Hackers Use ClickFix to Steal Data from Hospitality Firms via Booking.com Scam

A new phishing campaign using a social engineering technique dubbed ‘ClickFix’ is impersonating Booking.com to infiltrate hospitality businesses and deploy multiple types of infostealing malware. This cyber threat, first identified in December 2024, has been linked to the advanced persistent threat (APT) group known as Storm-1865, according to Microsoft Threat Intelligence.

Targeting the Hospitality Industry

Cybercriminals behind this campaign are focusing on hospitality firms in North America, Oceania, South and Southeast Asia, and Europe. By leveraging the credibility of Booking.com, attackers aim to deceive employees into executing malicious commands, leading to malware infections.

The technique, known as ClickFix, involves fake error messages that prompt users to copy and run specific commands. This social engineering tactic exploits the human tendency to resolve issues independently rather than contacting IT support. Because the infection process is user-initiated, many security solutions fail to detect the attack in time.

How ClickFix Works

The attack typically begins with a phishing email that appears to come from Booking.com. These emails vary in content, often citing urgent matters such as negative guest reviews, account verification requests, promotional offers, or inquiries from potential customers.

Inside the email, victims find either a direct link or a PDF attachment that appears to lead to Booking.com. However, clicking the link redirects users to a counterfeit Booking.com webpage displaying a CAPTCHA dialog box. This box overlays a blurred version of the fake site to enhance authenticity.

To proceed, the user is instructed to use a keyboard shortcut to open the Windows Run command window, paste a command copied from the clipboard, and execute it. Once launched, the command uses the mshta.exe utility to download and execute malicious scripts, infecting the system with malware.
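The chain just described (Run dialog, so explorer.exe is the parent, then mshta.exe with a remote URL, then a script host spawned by mshta.exe) is what endpoint telemetry can key on. The following is an added example, not code from the article or from Microsoft: a small scorer run over constructed Sysmon Event ID 1 style process-creation records. The records, process IDs, user names and the example.com URL are all made up for illustration; the field names follow Sysmon's, and the score weights are an assumption to tune against your own baseline.

```python
import json
import re

# Constructed Sysmon Event ID 1 (process creation) records as JSON lines.
# Illustrative samples only, not telemetry from the campaign; the URL uses
# the reserved example.com domain as a placeholder.
SAMPLE_EVENTS = r"""
{"EventId": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta https://example.com/captcha/verify.hta", "User": "HOTEL\\frontdesk"}
{"EventId": 1, "ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "powershell -w hidden -ep bypass -enc AAAA", "User": "HOTEL\\frontdesk"}
{"EventId": 1, "ProcessId": 5002, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe checklist.txt", "User": "HOTEL\\frontdesk"}
{"EventId": 1, "ProcessId": 5310, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\VendorApp\\setup.exe", "CommandLine": "mshta.exe C:\\Program Files\\VendorApp\\ui\\wizard.hta", "User": "HOTEL\\admin"}
"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Script hosts and LOLBins that mshta.exe should not normally be spawning.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event.

    Weights are an assumption for this example: a remote URL on the mshta
    command line and an explorer.exe parent together reach the threshold,
    and any script host with mshta.exe as its parent does so on its own.
    """
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    score, reasons = 0, []

    if image == "mshta.exe":
        score += 2
        reasons.append("mshta.exe process creation")
        if URL_RE.search(cmd):
            score += 3
            reasons.append("mshta.exe given a remote URL instead of a local .hta")
        if parent == "explorer.exe":
            score += 2
            reasons.append("parent is explorer.exe, consistent with the Run dialog")

    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        score += 5
        reasons.append(f"{image} spawned by mshta.exe")

    return score, reasons


def parse_events(jsonl):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events, threshold=5):
    """Return one alert dict per event whose score meets the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"ProcessId": ev.get("ProcessId"),
                           "User": ev.get("User"),
                           "score": score,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[score {alert['score']}] pid={alert['ProcessId']} user={alert['User']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the constructed sample the mshta.exe launch from explorer.exe with a URL and the hidden PowerShell child both alert, while notepad.exe and a vendor installer running a local .hta stay below the threshold. In a real deployment the same logic maps onto an EDR or SIEM rule; the point is that the parent/child relationship and the remote URL are the durable signals, not the specific lure text.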

Malware Deployed in ClickFix Attacks

This phishing campaign distributes a variety of malware families, each designed to steal financial data and login credentials. The identified malware strains include:

  • XWorm – A powerful remote access trojan (RAT) capable of keylogging and data theft.

  • Lumma Stealer – Specializes in extracting stored passwords and browser data.

  • VenomRAT – Grants attackers remote control over infected systems.

  • AsyncRAT – A stealthy trojan used for espionage and credential theft.

  • Danabot – A banking trojan that steals financial data and enables fraudulent transactions.

  • NetSupport RAT – A remote access tool often used for surveillance and further exploitation.

In some cases, additional payloads such as PowerShell scripts, JavaScript files, and portable executable (PE) files are downloaded, increasing the range of potential attacks.


Evolution of Storm-1865’s Attack Methods

Storm-1865 has a history of using social engineering to target hotel guests and staff. Microsoft researchers note that the addition of ClickFix to their attack tactics represents an evolution in their phishing strategies, allowing them to evade traditional cybersecurity measures.

Unlike conventional phishing attacks that rely on malicious attachments or obvious fake login pages, ClickFix manipulates victims into infecting themselves. This method bypasses security controls that typically block automated malware execution.

Mitigating the Threat of ClickFix Phishing

Given the sophisticated nature of this attack, hospitality firms must adopt a multi-layered approach to cybersecurity. Recommended protective measures include:

  1. Employee Awareness Training – Staff should be educated about phishing tactics and the risks of executing unknown commands.

  2. Email Security Solutions – Implement advanced email filtering to detect and block phishing emails.

  3. Endpoint Detection and Response (EDR) – Deploy security tools that can recognize suspicious activity, such as unauthorized script execution.

  4. Restricted Privileges – Limit user access to administrative functions and the ability to execute scripts.

  5. Incident Response Plans – Establish protocols for responding to suspected phishing incidents.
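The "Email Security Solutions" item above, together with the lure described under "How ClickFix Works" (a message that appears to come from Booking.com, carrying a link or PDF that appears to lead to Booking.com), suggests one concrete filter check. The following is an added example, not code from the article or from any vendor: it parses a constructed message and flags a brand name in the display name whose sender domain is not the brand's, links whose host merely contains the brand name, and URLs embedded in an attachment. The message, its hosts (all on the reserved .example TLD) and the assumption that booking.com and its subdomains are the only legitimate domains are all made up for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the brand legitimately sends from and links
# to booking.com and its subdomains only. A production filter would load a
# maintained allow-list instead of hard-coding one.
TRUSTED_DOMAINS = ("booking.com",)
BRAND_TOKENS = ("booking",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample message; the PDF part is a text stub, not a real PDF.
RAW_EMAIL = b"""\
From: "Booking.com Partner Support" <support@booking-partners.example>
To: frontdesk@hotel.example
Subject: Urgent: negative guest review requires your response
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>A guest left a 1-star review. Respond within 24 hours at
<a href="https://admin.booking.com-verify.example/review">Booking.com Extranet</a>.</p>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="review-12345.pdf"

%PDF-1.4 (constructed stub, not a real PDF)
/URI (https://booking.com.review-center.example/open)
--b1--
"""


def is_trusted(host):
    """True only for the trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def mentions_brand(text):
    return any(token in (text or "").lower() for token in BRAND_TOKENS)


def check_sender(msg):
    """Brand name in the display name but the address is not on a trusted domain."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if mentions_brand(name) and not is_trusted(domain):
        return [("sender", f"display name {name!r} but sender domain {domain!r}")]
    return []


def lookalike_hosts(text):
    """Hosts of URLs in text that contain the brand name but are not trusted."""
    found = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if mentions_brand(host) and not is_trusted(host):
            found.append(host)
    return found


def check_links(msg):
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return [("link", f"lookalike link host {h!r}") for h in lookalike_hosts(text)]


def check_attachments(msg):
    """Scan attachment bytes for the same lookalike hosts as the body."""
    findings = []
    for part in msg.iter_attachments():
        raw = part.get_payload(decode=True) or b""
        text = raw.decode("latin-1", errors="replace")
        name = part.get_filename() or "<unnamed>"
        for host in lookalike_hosts(text):
            findings.append(("attachment", f"{name} links to lookalike host {host!r}"))
    return findings


def analyze(raw_bytes):
    """Return a list of (category, detail) findings for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return check_sender(msg) + check_links(msg) + check_attachments(msg)


if __name__ == "__main__":
    for category, detail in analyze(RAW_EMAIL):
        print(f"{category:>10}: {detail}")
```

The subdomain check matters: `admin.booking.com-verify.example` contains the string `booking.com` yet is not a subdomain of it, which is exactly the kind of host a "looks like Booking.com" link relies on. A filter that only searched for the brand string would pass it; one that tests the registrable domain does not.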

Conclusion

The ClickFix phishing scam demonstrates how cybercriminals continuously adapt their tactics to bypass security defenses. By masquerading as Booking.com and tricking users into executing malicious commands, Storm-1865 effectively gains access to sensitive financial data and credentials.

Organizations in the hospitality sector must remain vigilant, implementing strong security practices and educating employees about emerging phishing threats. With proactive measures, businesses can significantly reduce their exposure to such cyber risks.
