Sekoia.io
@sekoia.io
A #SOCplatform boosted by #AI and #threatintelligence, combining #SIEM, #SOAR, #Automation in a single solution. Used by End-users, MSSP and APIs
Our blog post provides an overview of the services facilitating this modus operandi and the market for infostealer logs tied to booking platforms, including underground activities around Booking[.]com data on Russian-speaking cybercrime forums.
November 6, 2025 at 10:27 AM
In this report, we analysed a widespread, persistent campaign distributing the PureRAT malware via the #ClickFix social engineering tactic and emails impersonating Booking[.]com.

We also detailed the fraud scheme targeting hotel customers.
November 6, 2025 at 10:27 AM
Attackers target hotel establishments to harvest credentials that grant access to booking platforms.

Those credentials are used to launch personalised fraud campaigns against hotel guests, impersonating billing services and tricking them into paying twice for their reservation.
November 6, 2025 at 10:27 AM
By correlating #Office365 events with Entra ID sign-in logs, we’ve mapped each bit in the UserAuthenticationMethod field to its corresponding authentication factor—Password Hash Sync, Windows Hello for Business, Passkeys, SMS sign-in, and more.
October 21, 2025 at 9:14 AM
🐻❄️ These exploitations led to the deployment of an undocumented TLS backdoor we dubbed the “PolarEdge Backdoor.”
🔬 This follow-up provides a detailed analysis of the backdoor, including the anti-analysis techniques it employs.
October 14, 2025 at 1:35 PM
🔙 In early 2025, we discovered the PolarEdge botnet through our honeypots.
🎯 This botnet has been active since at least November 2023 and exploits multiple vulnerabilities across a wide range of edge devices, notably Asus, QNAP, and Synology.
October 14, 2025 at 1:35 PM
🇪🇺 Target profiles: campaigns hit Belgian numbers (+32) heavily and also France, Sweden, Italy and beyond
🕸️ Infrastructure insights: tracking domains and IP clusters reveals a persistent, multi-regional smishing operation
October 2, 2025 at 1:56 PM
Key takeaways:

✉️ API exploitation: attackers leverage an exposed /cgi endpoint to push malicious SMS without authentication
🌐 Scale of exposure: over 18,000 routers accessible on the internet; 572 confirmed vulnerable
October 2, 2025 at 1:56 PM
This report complements @_CERT_UA’s findings and arms #SOC teams with fresh #IOCs, #YARA rules and detailed behavioural indicators. We thank our trusted partner for his time and insights into this subject.
September 16, 2025 at 12:59 PM
🛠️ The infection chain is sophisticated and highly likely to be reused in the coming years thanks to its robust design.
September 16, 2025 at 12:59 PM
🌐 As usual, APT28 uses legitimate third-party services in its execution chain, such as Koofr or icedrive, or more recently Filen.

🎯 The campaign’s goal is to gather cyber intelligence on frontline combatants by targeting administrative and logistics personnel.
September 16, 2025 at 12:59 PM
📃 APT28 distributed weaponised Office documents masquerading as Ukrainian military admin forms to harvest cyber-military intelligence.

🕷️ Attackers deploy a custom backdoor dubbed BeardShell using a modified Covenant Grunt stager.
September 16, 2025 at 12:59 PM
🇷🇺 The latest report from Sekoia Threat Detection & Research (TDR) team delves into a campaign by #APT28 identified by intelligence services as operated by #GRU. Key takeaways:
September 16, 2025 at 12:59 PM
Key findings & takeaways:

🗺️ Historic approach of CSV development and industrialisation

🎯 Techniques and infection chain process for commercial spyware

🧲 Tactical recommendations for detection, response & policy
September 2, 2025 at 9:55 AM
In this report, you’ll discover how spyware vendors deploy:

🛠️ Covert infection techniques & stealthy C2 infrastructures

🎯 0-day exploits and 0-click infection methods to evade defenses

🕵️ A broad range of strategies to continue their activity despite scandals
September 2, 2025 at 9:55 AM
💡 Curious how the full infection chain works? We have broken it all down for you here 😈👇

blog.sekoia.io/clickfake-in...
July 21, 2025 at 2:40 PM