Cybersecurity researchers have called attention to a large-scale phishing campaign targeting the hospitality industry that lures hotel managers to ClickFix-style pages and collects credentials by deploying malware such as PureRAT.
“The attacker’s modus operandi included using compromised email accounts to send malicious messages to multiple hotel properties,” Sequoia said. “This campaign utilizes spear-phishing emails impersonating Booking.com to redirect victims to malicious websites and employs ClickFix social engineering tactics to deploy PureRAT.”
The ultimate goal of this campaign is to steal credentials from compromised systems, granting threat actors unauthorized access to reservation platforms such as Booking.com and Expedia, and then sell them on cybercrime forums or use them to commit fraud by sending fraudulent emails to hotel customers.
This activity has been active since at least April 2025 and is assessed as active as of early October 2025. This is one of several campaigns in which targeted attacks have been observed, including a series of attacks documented by Microsoft in early March of this year.
In the latest wave analyzed by the French cybersecurity firm, email messages are sent from compromised email accounts, targeting multiple hotels across multiple countries, tricking recipients into clicking on a fake link, and triggering a redirect chain to a ClickFix page disguised as a reCAPTCHA challenge to “secure your connection.”
“When accessed, the URL redirects the user to a web page that hosts JavaScript with an asynchronous function that, after a short delay, checks to see if the page has been rendered inside an iframe,” Sekoia explained. “The purpose is to redirect the user to the same URL via HTTP.”
This allows the victim to copy and execute malicious PowerShell commands that collect system information and download a ZIP archive. This command includes the binaries that ultimately configure persistence and load PureRAT (also known as zgRAT) via DLL sideloading.
This modular malware supports a wide range of functionality, including remote access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload/download, traffic proxy, data exfiltration, and remote execution of commands and binaries. It is also protected by .NET Reactor to complicate reverse engineering, and persistence is also established on the host by creating a Run registry key.
Additionally, the campaign has been found to communicate legitimate reservation details to hotel customers via WhatsApp and email, while also instructing them to click on a link and verify their bank card details as part of the confirmation process to avoid cancellation of their reservation.
Unsuspecting users who click on the link are directed to a fake landing page that mimics Booking.com or Expedia, but is actually designed to steal card information.
The attackers behind this scheme are credited with obtaining information about Booking.com property managers from criminal forums such as LolzTeam, and in some cases offering payments based on a percentage of profits. The retrieved details are used for social engineering and infecting the system with infostealers or remote access trojans (RATs). This task is selectively delegated to troughers, dedicated experts in charge of malware distribution.
“Booking.com extranet accounts play a key role in fraudulent activities targeting the hospitality industry,” Sequoia said. “As a result, the data collected from these accounts has become a lucrative commodity and is regularly offered for sale on illicit markets.”
“The attackers exchange these accounts as authentication cookies or login/password pairs extracted from the infostealer’s logs, as this collected data typically originates from malware compromises on hotel managers’ systems.”
The company said it observed a Telegram bot purchasing Booking.com logs, as well as a threat actor named “moderator_booking” promoting Booking.com’s log purchasing service to retrieve logs related to Booking.com, Expedia, Airbnb, and Agoda. It claims that logs will be manually checked within 24-48 hours.
This is typically done using log checker tools, which are available on cybercrime forums for as low as $40. This tool authenticates compromised accounts through a proxy and verifies that the harvested credentials are still valid.
“The proliferation of cybercrime services supporting each stage of the Booking.com attack chain reflects the specialization of this fraud model,” Sequoia said. “By adopting an ‘as-a-service’ model, cybercriminals lower barriers to entry and maximize profits.”
The development comes as Push Security details updates to its ClickFix social engineering tactics. It becomes more persuasive to users by incorporating an embedded video, countdown timer, and counter for “authenticated users in the last hour,” and also includes instructions to increase the perception of trustworthiness and entice users to complete the check without thinking too much.
Another notable update is that the page can adjust itself to display instructions that match the victim’s operating system. Depending on the device you’re visiting from, Windows[ファイル名を指定して実行]You’ll be prompted to open a dialog or macOS Terminal app. Pages are also increasingly capable of automatically copying malicious code to a user’s clipboard, a technique known as clipboard hijacking.
“ClickFix pages are becoming increasingly sophisticated, increasing the likelihood that victims will fall for social engineering,” Push Security said. “ClickFix payloads are becoming more diverse and finding new ways to circumvent security controls.”
Source link
