A highly targeted phishing campaign has been hitting hotel guests across Luxembourg. Originally flagged by the Computer Incident Response Center Luxembourg (CIRCL), this campaign stands out not because of advanced malware, but because of its impeccable contextual credibility . Threat actors aren't guessing targets; they are hitting actual hotel guests on WhatsApp with exact, legitimate booking details to steal credit card data. As part of a technical review into the infrastructure, we analyzed a recent Indicator of Compromise (IoC) linked to this campaign: [https://stay-hotel607923.com](https://stay-hotel607923.com) . Here is the deep dive into how this attack works, the infrastructure behind it, and how to track it. The Attack Workflow: Smishing with Context Most phishing campaigns rely on volume, hoping a small fraction of a massive email list bites. This campaign relies on precision. The Data Exposure: CIRCL assesses that the campaign's source data may originate from servi...
Our journey into dissecting the Spotify installer has been a series of interesting detours. After hitting a dead end trying to intercept the initial download traffic (thanks, QUIC encryption!), we knew it was time for a pivot. If the installer was "downloading," then by definition, it had to be writing data to our local disk. This led us to a different kind of hunt: a forensic examination of the installer's file system activities. The Pivot: From Network Packets to Filesystem Footprints The network analysis had revealed that SpotifySetup.exe made a successful DNS query for apresolve.spotify.com , which resolved to 35.186.224.24 . And while we saw it attempting both QUIC (HTTP/3) and traditional TCP/TLSv1.3 connections, the QUIC traffic remained an impenetrable "protected payload." Trying to build a QUIC proxy felt like a rabbit hole deeper than we wanted to go. So, the question became: If we can't see what it's downloading over the network, can we see ...