A highly targeted phishing campaign has been hitting hotel guests across Luxembourg. Originally flagged by the Computer Incident Response Center Luxembourg (CIRCL), this campaign stands out not because of advanced malware, but because of its impeccable contextual credibility . Threat actors aren't guessing targets; they are hitting actual hotel guests on WhatsApp with exact, legitimate booking details to steal credit card data. As part of a technical review into the infrastructure, we analyzed a recent Indicator of Compromise (IoC) linked to this campaign: [https://stay-hotel607923.com](https://stay-hotel607923.com) . Here is the deep dive into how this attack works, the infrastructure behind it, and how to track it. The Attack Workflow: Smishing with Context Most phishing campaigns rely on volume, hoping a small fraction of a massive email list bites. This campaign relies on precision. The Data Exposure: CIRCL assesses that the campaign's source data may originate from servi...
Reverse engineering for bug bounties is a thrilling adventure, often leading down rabbit holes of code and unexpected discoveries. My recent journey involved the Spotify installer, a quest to uncover a potential DLL hijacking vulnerability. This post will walk you through the process, the tools, the roadblocks, and the ultimate conclusions, highlighting key lessons learned along the way. Understanding DLL Hijacking: The Goal At its core, DLL (Dynamic Link Library) hijacking is a common vulnerability where an application attempts to load a legitimate DLL, but a malicious one is loaded instead. This often happens because applications search for DLLs in a specific order (e.g., current directory first, then system directories). If a malicious DLL with the expected name is placed in an earlier search path, the application loads it, allowing an attacker to execute arbitrary code within the application's context. Tools of the Trade Our investigation relied on a suite of powerful tools: G...