Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware - The Hacker News

Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware Ravie LakshmananNov 10, 2025Malware / Cybercrime Cybersecurity researchers have called attention to a massive phishing campaign targeting the hospitality industry that lures hotel managers to ClickFix-style pages and harvest their credentials by deploying malware like PureRAT. "The attacker's modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments," Sekoia said. "This campaign leverages spear-phishing emails that impersonate Booking.com to redirect victims to malicious websites, employing the ClickFix social engineering tactic to deploy PureRAT." The end goal of the campaign is to steal credentials from compromised systems that grant threat actors unauthorized access to booking platforms like Booking.com or Expedia, which are then either sold on cybercrime forums or used to send fraudulent emails to hotel customers to conduct fraud. The activity is assessed to be active since at least April 2025 and operational as of early October 2025. It's one of the several campaigns that has been observed targeting booking platform accounts, including a set of attacks that was documented by Microsoft earlier this March. In the latest wave analyzed by the French cybersecurity company, emails messages are sent from a compromised email account to target several hotels across multiple countries, tricking recipients into clicking on bogus links that triggers a redirection chain to a ClickFix page with a supposed reCAPTCHA challenge to "ensure the security of your connection." "Upon visiting, the URL redirects users to a web page hosting a JavaScript with an asynchronous function that, after a brief delay, checks whether the page was displayed inside an iframe," Sekoia explained. "The objective is to redirect the user to the same URL but over HTTP." This causes the victim to copy and execute a malicious PowerShell command that gathers system information and downloads a ZIP archive, which, in turn, contains a binary that ultimately sets up persistence and loads PureRAT (aka zgRAT) by means of DLL side-loading. The modular malware supports a wide range of features, such as remote access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload/download, traffic proxying, data exfiltration, and remote execution of commands or binaries. It's also protected by .NET Reactor to complicate reverse engineering and also establishes persistence on the host by creating a Run registry key. Furthermore, the campaign has been found to approach hotel customers via WhatsApp or email with legitimate reservation details, while instructing them to click on a link as part of a verification process and confirm their banking card details in order to prevent their bookings from being canceled. Unsuspecting users who end up clicking on the link are taken to a bogus landing page that mimics Booking.com or Expedia, but, in reality, is designed to steal their card information.  It's assessed that the threat actors behind the scheme are procuring information about administrators of Booking.com establishments from criminal forums like LolzTeam, in some cases even offering a payment based on a percentage of the profit. The acquired details are then used to social engineer them into infecting their systems with an infostealer or remote access trojan (RAT). This task is selectively outsourced to traffers, who are dedicated specialists in charge of malware distribution. "Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hospitality industry," Sekoia said. "Consequently, data harvested from these accounts has become a lucrative commodity, regularly offered for sale in illicit marketplaces." "Attackers trade these accounts as authentication cookies or login/password pairs extracted from infostealer logs, given that this harvested data typically originates from malware compromise on hotel administrators' systems." The company said it observed a Telegram bot to buy Booking.com logs, as well as a threat actor named "moderator_booking" advertising a Booking log purchase service to obtain logs associated with Booking.com, Expedia, Airbnb, and Agoda. They claim the logs are manually checked within 24-48 hours. This is typically accomplished by means of log checker tools, available for as low as $40 on cybercrime forums, that authenticate compromised accounts via proxies to ensure that the harvested credentials are still valid. "The proliferation of cybercrime services supporting each step of the Booking.com attack chain reflects a professionalization of this fraud model," Sekoia said. "By adopting the 'as-a-service' model, cybercriminals lower entry barriers and maximise profits." The development comes as Push Security detailed an update to the ClickFix social engineering tactic that makes it even more convincing to users by including an embedded video, countdown timer, and a counter for "users verified in the last hour" along with the instructions to increase the perceived authenticity and trick the user into completing the check without thinking too much. Another notable update is that the page is capable of adapting itself to display instructions that match the victim's operating system, asking them to open the Windows Run dialog or the macOS Terminal app depending on the device they are visiting from. The pages are also increasingly equipped to automatically copy the malicious code to the user's clipboard, a technique called clipboard hijacking. "ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering," Push Security said. "ClickFix payloads are becoming more varied and are finding new ways to evade security controls." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Credential Theft, Cybercrime, cybersecurity, Infostealer, Malware, Phishing, Remote Access Trojan, social engineering, Threat Intelligence Trending News ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Load More ▼ Popular Resources 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Identity Controls Checklist: Find Missing Protections in Apps