{
	"id": "71c0089a-83b3-46e0-a659-9f533515bedd",
	"created_at": "2026-04-06T00:07:11.628547Z",
	"updated_at": "2026-04-10T03:32:21.315818Z",
	"deleted_at": null,
	"sha1_hash": "eb3d5540700ba477687d41226b6c3072a7e7d17c",
	"title": "Phishing Eager Travelers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 654675,
	"plain_text": "Phishing Eager Travelers\r\nBy Anna Chung, Swetha Balla\r\nPublished: 2021-09-15 · Archived: 2026-04-05 13:15:59 UTC\r\nExecutive Summary\r\nThreat actors have always been adept at keeping abreast of worldwide trends – ranging from geopolitical to\r\ntechnical – and rapidly exploiting these trends for their benefit. The current pandemic is no exception. Unit 42 has\r\npreviously reported on how cybercriminals have preyed on consumers during COVID-19 and on the use of\r\nCOVID-19 themed phishing attacks impersonating brands like Pfizer and BioNTech. This article provides early\r\nwarnings for the travel industry and global travelers by sharing information about various attack attempts targeting\r\nthe travel industry.\r\nAt the beginning of the pandemic, when people all over the world scrambled to get protective supplies – personal\r\nprotective equipment, sanitizer and toilet paper – threat actors tried to take advantage of supply issues by selling\r\nfake products. They also tried to trick people by purporting to be credible health organizations (such as the WHO)\r\nor pharmaceutical companies, all while the actual organizations and companies were trying to make sense of the\r\nvirus and come up with metrics, protective measures and vaccines.\r\nAlthough the pandemic is not over, as the world opens up borders and the vaccines slow down the spread of the\r\nvirus, people who have been cooped up at home are eager to travel. Threat actors are taking advantage of this\r\ntrend by using travel as a theme for phishing people and stealing data – account credentials, financial information\r\nand so on – subsequently selling this data in underground markets.\r\nHere, we first show that there has been a substantial increase in the registration of travel-related phishing URLs in\r\n2021. 
Second, we provide two real-life examples demonstrating attackers abusing the travel theme, including the\r\nDridex malware distribution and the abuse of Firebase in phishing campaigns. Third, we talk about how threat\r\nactors use various data that they steal. Finally, we conclude with a discussion of best practices for both individuals\r\nand organizations.\r\nPlease note that Palo Alto Networks Next-Generation Firewall customers are protected from phishing attacks with\r\nvarious security services, including Advanced URL Filtering and WildFire.\r\nIncrease in Travel-themed Phishing\r\nTo conduct social engineering, threat actors have always leveraged malicious domains and URLs impersonating\r\nknown brands and websites familiar to end users. The content served on these malicious domains or URLs is\r\ncrafted to mislead end users, since they look and feel very similar to brands that users know.\r\nAlternatively, threat actors also send phishing emails to end users to trick them into either downloading malicious\r\nattachments or clicking on links that lead to malicious content – website pages or attachments. Threat actors use\r\nhttps://unit42.paloaltonetworks.com/travel-themed-phishing/\r\nPage 1 of 11\n\nthemes that invoke a sense of urgency (such as outstanding invoices) or appeal to the end user emotionally (such\r\nas travel-themed emails sent as the world opens up).\r\nIncrease in the Number of Travel-themed Phishing URLs\r\nUnit 42 analyzed travel-themed phishing URLs created between October 2019 and August 2021. As seen in Figure\r\n1 below, there is a gradual upward trend in the registration of phishing URLs starting early 2021, with a\r\nsignificant increase in June 2021. Though the new phishing URLs did not continue to be registered at quite the\r\nfrenzied rate we saw in June, throughout the summer, threat actors created new travel-themed phishing URLs at a\r\nmuch higher level than at any time in 2020.\r\nFigure 1. 
Number of new travel-themed phishing URLs registered between October 2019 and\r\nAugust 2021.\r\nBased on the new phishing URLs that Unit 42 observed, in addition to the use of bespoke/new domains for\r\nserving the phishing URLs, threat actors also leveraged URL shorteners such as bit.ly and bit.do, and services\r\nsuch as Firebase that are hosted on Google Cloud Storage. Firebase is backed by Google and supports developers\r\nof mobile or web applications. Firebase includes cloud storage that enables developers to store and serve user-generated content. As Firebase leverages Google Cloud Storage, it is possible for phishing URLs to take\r\nadvantage of it to bypass email protections based on Google’s reputation.\r\nUnit 42 observed that not all the phishing URLs that threat actors leveraged were used for directed attacks or\r\ncampaigns; some of the URLs were used in malspam campaigns to host malicious content, such as Dridex.\r\nUse of Travel-themed Phishing URLs by Dridex\r\nDridex is mass-distribution malware that is typically sent through malspam. Dridex has been known as an\r\ninformation-stealing malware or banking trojan that targets Windows platforms and is distributed via malicious\r\nspam attachments impersonating legitimate companies.\r\nThe threat actor behind Dridex generally uses billing- or invoice-themed emails, a tactic used by most mass-distribution malware. The compromised or malicious URLs host the initial installer for Dridex to establish\r\nbackdoor access. The backdoor access established by Dridex is later used to distribute follow-up malware,\r\nincluding ransomware, if the initial infection is not discovered.\r\nThe domains associated with the compromised URLs leveraged by Dridex are usually legitimate but compromised\r\nwebsites. 
For most Dridex campaigns, these URLs are used for a single day before the campaign moves on to a\r\ndifferent URL.\r\nUnit 42 researchers have observed two types of malspam pushing Dridex in the past few months: (1) a phishing\r\nemail with an Excel spreadsheet attachment, and (2) a phishing email with a link to a message to download an\r\nExcel spreadsheet.\r\nFigure 2. Infection chain for phishing emails with an Excel spreadsheet attachment.\r\nFigure 3. Infection chain for phishing emails linked to a message to download an Excel spreadsheet.\r\nUnit 42 has published multiple articles over the past few years using the tag “Dridex.”\r\nFrom the newly registered phishing URLs, Unit 42 observed that a couple of phishing URLs with travel-related\r\nkeywords – “airlines” and “vacation” – were used by Dridex in 2021. These URLs are:\r\nanimalairlines[.]org/wp-content/plugins/wordpress-seo/inc/options/tk2xzwhphujenf.php\r\nsoleravacation[.]net/wp-content/plugins/mojo-marketplace-wp-plugin-is-broke/inc/cli/mxq6awnfhnmadd2.php\r\nTechnical Details About\r\nanimalairlines[.]org/wp-content/plugins/wordpress-seo/inc/options/tk2xzwhphujenf.php\r\nIn January 2021, there was a malspam campaign that comprised emails that used Dropbox links to call\r\nanimalairlines[.]org/wp-content/plugins/wordpress-seo/inc/options/tk2xzwhphujenf.php and download the\r\nmalware DLL to install Dridex.\r\nFigure 4. 
Example email associated with the campaign.\r\nThe SHA256 values associated with some of the samples identified by Unit42 researchers are:\r\nHash Filename\r\n2741a353c6d7bc69bf43aef709ead2d6f452e895561943b01ad5359561506092 Rep_598531.xls\r\n5134f99242ea705442aaf857d43c4e689cd117a64fe103353be7f8ec5fd165f4 Name unknown\r\n6846ae3db07fdc05aa310d157f9300bd7d26c33e5e81594dc89b70b47c73ee43 Name unknown\r\n80d50ab8fe6f880270a2d8c3646a2272efed3f7a68140afacb72317a2e0c42c7   Note_7706.xls\r\nb25edec6855cd5c3b74fa1a897d33978a227ccd039ac175c71521ec3655ebe10  Information_24837.xls\r\nf3c837323c135a7d7ed9d03f856c81463abb80174211117f4bda193a55f1b78e  Notification_30123.xls\r\nhttps://unit42.paloaltonetworks.com/travel-themed-phishing/\r\nPage 4 of 11\n\nA list of Dropbox URLs associated with this wave of malspam are:\r\nhxxps://www.dropbox[.]com/s/qmi112rc4ns75eb/Confidential_123.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/pfs4wf7a8mzxxkf/Notification%20%23591501.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/dz2b5ypqvoy7tpa/Reports%2078497.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/azswbhh7gmxouk2/Rep%20%231018.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/myz2ytmvd08vfl4/Invoice%20%2392899.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/66j21yxz64fwfg2/Documentation%20644.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/81pphar6s4e93vz/Detailed%20079.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/yryqu9i368uib62/Report_%23_301.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/1ds4kb2limantm5/Notification_836524.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/yo9cy2y1su23ga1/Rep%20%23621.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/zakw3n6nvxqoyav/Subconract%20415.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/7vgj2bvv3vnd8dj/Note%20%2383008.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/l1bl35aybsvu8wl/Notification_71823.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/myoyguvb1qhrwsk/Reports_6633.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/4xecieojug0y28l/Information%20714353.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/glyefet40tkve8u/Contract%2030964.xls?dl=1\r\nhxxps://w
ww.dropbox[.]com/s/6f1amba84r7sf4a/Inv%204529.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/8y95urd2as2eeu8/Inv%20%23147.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/9wj6fcxxw29sfcp/Contract_724269.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/qu6npuiok79zpeo/Inv_225.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/ckihhm4uaxfi5hs/Report_18392.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/ryyogkwdvwof8rs/Scan%20108.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/5jgm0ktunwiby10/Subconract_848.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/luee4b7upuo2kak/Rep%20%23226186.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/c6rqxbq9ydl2sd1/Reports%20%2348406.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/4jczljfya09ye2o/Notification_30123.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/f62i6djdmb4qm6b/Subconract_1541.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/cvrhnc9h6e9ny1y/Contract_%23_599848.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/5nz7l5ftiu48irm/Fax%20740.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/atagwpkwhmpmvi4/Detailed_%23_670.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/v0hmuvpunssgon3/Note%202365.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/9779leob93657a9/Invoice_%23_76493.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/agx2xx6bbpetdh7/Copy_%23_824.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/l3d6i2x6f2ui9pk/Notice%200118.xls?dl=1\r\nOnce Dropbox was provided Palo Alto Networks threat intelligence, it immediately disabled sharing of those links\r\nand disabled the associated account to prevent further threat actor activity.\r\nThe URL hxxp://go7wallet[.]com/app/plugins/cordova-plugin-statusbar/src/browser/HLn3obcR1vMJZNt.php was\r\nalso contacted as part of the campaign.\r\nTechnical Details About\r\nhttps://unit42.paloaltonetworks.com/travel-themed-phishing/\r\nPage 5 of 11\n\nsoleravacation[.]net/wp-content/plugins/mojo-marketplace-wp-plugin-is-broke/inc/cli/mxq6awnfhnmadd2.php\r\nIn February and March 2021, there was a malspam campaign that comprised emails with Excel attachments to 
call\r\nsoleravacation[.]net/wp-content/plugins/mojo-marketplace-wp-plugin-is-broke/inc/cli/mxq6awnfhnmadd2.php\r\nand subsequently download the malware DLL to install Dridex.\r\nThe SHA256 values associated with some of the samples identified by Unit 42 researchers are:\r\nHash Filename\r\n0edda7d9dfd825e5e69c1ae55e26adf6e7ade746492f48bff0c0cbcf4c924b84 Attach 05680.xlsm\r\n4dc9b2f11546e5bf8fb9901809a0707ff1e23acdc52742b991ddff18ce03733c Name unknown\r\nbc30505fbd196a16346fc37c84ff8db3491fadc7c1b25e35b92954d570699eac Name unknown\r\nbcaac658e2d7b0a51112b76f75ff678082300a12225ae9226274dbddd94a270c  Invoice 689160.xlsm\r\nc5c34cf419acecfbdb8c63fd603f11cbcf6ef84453bfe27a975f2295acb68be2 Attach 689160.xlsm\r\ne7cef58dba5c455b29b55d4d670449a69708ef17ed2866732177ea3e9fdbb69b Name unknown\r\nff5b57033bb5373fdebfe5efc84adcdd0bdddad382fa753b9c08483742401407 Name unknown\r\nOf note for this particular campaign, the malicious spreadsheets try to connect to five or more URLs to retrieve\r\nDridex, in addition to soleravacation[.]net/wp-content/plugins/mojo-marketplace-wp-plugin-is-broke/inc/cli/mxq6awnfhnmadd2.php.\r\nAbuse of Firebase by Threat Actors\r\nThreat actors have targeted multiple organizations within the travel industry and have used Firebase to host\r\nphishing pages to either target employees working in the travel industry or customers. Some of the organizations\r\nthat have been targeted by Firebase-hosted web applications include an online marketplace for vacation rentals,\r\nupscale hotel chains, resort management companies and airline companies such as Tui.\r\nAs mentioned above, Firebase is backed by Google and supports developers of mobile or web applications,\r\nallowing them to store content in Google Cloud Storage. Unit 42 observed attackers taking advantage of the\r\ninherent legitimacy of the Google Firebase domain to deceive targets and to bypass security filters that block\r\ndomains and files that are known to be malicious. 
Once Unit 42 notified Google, it immediately removed and\r\nblocked these phishing URLs to prevent further threat actor activity.\r\nA sample of phishing URLs hosted on Firebase includes:\r\nURL Purpose\r\nfirebasestorage[.]googleapis[.]com/v0/b/owambe-4ce77.appspot.com/o/arsenaldozens/index%20copy%202.html?alt=media%26token=bbb56e5d-96d2-4da7-a82f-e0bfed8d24c3%26email=creader@palaceresorts.com Targeting employees working in the travel industry.\r\nehdewbml[.]firebaseapp[.]com/01iofurjdor.html#iuser=corp@tui.ru Targeting employees working in the travel industry.\r\nHow Attackers Use the Data Gathered Through Phishing\r\nCybercriminals often want to monetize any “data” that they acquire through attacks, and data gathered about\r\ntravelers or organizations operating in the travel sector is no different. We have observed that threat actors\r\nmonetize data by selling stolen account credentials, stolen customer data or stolen payment information.\r\nDuring the pandemic, Unit 42 researchers noticed the supply for travel-themed services and products in\r\nunderground markets drastically decreased (see Figure 5), possibly due to the global travel restrictions. However,\r\nwe expect that both supply and demand will increase as the world reopens for travel.\r\nFigure 5. Travel-themed products and services listed in underground marketplaces, October 2019-\r\nMarch 2021. (Data for later months not available.)\r\nStolen Account Credentials\r\nThere are two main reasons criminals are attracted by data sets containing stolen usernames, emails and\r\npasswords. First, they give criminals access to victims’ mileage or hotel points, which can easily be resold for\r\nprofit. Second, the credentials can easily be used for compromising and taking over victims’ accounts on other\r\nplatforms, if the same credentials were used. 
With all the potential financial gains from stolen login credentials,\r\nthe strong demand in underground marketplaces encourages threat actors to actively acquire this data through\r\nsocial engineering, brute-forcing or exploiting vulnerable systems.\r\nStolen Customer Data\r\nOrganizations in the travel industry have access to a wealth of data, including personally identifiable information\r\n(PII), payment information and the contact information of customers. In the recent SITA passenger service system\r\nattack, 4.5 million global data subjects were compromised. While researchers attributed the attack to APT41, it\r\nwas observed that financially motivated criminals also showed interest in this data.\r\nThere are three possible ways cybercriminals can abuse this type of data.\r\n1. Identity theft: Using stolen individual information collected from website A to create new accounts on\r\nwebsite B. Because victims are not aware of these accounts on website B, they are less likely to be notified\r\nuntil later.\r\n2. Reconnaissance: Using the information for reconnaissance and setting the stage for spear phishing attacks.\r\n3. Resale of data: Data can easily be resold to other criminals, fraudsters or illicit marketing service\r\nproviders for further abuse.\r\nStolen Payment Information\r\nCybercriminals have been offering a “shadow travel agency” service for years. They reach out to individual\r\ntravelers through various social media or instant messaging platforms such as Telegram, providing flight\r\nbookings, hotel reservations, car rentals, car rides and sightseeing tours with heavily discounted prices. While\r\ntravelers transfer clean money to the “shadow travel agency,” the “shadow travel agency” pays the actual service\r\nproviders such as hotels or airlines with stolen payment information. 
Due to the time gap in payment processing,\r\nservice providers only realize they have been defrauded when they see the disputed card transactions or\r\nchargebacks weeks or months later.\r\nThere are three groups of victims in this scenario. The first victim group is the payment information owners and\r\nstolen credit card holders. The second victim group is the travelers who were unknowingly a part of the money\r\nlaundering process, giving cybercriminals opportunities to cash out the stolen payment information they\r\npreviously collected. Travel industry organizations are considered the third victim group; they are the most\r\nimpacted in this scheme. Not only did they fail to profit from the products and services they provided, but they\r\nalso had to cover the costs and chargeback penalties, as well as addressing the reputational impacts of the crime.\r\nFigure 6. Abuse of stolen payment information by threat actors.\r\nConclusion\r\nThe travel industry and international travelers have been long-term targets for cybercriminals, suffering financial\r\nand reputational damage. Threat actors not only sell fabricated information but also stolen information that they\r\ngather through phishing attacks. During the pandemic, we noticed that travel-themed products and services offered\r\nby cybercriminals in underground marketplaces decreased significantly, possibly due to low demand. However, as\r\ntravel resumes, we expect travelers and the travel industry to be targeted again due to the high profitability\r\nassociated with this data. 
Therefore, it is important to be aware of phishing campaigns.\r\nBest practices to protect yourself and your organization from phishing attacks include:\r\nFor individuals:\r\nExercise caution when clicking on any links or attachments contained in suspicious emails, especially those\r\nrelating to one’s account settings or personal information, or otherwise trying to convey a sense of urgency.\r\nVerify the sender’s address for any suspicious emails in your inbox.\r\nDouble-check the URL and security certificate of each website before inputting your login credentials.\r\nReport suspected phishing attempts.\r\nFor organizations:\r\nImplement security awareness training to improve employees’ ability to identify fraudulent emails.\r\nRegularly back up your organization’s data as a defense against ransomware attacks initiated via phishing\r\nemails.\r\nEnforce multi-factor authentication on all business-related logins as an added layer of security.\r\nPalo Alto Networks customers are protected by:\r\nAdvanced URL Filtering: Detects unknown, newly malicious URLs in milliseconds instead of minutes,\r\npreventing successful attacks.\r\nWildFire: All known samples are identified as malware.\r\nAutoFocus: Tracking related activity using the Dridex tag.\r\nAdditional Resources\r\nWorldwide Phishing Attacks Ramped Up at the Peak of Working From Home\r\nFake Websites Used in COVID-19 Themed Phishing Attacks, Impersonating Brands Like Pfizer and\r\nBioNTech\r\nCOVID-19: The Cybercrime Gold Rush of 2020\r\nStudying How Cybercriminals Prey on the COVID-19 Pandemic\r\nAcknowledgements\r\nSpecial thanks to Bradley Duncan, Lucas Hu, Zhanhao Chen and Bennett Woo for all the insightful data and\r\nexperience sharing.\r\nIndicators of 
Compromise\r\nURLs\r\nsoleravacation[.]net/wp-content/plugins/mojo-marketplace-wp-plugin-is-broke/inc/cli/mxq6awnfhnmadd2.php\r\nanimalairlines[.]org/wp-content/plugins/wordpress-seo/inc/options/tk2xzwhphujenf.php\r\nhxxp://go7wallet.com/app/plugins/cordova-plugin-statusbar/src/browser/HLn3obcR1vMJZNt.php\r\nhxxps://www.dropbox[.]com/s/qmi112rc4ns75eb/Confidential_123.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/pfs4wf7a8mzxxkf/Notification%20%23591501.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/dz2b5ypqvoy7tpa/Reports%2078497.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/azswbhh7gmxouk2/Rep%20%231018.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/myz2ytmvd08vfl4/Invoice%20%2392899.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/66j21yxz64fwfg2/Documentation%20644.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/81pphar6s4e93vz/Detailed%20079.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/yryqu9i368uib62/Report_%23_301.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/1ds4kb2limantm5/Notification_836524.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/yo9cy2y1su23ga1/Rep%20%23621.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/zakw3n6nvxqoyav/Subconract%20415.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/7vgj2bvv3vnd8dj/Note%20%2383008.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/l1bl35aybsvu8wl/Notification_71823.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/myoyguvb1qhrwsk/Reports_6633.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/4xecieojug0y28l/Information%20714353.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/glyefet40tkve8u/Contract%2030964.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/6f1amba84r7sf4a/Inv%204529.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/8y95urd2as2eeu8/Inv%20%23147.xls?dl=1\r\nhttps://unit42.paloaltonetworks.com/travel-themed-phishing/\r\nPage 10 of 
11\n\nhxxps://www.dropbox[.]com/s/9wj6fcxxw29sfcp/Contract_724269.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/qu6npuiok79zpeo/Inv_225.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/ckihhm4uaxfi5hs/Report_18392.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/ryyogkwdvwof8rs/Scan%20108.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/5jgm0ktunwiby10/Subconract_848.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/luee4b7upuo2kak/Rep%20%23226186.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/c6rqxbq9ydl2sd1/Reports%20%2348406.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/4jczljfya09ye2o/Notification_30123.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/f62i6djdmb4qm6b/Subconract_1541.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/cvrhnc9h6e9ny1y/Contract_%23_599848.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/5nz7l5ftiu48irm/Fax%20740.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/atagwpkwhmpmvi4/Detailed_%23_670.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/v0hmuvpunssgon3/Note%202365.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/9779leob93657a9/Invoice_%23_76493.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/agx2xx6bbpetdh7/Copy_%23_824.xls?dl=1\r\nhxxps://www.dropbox[.]com/s/l3d6i2x6f2ui9pk/Notice%200118.xls?dl=1\r\nSHA256 and Filenames\r\nHash Filename\r\n2741a353c6d7bc69bf43aef709ead2d6f452e895561943b01ad5359561506092 Rep_598531.xls\r\n5134f99242ea705442aaf857d43c4e689cd117a64fe103353be7f8ec5fd165f4 Name unknown\r\n6846ae3db07fdc05aa310d157f9300bd7d26c33e5e81594dc89b70b47c73ee43 Name unknown\r\n80d50ab8fe6f880270a2d8c3646a2272efed3f7a68140afacb72317a2e0c42c7   Note_7706.xls\r\nb25edec6855cd5c3b74fa1a897d33978a227ccd039ac175c71521ec3655ebe10  Information_24837.xls\r\nf3c837323c135a7d7ed9d03f856c81463abb80174211117f4bda193a55f1b78e  Notification_30123.xls\r\n0edda7d9dfd825e5e69c1ae55e26adf6e7ade746492f48bff0c0cbcf4c924b84 Attach 05680.xlsm\r\n4dc9b2f11546e5bf8fb9901809a0707ff1e23acdc52742b991ddff18ce03733c Name unknown\r\nbc30505fbd196a16346fc37c84ff8db3491fadc7c1b25e35b92954d570699eac Name 
unknown\r\nbcaac658e2d7b0a51112b76f75ff678082300a12225ae9226274dbddd94a270c  Invoice 689160.xlsm\r\nc5c34cf419acecfbdb8c63fd603f11cbcf6ef84453bfe27a975f2295acb68be2 Attach 689160.xlsm\r\nSource: https://unit42.paloaltonetworks.com/travel-themed-phishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/travel-themed-phishing/"
	],
	"report_names": [
		"travel-themed-phishing"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434031,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb3d5540700ba477687d41226b6c3072a7e7d17c.pdf",
		"text": "https://archive.orkl.eu/eb3d5540700ba477687d41226b6c3072a7e7d17c.txt",
		"img": "https://archive.orkl.eu/eb3d5540700ba477687d41226b6c3072a7e7d17c.jpg"
	}
}