Cybersecurity researchers have called attention to a massive phishing campaign targeting the hospitality industry that lures hotel managers to ClickFix-style pages and harvest their credentials by deploying malware like PureRAT.
"The attacker's modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments," Sekoia said. "This campaign leverages spear-phishing emails that impersonate Booking.com to redirect victims to malicious websites, employing the ClickFix social engineering tactic to deploy PureRAT."
The end goal of the campaign is to steal credentials from compromised systems that grant threat actors unauthorized access to booking platforms like Booking.com or Expedia, which are then either sold on cybercrime forums or used to send fraudulent emails to hotel customers to conduct fraud.
The activity is assessed to be active since at least April 2025 and operational as of early October 2025. It's one of the several campaigns that has been observed targeting, including a set of attacks that was documented by Microsoft earlier this March.
In the latest wave analyzed by the French cybersecurity company, emails messages are sent from a compromised email account to target several hotels across multiple countries, tricking recipients into clicking on bogus links that triggers a redirection chain to a ClickFix page with a supposed reCAPTCHA challenge to "ensure the security of your connection."
"Upon visiting, the URL redirects users to a web page hosting a JavaScript with an asynchronous function that, after a brief delay, checks whether the page was displayed inside an iframe," Sekoia explained. "The objective is to redirect the user to the same URL but over HTTP."
This causes the victim to copy and execute a malicious PowerShell command that gathers system information and downloads a ZIP archive, which, in turn, contains a binary that ultimately sets up persistence and loads PureRAT (aka zgRAT) by means of DLL side-loading.
The modular malware supports a wide range of features, such as remote access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload/download, traffic proxying, data exfiltration, and remote execution of commands or binaries. It's also protected by .NET Reactor to complicate reverse engineering and also establishes persistence on the host by creating a Run registry key.
Furthermore, the campaign has been found to approach hotel customers via WhatsApp or email with legitimate reservation details, while instructing them to click on a link as part of a verification process and confirm their banking card details in order to prevent their bookings from being canceled.
Unsuspecting users who end up clicking on the link are taken to a bogus landing page that mimics Booking.com or Expedia, but, in reality, is designed to steal their card information.
It's assessed that the threat actors behind the scheme are procuring information about administrators of Booking.com establishments from criminal forums like LolzTeam, in some cases even offering a payment based on a percentage of the profit. The acquired details are then used to social engineer them into infecting their systems with an infostealer or remote access trojan (RAT). This task is selectively outsourced to traffers, who are dedicated specialists in charge of malware distribution.
"Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hospitality industry," Sekoia said. "Consequently, data harvested from these accounts has become a lucrative commodity, regularly offered for sale in illicit marketplaces."
"Attackers trade these accounts as authentication cookies or login/password pairs extracted from infostealer logs, given that this harvested data typically originates from malware compromise on hotel administrators' systems."
The company said it observed a Telegram bot to buy Booking.com logs, as well as a threat actor named "moderator_booking" advertising a Booking log purchase service to obtain logs associated with Booking.com, Expedia, Airbnb, and Agoda. They claim the logs are manually checked within 24-48 hours.
This is typically accomplished by means of log checker tools, available for as low as $40 on cybercrime forums, that authenticate compromised accounts via proxies to ensure that the harvested credentials are still valid.
"The proliferation of cybercrime services supporting each step of the Booking.com attack chain reflects a professionalization of this fraud model," Sekoia said. "By adopting the 'as-a-service' model, cybercriminals lower entry barriers and maximise profits."
The development comes as Push Security detailed an update to the ClickFix social engineering tactic that makes it even more convincing to users by including an embedded video, countdown timer, and a counter for "users verified in the last hour" along with the instructions to increase the perceived authenticity and trick the user into completing the check without thinking too much.
Another notable update is that the page is capable of adapting itself to display instructions that match the victim's operating system, asking them to open the Windows Run dialog or the macOS Terminal app depending on the device they are visiting from. The pages are also increasingly equipped to automatically copy the malicious code to the user's clipboard, a technique called clipboard hijacking.
"ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering," Push Security said. "ClickFix payloads are becoming more varied and are finding new ways to evade security controls."
