{
	"id": "94e1428d-3833-4fd4-b966-87f8de212faf",
	"created_at": "2026-04-06T00:08:43.151044Z",
	"updated_at": "2026-04-10T03:33:45.940286Z",
	"deleted_at": null,
	"sha1_hash": "0f5242b03ee6c309641eae553230c529bd7589e4",
	"title": "Threat Actors Prey on Eager Travelers | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72034,
	"plain_text": "Threat Actors Prey on Eager Travelers | FortiGuard Labs\r\nPublished: 2022-06-02 · Archived: 2026-04-05 18:40:49 UTC\r\nSitting on a sunny beach full of sparkling sand. Exploring the jungle looking for exotic animals and plants. Diving\r\ninto a deep blue sea where sunlight has a difficult time reaching. Partying all night at clubs in a city you have\r\nnever been to. Holding hands with friends around a campfire singing Kumbaya. Eating warm food and drinking\r\ncoffee in a cave in a snowy mountain.\r\nThose are some of what recently seemed to be unattainable travel fantasies that many people around the globe\r\nhave been dreaming of since Covid-19 started to rapidly spread in early 2020. We’ve come a long way since then.\r\nToday, vaccinations and quarantining have led some governments to soften some of the regulations that have\r\nrestricted how we live our everyday lives. Such eased regulations include eliminating travel restrictions so tourists\r\ncan fill those delayed dreams.\r\nHowever, it’s essential for eager travelers to understand that malicious actors are just as eager to leverage that\r\nfeeling of liberty to deliver malware. This blog will provide a few examples of such attacks that FortiGuard Labs\r\nrecently discovered.\r\nAffected Platforms: Windows\r\nImpacted Parties: Windows users\r\nImpact: Controls victim’s device and collects sensitive information\r\nSeverity Level: Medium\r\nAdversaries Pushing Unsanitary Itineraries\r\nItineraries are one of the must-haves for most travelers. Without one, they won’t know when, how, and where to\r\ngo, where to stay, and when and how to come home. 
An itinerary can also provide details on how much time\r\ntravelers have at the destination so they can plan activities.\r\nAsyncRAT\r\nFortiGuard Labs recently discovered a malicious file called “itinerary.zip” that was hosted on dc5b-163-123-142-137[.]ngrok[.]io.\r\nInside the archive file is a file entitled, “Itinerary.pdf_____________________________________________.exe”,\r\nwhich is really an .exe file disguised as a PDF. Hiding an .exe extension behind a long series of underscores is a\r\nclassic trick that threat actors have used for decades. The fact it is still being used today indicates that the trick still\r\nhas some success. While we do not know how victims were directed to the file, it’s an easy guess that a travel-related email or website was used to lure the victims to the file’s location.\r\nRunning the .exe file installs AsyncRAT on the victim’s machine. AsyncRAT is an open-source Remote Access\r\nTrojan (RAT) written in .NET that has been used in a number of attacks. FortiGuard Labs has previously posted a\r\nblog on a spearphishing campaign that delivered AsyncRAT:\r\nSpear Phishing Campaign with New Techniques Aimed at Aviation Companies\r\nhttps://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers\r\nPage 1 of 6\n\nAsyncRAT provides remote access to attackers and allows them to remotely monitor and control a compromised\r\nmachine through a secure encrypted connection. The RAT’s features include keylogging, taking screenshots, and\r\nuploading and downloading files. This installed version of AsyncRAT connects to its C2 servers located at\r\n“znets[.]ddns[.]net” and “dnets[.]ddns[.]net”. 
In an attempt to further hinder analysis, this AsyncRAT variant uses\r\nmultiple .NET obfuscators such as Xenocode, Babel, Yano, DotNetPatcher, CryptoObfuscator, Dotfuscator,\r\nSmartAssembly, Goliath, NineRays, and 198 Protector V2.\r\nFurther investigation revealed that itinerary.zip was not the only file hosted on dc5b-163-123-142-137[.]ngrok[.]io. The files travel_details.iso, activities_and_dates.iso, and Itinerary.exe were also on the same\r\ndomain, and they also install AsyncRAT variants that connect to the same C2 servers.\r\nAn ISO file (often called an ISO image) is an archive file that contains the identical content (i.e. the folder and file\r\nhierarchy) of a physical disc such as a CD, DVD, or Blu-ray. ISO files used to require third-party software to\r\nopen. However, the file type is now supported natively in Windows, starting in Windows 8. Unfortunately, this\r\nprovides another infection method to the attackers. Furthermore, files delivered inside an .iso image avoid being tagged with the\r\nMark-of-the-Web (MOTW). MOTW forces saved webpages to run in the security zone of the location the page\r\nwas saved from as a security measure. Files that are tagged with MOTW also usually go through additional safety\r\nchecks, such as Microsoft Defender’s SmartScreen and various AV scanning engines. This variant of AsyncRAT\r\nhides itself inside the .iso file format to dodge that extra scanning, which is a known technique.\r\nOnce the ISO image is mounted (typically done by simply double-clicking it), the victim needs to manually run\r\nthe .exe file in the mounted ISO to get infected with AsyncRAT.\r\nAnother AsyncRAT sample, “Booking details.exe”, was observed in early February 2022. 
All of these samples\r\nhave travel-themed filenames, which is a clear indication that the attacker specifically targeted travelers.\r\nNetwire RAT\r\nNetwire RAT is another malware family being delivered via a travel-themed infection vector.\r\nFlight_Travel_Intinery_Details.js is a malicious file FortiGuard Labs recently came across. The fact that the file was\r\nhosted on an oft-abused Discord CDN, combined with the filename, leads us to surmise that the malicious\r\nJavaScript was likely distributed through a link in an email or an attached document file associated with travel.\r\nThe JavaScript (.js) file eventually drops Update.exe, which is a variant of Netwire RAT that connects to its C2\r\nserver at kingshakes1[.]linkpc[.]net. This C2 server appears to have been used by Netwire RAT since at least May 2021.\r\nNetwire RAT is a commodity Remote Access Trojan designed to work on Windows, OSX, and Linux.\r\nJust like AsyncRAT, Netwire RAT takes control of the compromised machine and performs malicious activities\r\nsuch as data exfiltration and reconnaissance.\r\nColombian Military Under Attack\r\nQuasar RAT\r\nAnother example of a travel-themed cyberattack arrived in what appears to be a spearphishing attack against a\r\nmilitary organization in Colombia.\r\nThe email has “Solicitud de Reserva para Mayo 2022” (English translation: “Reservation Request for May 2022”)\r\nas the email subject, with “RESERVA.ISO” as an attachment.\r\nThe message reads in English:\r\nGood afternoon,\r\nI hope you are well.\r\nI am [removed] from the Product Dept. of AMV Travel.\r\nI would like to request a reservation for 5 rooms in which we will be staying for a week. 
Please find attached the\r\ndetails of the reservation.\r\nThank you very much.\r\nI am waiting for your reply to continue.\r\nWhile an ISO file was also used in this attack, the payload is a different Remote Access Trojan, “Quasar RAT”.\r\nThe use of Quasar RAT is not surprising because this RAT has a history of being used for cyberespionage in a\r\nnumber of targeted attacks reported in blogs from various security vendors. One such example is in a blog,\r\n“Uncovering New Activity By APT10”, published by FortiGuard Labs in October 2019, where the APT10 threat\r\nactor group targeted government and private organizations with Quasar RAT. Because the malware is an open-source RAT and has been observed to have been widely used, CISA released “Analysis Report (AR18-352A)” on\r\nQuasar RAT in February 2019.\r\nQuasar RAT is an open-source commodity RAT. As such, it’s not a unique tool for threat actors to have in their\r\narsenal. The RAT is advertised to run on various versions of Windows OS (Windows 10, Windows 8/8.1,\r\nWindows 7, Windows Vista, Windows Server 2019, Windows Server 2016, Windows Server 2012 and Windows\r\nServer 2008). Older versions of Quasar RAT also work on older Windows OS versions. It supports features typical\r\nof Remote Access Trojans. These include:\r\nKeylogging\r\nPassword recovery/stealing from common Web browsers and FTP clients\r\nUpload/download \u0026 execute files\r\nCollect system information\r\nRemote desktop\r\nRegistry editor\r\nLike the AsyncRAT attack, the Quasar RAT ISO file gets mounted when the ISO file is double-clicked. 
The victim\r\nmust then manually run the malicious executable file “RESERVA.exe” to start the infection process.\r\nThe installed Quasar RAT connects to the C2 server at opensea-user-reward[.]serveusers[.]com (DDNS).\r\nFortinet’s telemetry, as well as OSINT, did not observe any connections to the DDNS over the past three months.\r\nThis could indicate that the attack was unsuccessful.\r\nInterestingly, FortiGuard Labs also discovered another Quasar RAT sample that shares the same resource section\r\nand the same C2 address. This sample was submitted from Hong Kong the day after the malware that was sent to a\r\nColombian military service became public. While no evidence could be gathered to connect the samples to a\r\nsingle threat actor, given the similarities in the samples, it is possible that the same attacker targeted an\r\norganization in Hong Kong.\r\nConclusion\r\nThe attacks described in this blog are not complicated. All that is needed is for the victim to manually run a plain\r\nexecutable file to get infected. What is unique is that for the past two years, most opportunities for travel\r\nand vacation were taken away due to COVID. 
And now that the liberty to travel is back, threat actors are\r\nexploiting the enthusiasm people have to get out and explore again.\r\nAlways practice cyber security hygiene, and bon voyage!\r\nFortinet Protections\r\nFortiGuard Labs has AV coverage in place for the malicious file samples in this report as:\r\nMSIL/VRN.WN!tr\r\nMSIL/Injector.VRI!tr\r\nMSIL/Kryptik.YVP!tr\r\nMSIL/Agent.CJR!tr\r\nJS/Agent.OOU!tr\r\nW32/VBKrypt.C!tr\r\nFortinet customers are also protected from this malware through FortiGuard’s Web Filtering, FortiMail,\r\nFortiClient, FortiEDR, and CDR (content disarm and reconstruction) services.\r\nIn addition to these protections, Fortinet has multiple solutions designed to help train users to understand and\r\ndetect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nWe also suggest that organizations have their end users go through our FREE NSE training: NSE 1 – Information\r\nSecurity Awareness. 
It includes a module on Internet threats that is designed to help end users learn how to\r\nidentify and protect themselves from various types of phishing attacks.\r\nIOCs\r\nFile IOCs\r\nAsyncRAT\r\n7e40ffe649eebe5a8f156f2051d670ccb1c2580b387190b60a928149c0db071e (travel_details.iso)\r\na1a82789bcd4b8f4400e2d3dcd723722c4528cb3a188ffb54d7e684fdb808792 (Travel_details.exe)\r\n981139ca1539c9db49c7e2cd2cfde1a463feec421a3f73d0cca9f880fbdb1919 (Itinerary.iso)\r\naada737aa6be290e37a9da366a195b83a7597fbce1ef427b829049df7684cdf1 (ITINERARY.PDF.EXE)\r\n98a8e1b3ff49c4b979127e2c02a04b41971fdb3d612c0d66e2e8a95f4f08a5e3 (activities_and_dates.iso)\r\n906ca464f50e99eb1478d81dffa3c64abfc6819ec93b991cf890d52f5cfb1143 (Activities_and_dates.exe)\r\nf49c2c23d606fd7779d900604d9b45b7329c4f6ee5fbafdf77fbdd2c2ab26445 (itinerary.zip)\r\naada737aa6be290e37a9da366a195b83a7597fbce1ef427b829049df7684cdf1 (Itinerary.pdf_____________________________________________.exe)\r\nffd561a46ec49ff9c232005dc95ea1e3315e02e497e55adbfcc9f31ac668353a (Booking details.exe)\r\nb899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb (Itinerary.exe)\r\nNetwire RAT\r\n5f4bbe855651ea0417c10f470c010eb86a8eae4ac3b1569bcfaaac4eab648c9f (Flight_Travel_Intinery_Details.js)\r\nQuasar RAT\r\n5f336cc401742fab95092241ba8a6ab721390a52646b105b721376169152f982\r\naf5b5409b49d74f90ce2ccd62d03b890c3dc2b22a44b6a5f35dfa18a40a198da\r\nc928d42edbb368f61da40e6f78e7bd223736ecc0ac988359af51d7b6b4299f03\r\nNetwork IOCs\r\nAsyncRAT\r\ndc5b-163-123-142-137[.]ngrok[.]io/itinerary.zip\r\ndc5b-163-123-142-137[.]ngrok[.]io/travel_details.iso\r\ndc5b-163-123-142-137[.]ngrok[.]io/Itinerary.exe\r\n33b4-163-123-142-137[.]ngrok[.]io/activities_and_dates.iso\r\nznets[.]ddns[.]net\r\ndnets[.]ddns[.]net\r\nNetwire RAT\r\nkingshakes1[.]linkpc[.]net\r\nQuasar RAT\r\nopensea-user-reward[.]serveusers[.]com\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers"
	],
	"report_names": [
		"threat-actors-prey-on-eager-travelers"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f5242b03ee6c309641eae553230c529bd7589e4.pdf",
		"text": "https://archive.orkl.eu/0f5242b03ee6c309641eae553230c529bd7589e4.txt",
		"img": "https://archive.orkl.eu/0f5242b03ee6c309641eae553230c529bd7589e4.jpg"
	}
}