{
	"id": "b1496914-d60e-4ad4-ab07-100a8f6eb826",
	"created_at": "2026-04-06T00:20:52.986284Z",
	"updated_at": "2026-04-10T03:21:14.247603Z",
	"deleted_at": null,
	"sha1_hash": "8672a91579c4a4046246ad0b72cd340cfb6ef026",
	"title": "Luxury Hotels Remain Major Target of Ongoing Social Engineering Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 374099,
	"plain_text": "Luxury Hotels Remain Major Target of Ongoing Social\r\nEngineering Attack\r\nArchived: 2026-04-05 17:59:37 UTC\r\nBy: Dylan Duncan\r\n85% of phishing emails from current campaign have come in the last 60 days; Hospitality Industry Still Very at\r\nRisk of Advanced Malware Capable of Ransomware Delivery\r\nCofense Intelligence has been tracking a well-crafted and innovative social engineering attack that targets the\r\nhospitality industry to deliver advanced information stealer malware. The campaign employs the use of\r\nreconnaissance emails and instant messages to bait hospitality email addresses into a response. Once a\r\nconversation has started, the threat actors follow up with a phishing email. This campaign uses social engineering\r\ntactics also recently seen during the MGM, Caesars and other luxury hotel resorts breaches.\r\nOverall, the campaign uses several tried-and-true methods to bypass email security infrastructure which puts\r\ntargets at risk of sophisticated information stealer malware like RedLine Stealer, Vidar Stealer, Stealc, and others,\r\nmost of which can deploy ransomware after successfully infecting a host.\r\nKey Points\r\nAs of September 22, 85% of the phishing emails seen by Cofense Intelligence have happened in the last 60\r\ndays, with September seeing a higher percentage than August. This highlights that this campaign is still\r\nactive and ongoing. See Figure 5 below for more details.\r\nThe campaign most commonly starts with a reconnaissance email (See Figure 1 and 2 below), also\r\nknown as a bait email. This is the process of a threat actor sending a non-malicious email used as a way of\r\nchecking to see if the address is live and responsive. 
Once the threat actor receives a response to the\r\nreconnaissance email, they will then follow up with a phishing email (See Figure 3 and 4 below).\r\nAs of now, the campaign only targets the hospitality sector, primarily targeting luxury hotel chains\r\nand resorts, and uses lures relative to that sector such as booking requests, reservation changes, and\r\nspecial requests. The lures for both the reconnaissance and phishing emails match accordingly and are well\r\nthought out.\r\nPhishing emails are successfully reaching intended targets due to several methods known to disrupt\r\nemail security analysis and secure email gateways (SEGs). These tactics include the use of trusted domains\r\nwithin the malicious URLs in the emails, password-protected archives, and executable files that are so\r\nlarge they can disrupt analysis.\r\nThe overall goal of the campaign is to infect employees and systems of hospitality organizations with\r\nadvanced information stealer malware. The malware varies but the most used in this campaign are Vidar\r\nStealer, RedLine Stealer, and Stealc.\r\nA High-Risk and Well-Crafted Social Engineering Attack \r\nhttps://cofense.com/blog/luxury-hotels-remain-target-of-social-engineering-attack/\r\nPage 1 of 7\n\nFrom the reconnaissance email, all the way to the malicious payload, this campaign and its infection chain are\r\nboth highly sophisticated and well thought out by the threat actors. As of this report, the campaign has only\r\ntargeted the hospitality sector. Threat actors start by sending a reconnaissance email or an instant message to a\r\nhotel, resort, or other hospitality service or employee’s email address. These emails, like the examples in Figure 1\r\nand Figure 2, do not contain any malicious content and are just used to test if an email account is live. This\r\nexample targeted a reservation email address suggesting they were a customer seeking a special medical request\r\nfor their reservation.  
\r\nFigure 1: Example 1 - \"Reconnaissance\" or \"Bait\" Email used in real phishing example. \r\nFigure 2: Example 2 - \"Reconnaissance\" or \"Bait\" Email used in real phishing example. \r\nOnce the threat actor received a response from the reservation email, they followed up the same day with a\r\nphishing email sent to the account. The phishing email, shown in Figure 3 and Figure 4, follows the same lure as\r\nused in the reconnaissance email. The phishing emails in this campaign start with an infection URL, hosted on a\r\ntrusted domain, which is used to download a password-protected archive that contains malicious files. This\r\nspecific example delivered the Vidar Stealer malware. \r\nFigure 3: Example 1 - Phishing Email that Followed the Reconnaissance Email. \r\nFigure 4: Example 2 - Phishing Email that Followed the Reconnaissance Email. \r\nThe emails disseminated by the threat actors behind this campaign all follow unique lures. The following shows a\r\nlist of lures used in this campaign, each one following the same pattern from the reconnaissance email to the\r\nphishing email. The lures all warrant some sort of response from the targeted hospitality organization and are most\r\nlikely very similar to what the employee is accustomed to seeing, such as a booking request or reservation\r\nchange. \r\nHospitality-Themed Phishing Emails \r\nA list of themes used in the social engineering attacks. \r\nBooking\r\nReservation Changes\r\nWedding Stays\r\nHotel Requests\r\nSpecial Accommodations\r\nSuccessfully Reaching Intended Targets \r\nThe attention to detail as well as the tactics, techniques, and procedures (TTPs) used in this campaign go way\r\nbeyond the average phishing campaign. 
By utilizing TTPs known to help emails bypass email security options like\r\nSEGs, the emails in this campaign are successfully reaching their intended targets. When the campaign uses a\r\nreconnaissance email, the email does not contain any malicious indicators, so it’s no surprise that those are getting\r\nthrough; however, the phishing emails and instant messages do pose a major threat to targets. Within the phishing\r\nemails, threat actors are hosting the malware on trusted domains like Google Drive, Dropbox, Discord app, and\r\nothers. The abuse of these legitimate sites to host malicious content is common in the phishing threat landscape,\r\nbut the threat actors also have additional tactics to disrupt analysis. \r\nThe infection URL downloads a password-protected archive that is relatively small but, for most of the emails we\r\nhave observed, contains a very large executable. The use of a password-protected archive also disrupts analysis, as not all\r\nsecurity infrastructure can analyze files with passwords. In addition, the large file size of the executables\r\n(~600MB to 1GB) can also disrupt analysis, since most sandboxes and other analysis tools are limited in the size\r\nof files that can be scanned. The success of these emails reaching intended targets can be attributed to these TTPs.\r\nFigure 5 below shows the volume of the phishing campaign by percentage of the total campaign volume. The\r\ncampaign has picked up heavily throughout the month of August and has continued at an alarming rate as we have\r\nentered September. \r\nFigure 5: Monthly Campaign Volume by Percentage up to September 22nd. \r\nFigure 6 below is a breakdown of the different domains abused in the campaign. Google Drive makes up more\r\nthan half of the emails we have seen. Dropbox and Discord app are the next most abused services in this campaign,\r\nmaking up a similar percentage. 
The remaining percentage is made up of 8% using the t.ly link shortener and 6%\r\n“other”, which is made up of various other services used to host the malware. \r\nFigure 6: Breakdown of Trusted Domains Abused as Infection URLs to Host Malware. \r\nThe infection URLs in the emails all deliver a password-protected archive. The type of archive does change; the\r\nthreat actors are primarily using ZIP, RAR, and 7-ZIP. As seen in Table 2, a password-protected ZIP archive is the\r\nmost common archive seen in this campaign. \r\nArchive Percentage of Emails\r\nZIP 49%\r\nRAR 32%\r\n7-ZIP 19%\r\nThe Final Infection – Advanced Information Stealer Malware\r\nThe overall goal of the campaign is to infect hospitality systems and/or employees with information stealer\r\nmalware. This is a generic malware type used to describe certain malware families. The most common form of\r\ninformation stealer malware generally does just that: steals information. This typically means that the malware\r\nsteals login information from various applications on the infected host, such as passwords stored in browsers. At a\r\nmore advanced level, some information stealers can deliver additional payloads once successfully planted on a\r\nhost. \r\nA total of five different information stealer malware families have been utilized in this campaign.\r\nLumma Stealer, also known as LummaC2, is a subscription-based information stealer that was first seen\r\nin 2022. It is written in C and has a wide array of capabilities. This malware is primarily used for stealing\r\ncryptocurrency wallets and sensitive information such as usernames and passwords. Lumma Stealer also\r\nhas the ability to deliver additional payloads.\r\nVidar Stealer is a well-known information stealer that was first seen in 2018 operating as malware-as-a-service. 
It is used for targeting a particularly wide variety of information, including downloaded or saved\r\nsites. The targeted information includes credit card, autofill, and password data stored in local programs\r\nand browsers. Vidar Stealer can act as a malware downloader to deliver additional payloads.\r\nRedLine Stealer, first seen in 2020, is probably the most well-known stealer on this list. It uses Simple\r\nObject Access Protocol (SOAP) for communication with its command-and-control center and can use a\r\nvariety of plugins. It’s used to collect information from various installed programs, including credentials\r\nstored in browsers and email applications, as well as cryptocurrency wallet data. RedLine Stealer is often\r\nassociated with sophisticated phishing campaigns that, after a successful infection, can deliver additional\r\npayloads like ransomware or more advanced malware. \r\nStealc is a relatively new malware family that was first seen in early 2023. It is known as a copycat\r\ninformation stealer because it has a suite of features that is ostensibly based on the Vidar, Raccoon, Mars, and\r\nRedLine stealers. By default, Stealc targets data in web browsers, browser extensions, cryptocurrency\r\napplications, and email messaging software.\r\nSpidey Bot is a less common information stealer first seen in 2019. It is designed to collect stored\r\npasswords and other data from a variety of distinct sources within infected environments. The targeted\r\ninformation can include VPN, internet browsers, email clients, gaming software, and cryptocurrency. \r\nSource: https://cofense.com/blog/luxury-hotels-remain-target-of-social-engineering-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cofense.com/blog/luxury-hotels-remain-target-of-social-engineering-attack/"
	],
	"report_names": [
		"luxury-hotels-remain-target-of-social-engineering-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8672a91579c4a4046246ad0b72cd340cfb6ef026.pdf",
		"text": "https://archive.orkl.eu/8672a91579c4a4046246ad0b72cd340cfb6ef026.txt",
		"img": "https://archive.orkl.eu/8672a91579c4a4046246ad0b72cd340cfb6ef026.jpg"
	}
}