
An attack chain diagram for a typical sample in this campaign | Image: Cofense
According to Cofense Intelligence, a sophisticated and evolving phishing campaign is using spoofed Booking.com emails and fake CAPTCHA websites—a technique known as ClickFix—to deliver remote access trojans (RATs) and information stealers to hotel and travel industry victims.
The campaign, active since November 2024, has grown rapidly, peaking in March 2025, which alone accounted for 47% of its total activity. Cofense reports:
“These campaigns are notable for delivering a wide variety of remote access trojans (RATs) or information stealers via an embedded link to a fake CAPTCHA site that delivers a malicious script instead of a verification code.”
The attack tricks recipients into executing a PowerShell command disguised as a CAPTCHA verification. Known as ClickFix, this technique leverages Windows keyboard shortcuts to paste and execute scripts without requiring file downloads.
The email lures are carefully tailored to exploit the pressure and professionalism of hotel staff. Examples include:
- Vague “incident reports” directed to unnamed “partners”
- Fake guest complaints implying reputational damage and threatening 24-hour deadlines
- Fabricated booking confirmations with guest names and specific requests
These psychological manipulations urge recipients to click embedded links—redirecting them to ClickFix payloads.
“75% of all active threat reports (ATRs) with fake CAPTCHAs used Booking.com-spoofing ClickFix templates,” Cofense notes.
The malware delivered via these campaigns includes:
- XWorm RAT – The most common payload, seen in 53% of attacks
- Pure Logs Stealer – Present in 19% of samples
- DanaBot – Seen in 14%
- ConnectWise RAT – In select campaigns
Some samples deliver multiple payloads simultaneously. Cofense highlights: “11% of campaign ATRs were seen delivering both RATs and information stealers.”
These threats enable remote system access, credential theft, and data exfiltration across compromised endpoints.
ClickFix payloads use clever JavaScript to place a PowerShell script in the user’s clipboard, then instruct the victim to:
- Press Windows Key + R
- Press Ctrl + V (to paste the script)
- Hit Enter to execute
To make the script look innocuous, attackers append fake verification codes as comments at the end of the script. For example:
“When pasted into a Run command window… only the comment’s ‘verification code’ is visible,” explains Cofense.
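A triage heuristic for the pattern described above, as an added example that is not from Cofense or the original article: it flags Run-dialog history entries (values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, which carry a trailing `\1`) or process command lines that invoke PowerShell and end in a comment. The sample lines, the lure keyword list and the function names are constructed assumptions.

```python
import re

# Interpreter named in the article; pwsh is the PowerShell 7 binary name.
INTERPRETER = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
# Assumed lure wording, taken from the pretexts the article lists.
LURE = re.compile(r"(?i)verif|captcha|robot|cloudflare|cookie")


def trailing_comment(command):
    """Return the text after the first unquoted '#' token, or None."""
    quote = None
    for i, ch in enumerate(command):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "#" and (i == 0 or command[i - 1].isspace()):
            return command[i + 1:].strip()
    return None


def classify(command):
    """Return (verdict, comment) for one Run-dialog or process command line."""
    if command.endswith("\\1"):  # RunMRU values end with a literal \1
        command = command[:-2]
    comment = trailing_comment(command)
    if not INTERPRETER.search(command) or comment is None:
        return ("ok", None)
    # PowerShell plus a trailing comment is unusual for typed commands;
    # a comment that reads like a verification prompt matches the lure.
    verdict = "alert" if LURE.search(comment) else "review"
    return (verdict, comment)


# Constructed sample entries with benign script bodies, not captured data.
SAMPLES = [
    r'powershell -NoProfile -Command "Write-Output constructed-sample" # Verification ID: 4821\1',
    r'pwsh -Command "Get-Date" # nightly job\1',
    r'powershell.exe -File C:\Scripts\inventory.ps1\1',
    r'notepad "C:\notes\issue #42.txt"\1',
]

if __name__ == "__main__":
    for entry in SAMPLES:
        verdict, comment = classify(entry)
        print(f"{verdict:6} comment={comment!r}  {entry}")
```

The `review` tier exists because a trailing comment on a PowerShell one-liner is rare in typed commands even when its wording is not on the keyword list.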
While Booking.com-themed fake CAPTCHAs dominate, new variations have emerged:
- Cloudflare Turnstile-spoofing templates
- Cookie consent banner-themed ClickFix sites prompting script execution under the guise of “Accepting cookies”
These evolving tactics indicate that attackers are actively testing new pretexts to broaden their target base.
As attackers continue to innovate with ClickFix and RAT-laden phishing campaigns, the best defense is proactive user awareness and layered endpoint protections.