What happened
A large-scale phishing campaign has been uncovered targeting hospitality providers, leveraging a so-called “ClickFix” landing page to deliver the remote access trojan PureRAT (also known as zgRAT). Attackers compromised email accounts and sent spear‑phishing messages impersonating Booking.com, redirecting recipients to a fake verification page that led to malicious PowerShell commands, DLL sideloading, and eventual malware installation.
The campaign, which has been active since at least April 2025 and remains operational as of early October, specifically targets hotels across multiple countries.
Who is affected
The primary targets are hotels and hospitality organisations whose staff manage platforms such as Booking.com, Expedia, Airbnb, or Agoda. Email accounts belonging to hotel managers or administrators are being used to send malicious links.
Secondary victims include customers of those hotels; in some cases, the attacker uses the stolen credentials to initiate fraudulent booking verifications via email or WhatsApp, tricking guests into providing banking or card details.
Why CISOs should care
- The campaign shows advanced social‑engineering: the fake “ClickFix” pages include video, countdown timers, dynamic OS‑specific instructions, and clipboard‑hijacking to boost legitimacy and lower user suspicion.
- The threat vector isn’t purely application exposure or unpatched software; it boils down to credential compromise and post-access persistence (PureRAT supports keyboard/mouse capture, webcam/mic use, file upload/download, and remote execution).
- Many enterprises outsource or rely on third‑party platforms (like booking systems). Once credentials are obtained, threat actors can move laterally, stage fraud, or build a foothold that may persist undetected.
- As the campaign is active and evolving, organisations that assume standard phishing defences suffice may be caught off guard.
3 Practical Actions
- Tighten credential hygiene & monitoring.
  - Enforce MFA (multi‑factor authentication) for all accounts, especially extranet/booking system admin logins.
  - Monitor for unusual login locations, spikes in failed logins, or anomalous session activity.
  - Immediately review and deactivate any compromised email accounts used in outbound phishing.
- Simulate & train for realistic social‑engineering.
  - Run phishing simulation campaigns that mimic the style of the ClickFix‑type landing page (video, timer, urgent verification request).
  - Educate users that legitimate verification workflows will not redirect them to execute PowerShell commands or ask for card details via email/WhatsApp.
  - Reinforce that unexpected links, even from internal accounts, require verification.
- Harden endpoint and network resilience.
  - Ensure endpoints (especially guest‑WiFi‑connected laptops/devices) have EDR/NDR (endpoint/network detection & response) tuned for anomalous persistence (DLL sideloading, registry Run keys).
  - Segment the network so that systems handling booking/extranet are isolated from guest networks or general corporate access.
  - Use least-privileged credentials: avoid granting admin rights to users whose accounts manage booking systems.
  - Keep logs of remote access sessions, file uploads/downloads, and suspicious command‑execution chains.
