Analysis byMaria Jasmine Policarpio

A new malspam campaign has been discovered delivering Aurora Stealer through inquiries targeting Hotel Companies. Aurora Stealer is an information-stealer with remote access capabilities. The email deceives its recipient by posing as a lost elderly person who is traveling alone and is seeking help in using navigation technology. Spammers aim to lure the recipient into clicking a suspicious link embedded in the email showing alleged photos of their current location and some used phony hotel inquiry threads to avoid suspicion. The email was sent using a free mail address, with the body of the mail containing a shortened filesharing link. Once clicked, it will redirect the recipient to download Aurora Stealer.










To prevent system infection, we recommend users refrain from opening unsolicited emails, especially those with unknown links and attachments. The spam is detected and blocked by Trend Micro email security solutions.

Related URLs:
_hxxp://bit[.]ly/Pawel-Tomala_Google-Maps = 79. Disease Vector
_hxxps://bit[.]ly/INFORMATIONME = 78. Malware Accomplice
_hxxp://bit[.]ly/Photo_MrSalvador_Farrels = 79. Disease Vector
_hxxp://bit[.]ly/Photo_MrSalvador_Farrels = 79. Disease Vector
_hxxps://cutt[.]ly/Google_Maps_Samantha-Anderson-Photos = 79. Disease Vector
_hxxp://bit[.]ly/photos-help = 78. Malware Accomplice
_hxxp://bit[.]ly/photos-help = 78. Malware Accomplice
_hxxp://bit[.]ly/photos-help = 78. Malware Accomplice
_hxxp://bit[.]ly/photos-help = 78. Malware Accomplice
_hxxp://bitly[.]ws/zniX = 79. Disease Vector
_hxxp://bit[.]ly/Screenshot_Maps = 79. Disease Vector
_hxxps://bit[.]ly/info_about_route = 78. Malware Accomplice
_hxxps://cutt[.]ly/o29Jg7q = 79. Disease Vector
_hxxps://bit[.]ly/PhotoMrSalvadorFarrels = 79. Disease Vector
_hxxps://bit[.]ly/DocumentSherikaChipp = 79. Disease Vector
 SPAM BLOCKING DATE / TIME: 27 de января de 2023 GMT-8
 TMASE
  • TMASE Engine: :
  • Patrón TMASE: :7412