- A widespread phishing campaign is targeting hotel managers with ClickFix-style pages to steal credentials and deploy Malware.
- The malware involved, PureRAT, allows remote control over infected systems including data theft and surveillance.
- Attackers use compromised email accounts to send spear-phishing messages that mimic Booking.com and redirect victims to fraudulent sites.
- Malicious actors also contact hotel customers via WhatsApp or email using real reservation details to steal payment card information.
- A growing underground market sells stolen Booking.com accounts and uses automated tools to verify compromised credentials.
A large phishing campaign has targeted the hospitality sector since at least April 2025, using compromised email accounts to send malicious messages to multiple hotels worldwide. The attackers impersonate Booking.com in spear-phishing emails that redirect recipients to fake ClickFix-style web pages designed to harvest credentials and install malware.
The campaign deploys PureRAT, also known as zgRAT, a remote access trojan loaded through DLL side-loading. This malware enables extensive control over infected devices, including mouse and keyboard inputs, webcam and microphone recording, keylogging, file transfers, data exfiltration, and remote command execution. It also establishes persistence by adding registry keys and uses .NET Reactor for protection against reverse engineering.
Victims are tricked into following instructions on phishing pages that deploy a malicious PowerShell script. The script gathers system details and downloads an archive containing malware binaries. These pages often simulate reCAPTCHA challenges and adapt to the victim’s operating system, prompting them to open programs like the Windows Run dialog or macOS Terminal, sometimes copying malicious commands directly to the clipboard.
Beyond targeting hotel staff, attackers contact hotel customers via WhatsApp or email with legitimate reservation information. Customers are urged to verify their bookings by clicking links that lead to counterfeit Booking.com or Expedia sites aimed at stealing payment card data.
Threat actors obtain administrator details for Booking.com properties from criminal forums such as LolzTeam, sometimes offering payments based on profits. These credentials are sold in underground markets or used to send fraudulent emails. There are services advertised on platforms like Telegram offering access to Booking.com, Expedia, Airbnb, and Agoda account logs, which are manually checked using automated log checker tools costing as little as $40 to confirm credential validity.
According to Sekoia, the thriving cybercrime ecosystem and the use of Booking.com accounts as commodities have led to professionalization in this fraud model. Enhancements to the ClickFix social engineering tactic include embedded videos, countdown timers, user verification counters, and clipboard hijacking to increase effectiveness, as outlined by Push Security.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- BRICS Weighs Article 6 vs Independent Path for Carbon Markets
- Tesla Cybertruck Chief Exits Amid Recalls, Lawsuits, Slowing Sales
- Stablecoins Fail Inflation Test; Flatcoins Aim to Preserve Value
- Long-Term Bitcoin Holders Shift to ETFs, Diversify Crypto Portfolios
- Shiba Inu Faces Resistance, Long Road Ahead to $1 Target
