Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Search Results: "booking.com"
Travel Phishing and Cyber Attacks are Surging in 2026, Growing 122% over the last 3 years: How Cybercriminals Are Targeting Travelers in 2026
The hospitality and travel sector experienced a dramatic surge in cyberattacks, with organizations facing an average of 2,291 weekly attacks in May 2026, representing a 24% year-over-year increase and a cumulative 122% rise since 2023. Cybercriminals registered 47,318 travel-related domains in May 2026 alone, with one in every 112 classified as malicious or suspicious. Three coordinated bulk-registration campaigns were identified, including sequential hotel-lure domains, American Express and Lloyds Travel Choice impersonations, and widespread Fora Travel brand abuse across 108 TLDs. Active phishing operations target major platforms including Booking.com, Airbnb, and Skyscanner through lookalike domains designed to harvest credentials and payment information. These attacks deliberately intensify during peak summer booking season when travelers are distracted and eager for deals, exploiting the industry's high volume of personal and financial data processing.
AlienVault OTX General | 06/15/2026, 14:53:05 UTC | Added: 06/15/2026, 17:15:21 UTC

Analyzing a Full ClickFix Attack Chain - Part 1
A sophisticated ClickFix campaign was detected in mid-March 2026, beginning with a malicious webpage impersonating Booking.com's visual identity with a fake CAPTCHA. The attack leverages social engineering to trick victims into executing a PowerShell command that downloads and runs a script directly in memory. The JavaScript code automatically copies malicious commands to the clipboard and intercepts copy events. Once executed, the PowerShell dropper performs system fingerprinting, downloads a ZIP payload from a remote server, deploys it to user directories, establishes persistence through registry keys and scheduled tasks, and executes the final payload. The campaign demonstrates well-structured code with fallback mechanisms and real-time telemetry via Telegram, suggesting the use of a ready-to-use attack kit.
AlienVault OTX General | 04/23/2026, 14:31:56 UTC | Added: 04/23/2026, 14:51:03 UTC

20th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: Booking.com, the Amsterdam-based travel platform, has confirmed a data breach after unauthorized parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking […]
Medium | Vulnerability | Check Point Research | 04/20/2026, 14:24:24 UTC | Added: 04/21/2026, 06:29:58 UTC

CVE-2026-1607: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in surbma Surbma | Booking.com Shortcode
The Surbma | Booking.com Shortcode WordPress plugin up to version 2.1 contains a stored cross-site scripting (XSS) vulnerability. This flaw arises from insufficient sanitization and escaping of user-supplied attributes in the 'surbma-bookingcom' shortcode. Authenticated users with contributor-level access or higher can inject malicious scripts that execute when other users view the affected pages. The vulnerability has a CVSS score of 6.4, indicating medium severity. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time.
CVE Database V5 | 04/14/2026, 03:37:32 UTC | Added: 04/14/2026, 04:01:53 UTC

Booking.com Says Hackers Accessed User Information
The online travel platform has not said how many customers’ booking information was exposed, but said the issue has been contained.
Medium | Vulnerability | SecurityWeek | 04/13/2026, 14:25:07 UTC | Added: 04/13/2026, 14:31:51 UTC

CVE-2024-49265: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in SPBooking.com Booking.com Banner Creator
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SPBooking.com Booking.com Banner Creator bookingcom-banner-creator. This issue affects Booking.com Banner Creator: from n/a through <= 1.4.6.
CVE Database V5 | 10/16/2024, 15:33:21 UTC | Added: 04/01/2026, 19:40:48 UTC

ClickFix Campaigns Targeting Windows and macOS
Insikt Group identified five distinct clusters using the ClickFix social engineering technique for initial access. These clusters impersonate various services like Intuit QuickBooks and Booking.com, demonstrating operational variance but similar core techniques. ClickFix manipulates victims into executing malicious commands within native system tools, bypassing traditional security controls. The methodology has become a standardized template for cybercriminals and APT groups. Campaigns target diverse sectors and use sophisticated obfuscation and living-off-the-land tactics. Defenders are advised to implement aggressive behavioral hardening and user awareness training to mitigate these threats.
AlienVault OTX General | 03/25/2026, 21:48:17 UTC | Added: 03/25/2026, 22:01:46 UTC

Threat Research: PHALT#BLYX: Fake BSODs and Trusted Build Tools
The PHALT#BLYX campaign targets the hospitality sector using sophisticated social engineering and advanced techniques. It begins with a phishing email mimicking a Booking.com reservation cancellation, leading victims to a fake website. Users are tricked into executing malicious PowerShell commands through a fake BSOD and click-fix social engineering tactic. The malware leverages MSBuild.exe to bypass defenses and deploys a customized DCRat payload. It establishes persistence, disables Windows Defender, and uses process hollowing to inject into legitimate processes. The campaign shows evolution from earlier, simpler methods and demonstrates a deep understanding of modern endpoint protection. Attribution points to Russian-speaking threat actors, given the presence of Cyrillic debug strings and the use of DCRat, a popular tool in Russian underground forums.
AlienVault OTX General | 01/09/2026, 09:47:05 UTC | Added: 01/09/2026, 10:11:53 UTC

CastleLoader Activity Clusters Target Multiple Industries
Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses phishing lures with the ClickFix technique to distribute CastleLoader. Another cluster, TAG-161, impersonates Booking.com and employs similar techniques. The analysis also uncovered potential links to the online persona "Sparja" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats.
AlienVault OTX General | 12/09/2025, 05:39:34 UTC | Added: 12/09/2025, 12:43:02 UTC

Thousands of Fake Hotel Domains Used in Massive Phishing Campaign
A Russian-speaking threat actor is conducting a large-scale phishing campaign targeting travelers by registering over 4,300 fake hotel and travel-related domains impersonating brands like Airbnb and Booking.com. The campaign uses sophisticated phishing sites with customized pages, fake CAPTCHA, and multilingual support to appear legitimate. Malicious emails redirect victims through multiple sites before landing on phishing pages designed to steal payment card data. The attacker continuously registers new domains with travel-related naming conventions, focusing on specific registrars. The phishing kit collects data in real-time and contains Russian language elements. This campaign poses a medium severity risk due to its scale, sophistication, and potential financial impact on victims. European organizations in the travel, hospitality, and financial sectors should be vigilant. Countries with high tourism and travel service usage, such as the UK, Germany, France, Spain, and Italy, are most likely to be affected. Mitigation requires targeted detection of phishing domains, enhanced email filtering, user awareness training focused on travel scams, and collaboration with domain registrars to disrupt domain registrations.
AlienVault OTX General | 11/11/2025, 18:26:17 UTC | Added: 11/11/2025, 18:31:29 UTC

Showing 1 to 10 of 15 results