- ClickFix phishing campaign targets hotels and guests with PureRAT malware
- Attackers exploit compromised Booking.com accounts and sell stolen credentials on dark web forums
- Guests tricked into fake Booking/Expedia sites, losing login and payment card data
Hotels and their guests are being targeted by a highly sophisticated ClickFix campaign aiming to deliver dangerous malware, steal login credentials, and make fraudulent wire transactions, experts have warned.
Cybersecurity researchers Sekoia revealed the attackers would first use random, compromised email accounts to mail hotels and different Booking.com account holders with a phishing message. The link in the message triggers a redirection chain that ultimately leads to a fake reCAPTCHA challenge, designed to get the victims to download and install a remote access trojan called PureRAT.
The attackers are careful to make sure they’re targeting the right people, Sekoia explained. On dark web forums, such as LolzTeam, they purchase information about Booking.com establishment administrators and, in some scenarios, even offer a cut in exchange for valid contact information.
Stealing credit card data
“Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hospitality industry,” Sekoia’s researchers explained.
“Consequently, data harvested from these accounts has become a lucrative commodity, regularly offered for sale in illicit marketplaces.”
PureRAT is capable of all sorts of nasties – from granting remote access, to allowing attackers to control the mouse and the keyboard. It can also control the webcam and microphone to capture both sound and video, can log keystrokes, and upload/download additional files.
The attackers seem to be using it, however, to map out the hotel’s customers. Then, they start mailing them, as well as sending personalized WhatsApp messages, containing real reservation details to make the scams appear legitimate.
These messages also contain phishing links that redirect the victims to fake Booking or Expedia sites where, if the recipients log in, their credentials – as well as credit card information – is nabbed.
We don’t know how many hotels, or people, were compromised by this campaign, however Sekoia says it has been active since at least April 2025, and operational as of early October 2025.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
