Cybersecurity researchers have called attention to a massive phishing campaign targeting the hospitality industry. This campaign lures hotel managers to malicious ClickFix style pages and harvests their credentials by deploying malware like PureRAT.
Sekoia researchers stated that the attacker's method involved using a compromised email account to send malicious messages to multiple hotel establishments. This campaign leverages spear phishing emails that impersonate Booking.com to redirect victims to malicious websites, employing the ClickFix social engineering tactic to deploy PureRAT.
Threat Campaign Objectives
The campaign's ultimate goal is to steal credentials from compromised systems. These credentials grant threat actors unauthorized access to booking platforms like Booking.com or Expedia. The stolen data is then either sold on cybercrime forums or used to send fraudulent emails to hotel customers, facilitating financial fraud.
The activity is believed to be active since at least April 2025 and remained operational as of early October 2025. This is one of several campaigns observed targeting booking platform accounts, including a set of attacks documented by Microsoft earlier this March.
Infection Vector and Malware
In the latest wave analyzed by the French cybersecurity company, email messages are sent from a compromised account, targeting hotels across multiple countries. The emails trick recipients into clicking on bogus links that trigger a redirection chain to a ClickFix page. This page presents a supposed reCAPTCHA challenge designed to "ensure the security of your connection."
Sekoia explained that upon visiting, the URL redirects users to a web page hosting JavaScript. This code includes an asynchronous function that, after a brief delay, checks whether the page was displayed inside an iFrame. The objective is to redirect the user to the same URL, but over HTTP.
This ultimately causes the victim to copy and execute a malicious PowerShell command. This command gathers system information and downloads a ZIP archive. The archive, in turn, contains a binary that establishes persistence and loads PureRAT (also known as zgRAT) through DLL side loading.
The modular PureRAT malware supports a wide range of features. These include remote access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload/download, traffic proxying, data exfiltration, and remote execution of commands or binaries. To complicate reverse engineering, the malware is protected by .NET Reactor and establishes persistence on the host by creating a Run registry key.
Customer Fraud and Credential Trade
The campaign also features a secondary approach where threat actors contact hotel customers via WhatsApp or email using legitimate reservation details. They instruct the customers to click on a link as part of a verification process, asking them to confirm their banking card details to prevent their bookings from being canceled. Unsuspecting users who click are taken to a bogus landing page that mimics Booking.com or Expedia, which is designed to steal their card information.
It is assessed that the threat actors behind the scheme procure information about Booking.com administrators from criminal forums like LolzTeam, sometimes offering payment based on a percentage of the profit. The acquired details are then used to social engineer victims into infecting their systems with an infostealer or a remote access trojan (RAT). This task is selectively outsourced to traffers, who are specialists dedicated to malware distribution.
Sekoia noted that Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hospitality industry. Consequently, data harvested from these accounts has become a lucrative commodity, regularly offered for sale in illicit marketplaces. Attackers trade these accounts as authentication cookies or login and password pairs extracted from infostealer logs, given that this harvested data typically originates from malware compromise on hotel administrators' systems.
The company observed a Telegram bot used to buy Booking.com logs, as well as a threat actor named "moderator_booking" advertising a log purchase service that includes Booking.com, Expedia, Airbnb, and Agoda. They claim the logs are manually checked within 24 to 48 hours. This is typically accomplished by log checker tools, which are available for as low as $40 on cybercrime forums. These tools authenticate compromised accounts via proxies to ensure the harvested credentials are still valid. Sekoia concluded that the proliferation of cybercrime services supporting each step of the Booking.com attack chain reflects a professionalization of this fraud model. By adopting the "as-a-service" model, cybercriminals lower entry barriers and maximize profits.
The development coincides with Push Security detailing an update to the ClickFix social engineering tactic that makes it even more convincing to users. The update includes an
embedded video, a countdown timer, and a counter for "users verified in the last hour" along with the instructions. These elements increase the perceived authenticity and trick the user into completing the check without thinking too much. Another notable update is the page's ability to adapt itself to display instructions matching the victim's operating system, asking them to open the Windows Run dialog or the macOS Terminal app depending on the device they are visiting from. The pages are also increasingly equipped to automatically copy the malicious code to the user's clipboard, a technique called clipboard hijacking.
Push Security warned that ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering. They added that ClickFix payloads are becoming more varied and are finding new ways to evade security controls.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
