Phishing Campaign Uses Fake Booking.com Emails to Deliver Malware

A widespread phishing campaign spoofing Booking.com has been observed targeting the hospitality industry with malicious emails that trick recipients into downloading malware, according to researchers at Cofense Intelligence.
These attacks use a deceptive CAPTCHA system known as ClickFix, which coaxes victims into running malicious scripts on their Windows devices.
Malware Surge Tied to Booking.com Spoofs
The campaign has been active since November 2024 and peaked in March 2025, a month that accounted for 47% of its total activity.
Emails impersonating Booking.com were sent requesting hotel staff to respond to guest issues or confirm reservations. Embedded in these messages was a link to a counterfeit CAPTCHA page that initiated a malware download.
ClickFix pages prompt users to complete “verification steps” that involve copying and executing a script through Windows shortcuts. These scripts typically install remote access Trojans (RATs) or information stealers.
According to Cofense Intelligence, most payloads are RATs, with 53% delivering XWorm RAT. Other common malware families include Pure Logs Stealer and DanaBot.
New Tactics Exploit User Trust
More recent phishing emails in this campaign included:
- Threats of reputational damage with urgent 24-hour deadlines
- Details about fabricated guest reservations requesting early check-in or specific amenities
- Fake confirmations urging staff to respond via a malicious link
Some versions have even mimicked cookie consent banners, where clicking “Accept” initiates a malware download.
Additionally, Cloudflare-style CAPTCHAs have been used, though they remain less common.
The malware targets only Windows users. ClickFix websites detect the browser’s User-Agent and warn users accessing the link from non-Windows systems that the site is incompatible. This ensures that only vulnerable platforms are exposed to the payload.
How ClickFix Works
ClickFix represents a shift in phishing methodology. Instead of downloading a file directly, the user unknowingly runs a malicious script themselves in a three-step process:
- The CAPTCHA page places a hidden script in the clipboard
- Victims are instructed to open the Windows Run command
- The script is pasted and executed, launching the malware
In some cases, the scripts disguise themselves further by ending in what appears to be a verification code, concealing the script’s true purpose.
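For defenders, the steps above leave a trace in the Run dialog history. The following is an added example, not code from Cofense or the original article: a Python triage pass that flags Run-dialog entries combining a script host with a trailing "verification" decoy. The sample entries are constructed with payloads elided, and the script-host list, the regexes, and the use of RunMRU-style entries (which carry a trailing \1 marker) as input are assumptions.

```python
import re

# Script hosts a Run-dialog entry rarely needs (assumed list, tune per estate).
# Matches the first token, with or without a quoted full path and ".exe".
SCRIPT_HOST = re.compile(
    r'^\s*"?(?:[\w:\\. ]*\\)?(powershell|pwsh|mshta|cmd|wscript|cscript)(?:\.exe)?\b',
    re.I)
# Tail that reads like a CAPTCHA confirmation followed by a code, as described above.
VERIFY_TAIL = re.compile(
    r'(verif\w*|captcha|not a robot|human)\W+[\w\s:#-]*$', re.I)

def normalize(entry: str) -> str:
    """RunMRU stores each command with a trailing '\\1' marker; drop it."""
    entry = entry.strip()
    return entry[:-2] if entry.endswith("\\1") else entry

def triage(entry: str) -> dict:
    """Score one Run-dialog entry; suspect only when both traits are present."""
    cmd = normalize(entry)
    host = SCRIPT_HOST.search(cmd)
    tail = VERIFY_TAIL.search(cmd[-120:])  # the decoy sits at the visible end
    return {
        "command": cmd,
        "script_host": host.group(1).lower() if host else None,
        "decoy_tail": tail.group(0).strip() if tail else None,
        "suspect": bool(host and tail),
    }

def suspects(entries):
    return [r for r in map(triage, entries) if r["suspect"]]

# Constructed sample entries (payloads elided on purpose), not campaign data.
SAMPLES = [
    r'powershell -c "<elided>" # Verification code: 48213\1',
    r'mshta <elided> # I am not a robot - reCAPTCHA ID 7731\1',
    r'cmd\1',
    r'\\fileserver\reception\rota.xlsx\1',
    r'notepad C:\Users\desk\verification-notes.txt\1',
]

if __name__ == "__main__":
    for r in suspects(SAMPLES):
        print(f'{r["script_host"]:<10} tail="{r["decoy_tail"]}"')
```

Requiring both traits keeps a bare `cmd` entry or a file whose name merely contains "verification" from being flagged.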
Cofense Intelligence notes that while 75% of these campaigns used Booking.com branding, variants spoofing Cloudflare and other services have been observed.
The campaign’s evolution and high success rate make it a growing concern for organizations in the accommodation and food services sector.