PureRAT Malware Campaign Targets Hotels and Guests via ClickFix Phishing
A sophisticated cybercrime operation has targeted the hospitality sector by compromising hotel systems through phishing emails that impersonate Booking.com communications. Attackers use the ClickFix social engineering technique to trick hotel staff into clicking malicious links or copying and pasting PowerShell commands, which results in the installation of PureRAT malware. Once installed, PureRAT provides attackers with full remote access to hotel systems, enabling them to steal professional login credentials for booking platforms and access sensitive guest reservation data. The campaign, active since April 2025, leverages both direct email phishing and drive-by downloads to infect hotel staff, with compromised hotel account access often sold on underground forums.
With access to genuine hotel Booking.com accounts, the attackers launch highly convincing phishing attacks against travelers, using stolen reservation and contact details to increase the credibility of their messages. Victims are contacted via WhatsApp or email and directed to spoofed Booking.com pages designed to harvest banking information. The PureRAT malware, delivered via a previously unobserved loader variant using DLL sideloading and persistence mechanisms like the Run registry key, enables a wide range of malicious activities, including keylogging, webcam and microphone capture, and data exfiltration. Security researchers have highlighted the organized nature of the operation and the use of malware-as-a-service infrastructure, underscoring the ongoing threat to both hotels and their guests.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Sekoia discloses campaign details and infrastructure findings
By November 2025, Sekoia publicly reported on the campaign, describing the ClickFix infection chain, the loader used to deliver PureRAT, and phishing infrastructure including at least one site hosted on a Russia-based IP in the OPTIMA LLC autonomous system. The report also highlighted criminal-market support for Booking.com-related phishing and stolen credentials.
Hotel-targeting phase observed through early October 2025
Researchers observed the initial hotel-focused phase of the campaign running from April 2025 through early October 2025. During this period, attackers continued compromising hospitality organizations and harvesting credentials for booking platforms.
Compromised hotel accounts used to phish travelers with real booking data
Using access to hotel systems and booking-platform accounts, attackers launched secondary phishing against travelers through email and sometimes WhatsApp. The messages used stolen real reservation details and spoofed Booking.com or Expedia payment pages to steal banking information and support fraud.
Attackers deploy loader and PureRAT on compromised hotel systems
After hotel staff executed the malicious commands, attackers installed a previously unobserved loader variant similar to QuirkyLoader, using DLL sideloading, a Run registry key for persistence, and in-memory loading via AddInProcess32.exe to deploy PureRAT. This established access to hotel systems and accounts for follow-on abuse.
ClickFix phishing campaign begins targeting hotel staff
A phishing campaign targeting the hospitality sector was active by at least April 2025, using emails impersonating Booking.com or messages sent from compromised legitimate accounts to lure hotel managers and staff. Victims were directed to ClickFix-style pages with fake CAPTCHAs that tricked them into running PowerShell commands.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
ClickFix may be the biggest security threat your family has never heard of
arstechnica.com
Open sourceLarge-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware
thehackernews.com
Open sourceClickFix Campaign Targets Hotels, Spurs Secondary Customer Attacks
darkreading.com
Open source“I Paid Twice” Scam Infects Booking.com Users with PureRAT via ClickFix
hackread.com
Open sourceTravelers hit with phishing attacks from compromised hotel accounts
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Booking.com ClickFix Phishing Campaign Delivers NetSupport RAT and zgRAT
Attackers are impersonating **Booking.com** pages in an ongoing **ClickFix** phishing campaign targeting the hospitality sector, tricking users into opening the Windows Run dialog and pasting attacker-supplied PowerShell that installs remote-access malware. Recent waves used Booking.com-branded lures such as `secure-extranet[.]com`, redirectors including `jskeowgo[.]com`, and additional phishing subdomains aimed at hotel staff, with some activity specifically targeting Italian-speaking users. Researchers observed multiple payload paths: one chain deployed **NetSupport RAT** through a large PowerShell stage that unpacked 14 base64-encoded components and then opened the legitimate Booking.com site to preserve the pretext, while another used staged loaders, ZIP delivery, and DLL sideloading via a legitimate `psl.exe` binary to install **zgRAT** and **PureHVNC**. The malware provided full remote-control capability, including shell access, file transfer, keylogging, screen capture, and webcam or audio access, and established persistence through mechanisms such as Startup-folder shortcuts and `HKCU\Run` keys like `SystemUpdate_<VID>`. Infrastructure linked to the activity included freshly registered domains obtained in batches through Chinese and Hong Kong registrars, rotating download servers, telemetry endpoints that tracked installation progress per victim, and command-and-control systems hosted across providers in Frankfurt, Russia-linked environments, and a likely bulletproof-hosting setup tied to a newly created autonomous system. Investigators also found OPSEC clues including an exposed RDP certificate leaking the hostname `WIN-FLJTJKL01VM`, a PDB path referencing `C:\Users\Administrator\Desktop\HTCTL32\`, and malware signed with a stolen `*.dodo.com` wildcard certificate, supporting clustering of the campaign as a financially motivated cybercrime operation using commodity RAT tooling.
May 25, 2026
ClickFix Social Engineering Attacks Targeting European Hospitality Sector
Suspected Russian cybercriminals have launched a sophisticated phishing campaign targeting the European hospitality industry, leveraging fake Windows Blue Screen of Death (BSOD) pages to distribute malware. The attack, tracked as "PHALT#BLYX" by Securonix researchers, begins with phishing emails impersonating popular booking platforms such as Booking.com, often using reservation cancellation lures with details in Euros to specifically target hotels, hostels, and inns in Europe. Victims are directed to high-fidelity cloned websites that mimic legitimate booking services, where they encounter fake error messages and BSOD screens designed to prompt them into executing malicious commands. The campaign employs the "ClickFix" technique, which manipulates users into manually running PowerShell or shell commands under the guise of resolving system errors. This process ultimately results in the installation of the DCRat malware, a remote access trojan capable of keylogging and other malicious activities. Technical indicators, including Russian-language debug strings and infrastructure geolocated to Russia, suggest a strong Russian connection. The campaign demonstrates a blend of social engineering and technical deception, exploiting human problem-solving instincts to compromise systems within the hospitality sector during its busiest season.
Mar 21, 2026
Phishing Campaigns Abuse Trusted Platforms and Tools to Deliver Remote Access Malware
Multiple reports describe **phishing-led malware delivery** that abuses trusted services and “living off the land” execution paths to evade controls and deploy remote access tooling. Cloudflare-tracked activity shows attackers using **Vercel-hosted** pages to lend legitimacy to malicious links and bypass email/security filtering, with lures themed around invoices, payments, shipping, and document portals; the infrastructure includes **Telegram-based filtering** and browser fingerprinting/conditional delivery to hinder researchers and sandboxes before serving payloads that install a **remote access tool (RAT)**. A separate campaign (tracked as **PHALT#BLYX**) targets hospitality staff with Booking[.]com-style reservation emails and uses a **fake browser error + fake BSOD** to coerce victims into running the **ClickFix** technique (Win+R paste/execute), launching PowerShell that pulls malicious project files and executes them via **`MSBuild.exe`** to deliver **DCRat**, consistent with **LOLBins**-based evasion; researchers noted Russian-language artifacts in the malware. Broader weekly/newsletter roundups also highlight the same risk theme—attackers increasingly blend social engineering with trusted infrastructure and tools—while mixing in unrelated items (e.g., firewall CVEs, general malware research links) that are not part of a single, specific incident narrative.
Apr 15, 2026