against hotels uses a compromised email account to send malicious messages to multiple hotel establishments. In some instances, attackers alter the "From" header to impersonate Booking.com, while subject lines are often related to guest matters. The attack chain then uses a redirection URL that ultimately leads to a ClickFix reCAPTACHA challenge in which users are prompted to copy a malicious PowerShell command. This command eventually leads to the deployment of infostealing and remote access Trojan (RAT) malware. The campaign has led to secondary attacks against hotel customers, with attackers contacting them via WhatsApp or email using legitimate reservation details of the target. Attackers then ask victims to validate banking details by visiting a URL, which leads to the phishing page that mimics Booking.com’s typography and layout and which harvests the victim’s banking information. The campaign demonstrates the growing effectiveness of threat actors in social engineering and the use of commodity malware on cybercrime forums.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Scattered Spider, ShinyHunters, and LAPSUS$ Form Unified Cyber Extortion Collective

A new cyber extortion collective, Scattered LAPSUS$ Hunters (SLH), has emerged as a unified alliance combining Scattered Spider, ShinyHunters, and LAPSUS$. The group is leveraging the reputational capital of these three high-profile criminal brands to create a consolidated threat identity. SLH is using Telegram as a command hub and brand engine, cycling through public channels to maintain a persistent presence. The alliance aims to fill the void left by the collapse of BreachForums and attract displaced operators with an affiliate-driven extortion model. SLH has created 16 Telegram channels since August 8, 2025, and offers an extortion-as-a-service (EaaS) model. The group is part of a larger cybercriminal enterprise known as The Com and has associations with other threat clusters, including CryptoChameleon and Crimson Collective. SLH's activities blend financially motivated cybercrime and attention-driven hacktivism, with a mature grasp of perception and legitimacy within the cybercriminal ecosystem. The group has hinted at developing a custom ransomware family named Sh1nySp1d3r and is aligned with DragonForce, functioning as an affiliate to break into targets through social engineering techniques.

Open in new tab

North Korean Threat Actor BlueNoroff Targets Web3 Sector

The North Korean threat actor BlueNoroff, also known as APT38 and TA444, has launched two new campaigns targeting the Web3 sector. These campaigns, dubbed GhostCall and GhostHire, focus on executives, Web3 developers, and blockchain professionals. The attacks use social engineering techniques on platforms like Telegram and LinkedIn to initiate multi-stage malware chains that compromise Windows, Linux, and macOS hosts. BlueNoroff is a financially motivated sub-cluster of the Lazarus Group, North Korea's state-sponsored cyber unit linked to the Reconnaissance General Bureau (RGB). The group is known for the long-running SnatchCrypto campaign, which has evolved to include comprehensive data acquisition across a range of assets. The harvested data is used to facilitate subsequent attacks, enabling supply chain attacks and leveraging established trust relationships to impact a broader range of users.

Open in new tab

HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack

The North Korea-linked threat actor Kimsuky distributed a new backdoor named HttpTroy in a targeted spear-phishing attack against a South Korean entity. The attack involved a ZIP file disguised as a VPN invoice, which contained a multi-stage malware chain. HttpTroy enables file transfers, screenshot capture, command execution, and other malicious activities. The malware uses advanced obfuscation techniques to evade detection. The attack was detected by Gen Digital, which did not specify the exact timeline of the incident. The initial vector is suspected to be a phishing email, as no known vulnerabilities were exploited. The malware communicates with a command-and-control server over HTTP POST requests. The attack chain includes a dropper, a loader (MemLoad), and the final backdoor (HttpTroy). The ZIP file contained a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean and loaded the attack chain until the backdoor program was running. HttpTroy supports a wide range of remote actions and increases stealth by encrypting its communications, obfuscating payloads, and executing code in memory. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection.

Open in new tab

Memento Labs linked to Chrome zero-day exploitation in Operation ForumTroll

Operation ForumTroll, discovered in March 2025, targeted Russian organizations using a zero-day vulnerability in Google Chrome (CVE-2025-2783). The campaign, also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE, delivered malware linked to the Italian spyware vendor Memento Labs. The attacks used phishing emails with malicious links to infect victims, targeting media outlets, universities, research centers, government organizations, financial institutions, and other organizations in Russia and Belarus. The malware, identified as LeetAgent and Dante, was used to steal data and maintain persistence on compromised systems. Memento Labs, formed after InTheCyber Group acquired Hacking Team, presented its Dante spyware at a conference in 2023. The malware was used in attacks dating back to at least 2022. The attacks involved sophisticated techniques to ensure only targeted victims were compromised. The zero-day vulnerability (CVE-2025-2783) was discovered and reported to Google by researchers at Kaspersky Lab earlier in 2025. The exploit bypassed Chrome's sandbox protections by exploiting a logic vulnerability in Chrome caused by an obscure quirk in the Windows OS. The exploit used pseudo handles to disable sandbox functionality, allowing unauthorized access to privileged processes. The exploit represents a new class of vulnerabilities that could affect other applications and Windows services. The group known as Mem3nt0 mori, also referred to as ForumTroll APT, is linked to Operation ForumTroll. The attacks began in March 2025 with highly personalized phishing emails inviting victims to the Primakov Readings forum. The flaw in Chrome stemmed from a logical oversight in Windows' handling of pseudo handles, allowing attackers to execute code in Chrome's browser process. Google patched the issue in version 134.0.6998.177/.178. Firefox developers found a related issue in their browser, addressed as CVE-2025-2857. Kaspersky's researchers concluded that Mem3nt0 mori leveraged Dante-based components in the ForumTroll campaign, marking the first observed use of this commercial spyware in the wild. The discovery underscores ongoing risks from state-aligned and commercial surveillance vendors. Kaspersky urged security researchers to examine other software and Windows services for similar pseudo-handle vulnerabilities.

Open in new tab

AI Sidebar Spoofing Vulnerability in Atlas and Comet Browsers

Researchers from NeuralTrust have discovered a vulnerability in the OpenAI Atlas browser that allows for jailbreaking through the omnibox. This vulnerability can trick users into following malicious instructions, leading to potential data breaches and unauthorized actions. The attack works by disguising a prompt instruction as a URL, which is then treated as a trusted user intent. This can override user intent, trigger cross-domain actions, and bypass safety layers. The vulnerability affects the latest versions of the Atlas browser. Researchers demonstrated two realistic attack scenarios: a copy-link trap to phish credentials and destructive instructions to delete files. The attack requires only 'host' and 'storage' permissions, which are common for productivity tools. Users are advised to be cautious when using these browsers for sensitive activities and to restrict their use to non-sensitive tasks until further security measures are implemented. Earlier, researchers from SquareX discovered a similar vulnerability in OpenAI's Atlas and Perplexity's Comet browsers that allows for AI Sidebar Spoofing. This attack can trick users into following malicious instructions, leading to potential data breaches and unauthorized actions. The vulnerability affects the latest versions of both browsers and requires only 'host' and 'storage' permissions. Users are advised to be cautious and restrict the use of these browsers to non-sensitive activities.

Open in new tab