- ClickFix Phishing Campaign Targets Hotels and Guests with PureRAT Malware
- Attackers exploit compromised Booking.com accounts, sell stolen credentials on dark web forums
- Guests were tricked into accessing fake Booking/Expedia sites, losing their login and payment card details.
Experts have warned that hotels and their guests are being targeted by a highly sophisticated ClickFix campaign that aims to deliver dangerous malware, steal login credentials and conduct fraudulent electronic transactions.
Cybersecurity researchers Sekoia revealed that the attackers would first use random, compromised email accounts to send phishing messages to hotels and different Booking.com account holders. The link in the message triggers a redirect chain that ultimately leads to a fake reCAPTCHA challenge, designed to get victims to download and install a remote access Trojan called PureRAT.
Attackers are careful to make sure they target the right people, Sekoia explained. On dark web forums such as LolzTeam, they purchase information about Booking.com property managers and, in some cases, even offer a commission in exchange for valid contact information.
Steal credit card data
“Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hotel industry,” Sekoia researchers explained.
“Consequently, data collected from these accounts has become a lucrative commodity regularly offered for sale in illicit markets.”
PureRAT is capable of all sorts of evil, from granting remote access to allowing attackers to control the mouse and keyboard. It can also control the webcam and microphone to capture sound and video, record keystrokes, and upload/download additional files.
However, the attackers appear to use it to locate hotel guests. Then they start mailing them, as well as sending personalized WhatsApp messages, which contain real booking details to make the scams look legitimate.
These messages also contain phishing links that redirect victims to fake Booking or Expedia sites where, if recipients log in, their credentials as well as their credit card information are stolen.
We do not know how many hotels or people were compromised by this campaign; however, Sekoia says it has been active since at least April 2025 and operational since early October 2025.




