A sophisticated phishing campaign targeting hotels and their guests has emerged, deploying the dangerous PureRAT malware. The ClickFix operation has raised alarms among cybersecurity experts, who warn that both hotel staff and customers are at risk of losing sensitive information.
According to cybersecurity researchers from Sekoia, the ClickFix campaign initially involves hackers using compromised email accounts to send phishing messages to hotels and Booking.com users. These messages contain links leading to a deceptive website that mimics a legitimate reCAPTCHA challenge. Once victims engage with this site, they inadvertently download the remote access trojan known as PureRAT.
Malicious Tactics and Dark Web Connections
The attackers demonstrate a calculated approach by targeting specific individuals. They purchase data about Booking.com hotel administrators from dark web forums, such as LolzTeam, sometimes offering a financial incentive for valid contact information. The information obtained from Booking.com accounts is particularly valuable, as it plays a crucial role in fraudulent schemes within the hospitality sector.
“Data harvested from these accounts has become a lucrative commodity, regularly offered for sale in illicit marketplaces,” researchers from Sekoia noted. The malware itself allows attackers extensive control, including the ability to access webcams and microphones, log keystrokes, and manipulate files.
The ClickFix campaign appears to focus on mapping hotel customers. Once they gather sufficient information, the attackers send personalized emails and WhatsApp messages to customers, often referencing real reservation details to lend credibility to their scams. These communications also contain phishing links, which, when clicked, lead victims to counterfeit Booking or Expedia sites. If users enter their login credentials, both their account details and credit card information are at risk.
Ongoing Threats and Precautionary Measures
As of early October 2025, the ClickFix campaign has been operational since at least April 2025. While the full extent of the attack remains unclear, the potential for widespread compromise among hotels and guests is significant. Cybersecurity experts urge both the hospitality industry and consumers to remain vigilant against these types of cyber threats.
The situation highlights the need for robust cybersecurity measures in the hospitality sector. Hotels and their guests must prioritize security practices, such as enabling two-factor authentication and regularly updating passwords. Additionally, educating staff about recognizing phishing attempts can help mitigate risks.
As the ClickFix campaign continues to evolve, staying informed about the latest cybersecurity threats is essential for both businesses and individuals.
