A campaign targeting hotels uses ClickFix to spread PureRAT malware, followed by phishing attempts against hotel customers that leverage details taken from the compromised accounts, Sekoia detailed in a report published Thursday.

The attacks aim to steal travelers' banking information through spoofed Booking.com pages, with real reservation details stolen from hotels used to convince victims of the sites' legitimacy.

The campaign, observed from April 2025 through early October 2025, begins with malicious emails sent to hotels that resemble legitimate customer requests relayed through Booking.com. Sekoia noted that some of the emails had their "From" headers altered to spoof Booking.com, while many others appeared to come from the compromised accounts of other legitimate companies.

Links in the emails directed victims to sites impersonating Booking.com, which displayed fake CAPTCHAs in a classic ClickFix social engineering attack. Victims were persuaded to copy and paste PowerShell commands, leading to the installation of a loader that ultimately deployed PureRAT.

The loader, a previously unobserved variant that Sekoia noted is similar to QuirkyLoader, is deployed via DLL sideloading and establishes persistence through a Run registry key. It then launches the legitimate Windows binary AddInProcess32.exe and loads the PureRAT assembly into its memory.

PureRAT is modular malware-as-a-service (MaaS) that provides extensive remote control capabilities, including mouse and keyboard control, remote command execution, file upload and download, keylogging, webcam and microphone capture, traffic proxying and data exfiltration, according to Sekoia.

Infecting hotel systems with PureRAT lets attackers steal customer contact and reservation information, as well as credentials for accounts such as Booking.com and Expedia, which can be leveraged to gather more information and to contact customers from a trusted account. Sekoia noted that attackers may use these details themselves or sell the data on cybercrime forums for others to use in follow-on phishing campaigns.

The attacks against hotel customers, which were reported to Sekoia through a partner organization, begin with emails or WhatsApp messages, with some emails sent from hotels' compromised Booking.com accounts. The messages include accurate details about the customer's reservation and claim that a security issue requires the victim to confirm their banking details to prevent the reservation from being canceled.

Links in these messages send victims to sites impersonating Booking.com, or Expedia in some of the observed cases, which display a form asking the customer to enter their banking details.

Sekoia found that one of the phishing sites was hosted at an IP address located in Russia belonging to an autonomous system called OPTIMA LLC. The researchers said abuse reports sent to the listed contact for this system went unanswered, suggesting the possible use of a bulletproof hosting service.

Attacks targeting booking platforms are widespread, with recent attacks abusing the Booking.com brand reported by Malwarebytes Labs and Microsoft. Sekoia's investigation of the cybercrime ecosystem, including forums such as Exploit.in, LolzTeam and WWHClub, uncovered extensive discussion of buying and selling Booking.com data, launching phishing campaigns impersonating the brand, and harvesting hotel data and contact information to facilitate such campaigns.

Hospitality organizations can avoid falling victim to campaigns such as this one through staff awareness of ClickFix social engineering and by detecting suspicious PowerShell executions, such as the creation of Run registry keys from PowerShell, Sekoia said. Anomalous AddInProcess32.exe behavior is also a strong indicator of compromise for PureRAT, Sekoia said.

Travelers should likewise be aware of Booking.com phishing and of the potential for trusted accounts and stolen reservation details to be used to spread phishing links.
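As an added illustration of the detection guidance above (example code written for this page, not Sekoia's or SC Media's), the Python below runs three checks over constructed Sysmon-style events: PowerShell launched from explorer.exe with a hidden or encoded command, as a ClickFix paste into the Run dialog would produce; PowerShell creating a Run registry value, seen both on the command line and as a Sysmon registry event; and AddInProcess32.exe started by an unexpected parent or by a binary in a user-writable directory. The event IDs are Sysmon's real ones; the file paths, the expected-parent list (devenv.exe) and the sample events are assumptions made for the example, not indicators from the campaign.

```python
"""Toy detection pass over Sysmon-style events for the PureRAT/ClickFix
signals described in the article. Every event and path below is constructed
for this example; none of it is telemetry from the campaign."""
import re

PROCESS_CREATE = 1   # Sysmon Event ID 1 (process creation)
REGISTRY_SET = 13    # Sysmon Event ID 13 (registry value set)

# Run / RunOnce autostart keys, matched inside a Sysmon TargetObject
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.IGNORECASE)
# PowerShell or reg.exe command lines that write an autostart value
PS_RUNKEY_CMD_RE = re.compile(
    r"(?:Set-ItemProperty|New-ItemProperty|\breg(?:\.exe)?\s+add)[\s\S]*CurrentVersion\\Run",
    re.IGNORECASE,
)
# ClickFix: the victim pastes into the Win+R dialog, so explorer.exe is the
# parent, and the pasted command usually hides its window or is base64-encoded
CLICKFIX_PARENTS = {"explorer.exe"}
PS_SUSPICIOUS_FLAGS_RE = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE
)
# Directories a sideloaded loader typically runs from
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)
# Assumption for this example: AddInProcess32.exe is only expected under
# Visual Studio (devenv.exe). Tune to what your own fleet actually shows.
EXPECTED_ADDIN_PARENTS = {"devenv.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the list of detection names that fire for one event."""
    alerts = []
    image = basename(event.get("Image", ""))
    if event["EventID"] == PROCESS_CREATE:
        parent_path = event.get("ParentImage", "")
        parent = basename(parent_path)
        cmd = event.get("CommandLine", "")
        if image in POWERSHELL:
            if parent in CLICKFIX_PARENTS and PS_SUSPICIOUS_FLAGS_RE.search(cmd):
                alerts.append("clickfix_powershell")
            if PS_RUNKEY_CMD_RE.search(cmd):
                alerts.append("powershell_runkey_cmdline")
        elif image == "addinprocess32.exe":
            if parent not in EXPECTED_ADDIN_PARENTS:
                alerts.append("addinprocess32_unexpected_parent")
            if USER_WRITABLE_RE.search(parent_path):
                alerts.append("addinprocess32_parent_in_user_writable_dir")
    elif event["EventID"] == REGISTRY_SET:
        if image in POWERSHELL and RUN_KEY_RE.search(event.get("TargetObject", "")):
            alerts.append("powershell_runkey_registry")
    return alerts


def run_detections(events):
    """Return [(index, alerts)] for every event that triggered a detection."""
    return [(i, a) for i, e in enumerate(events) if (a := detect(e))]


# Constructed sample events (not real telemetry); the base64 is a placeholder
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
LOADER = r"C:\Users\frontdesk\AppData\Roaming\Updater\Updater.exe"
EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''powershell.exe -NoProfile -Command "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name Updater -Value 'C:\Users\frontdesk\AppData\Roaming\Updater\Updater.exe'"'''},
    {"EventID": 13, "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Image": ADDIN, "ParentImage": LOADER, "CommandLine": "AddInProcess32.exe"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},  # benign
    {"EventID": 1, "Image": ADDIN,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "AddInProcess32.exe /guid:00000000-0000-0000-0000-000000000000"},  # benign
]

if __name__ == "__main__":
    for idx, alerts in run_detections(EVENTS):
        print(idx, basename(EVENTS[idx]["Image"]), alerts)
```

The first four sample events each fire one or more detections and the last two fire none; in practice the AddInProcess32.exe parent allow-list is the part that needs baselining per environment, since the binary is legitimately present on every machine with the .NET Framework.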
Travelers hit with phishing attacks from compromised hotel accounts