“I Paid Twice” Phishing Campaign Targets Booking.com

By Team-CWD, November 6, 2025

A large-scale phishing operation exploiting Booking.com partner accounts has been uncovered by cybersecurity experts.

The latest Sekoia.io report, published today, detailed how cybercriminals compromised hotel systems and customer data through a sophisticated malware campaign active since at least April 2025.

The intrusion began when attackers sent malicious emails from legitimate hotel accounts or impersonated Booking.com. Each message contained a link leading victims through a redirection chain before launching the so-called ClickFix social engineering tactic.

Victims were prompted to execute a PowerShell command that downloaded malware, ultimately infecting systems with the PureRAT remote access Trojan.

PureRAT allows attackers to remotely control infected machines, steal credentials, capture screenshots and exfiltrate sensitive data. Its modular design enables the addition of plugins for expanded capabilities.

Analysts believe the malware initially targeted hotel staff to steal login credentials for booking platforms such as Booking.com, Airbnb and Expedia. These credentials were then either sold on cybercrime forums or used directly in fraudulent schemes.

Once in possession of partner credentials, threat actors contacted hotel guests via email or WhatsApp, claiming issues with banking verification.

Messages included authentic booking details, increasing their credibility. Victims were directed to fake Booking.com pages designed to harvest payment information. These sites, hosted behind Cloudflare protection and linked to Russian infrastructure, mimicked legitimate layouts to avoid detection.

Sekoia.io analysts also observed an active trade in Booking.com credentials on Russian-language forums. Access details for these accounts (sold as authentication cookies or login pairs) ranged from $5 to $5,000, depending on value.

One user, “moderator_booking,” allegedly claimed over $20m in profits. Attackers have since expanded operations to include Agoda accounts.

The campaign demonstrates the growing professionalization of cybercrime targeting hospitality businesses.

“We assess with high confidence that the client who fell victim to this fraudulent scheme paid twice for his reservation: once at the hotel and once to the cybercriminal,” Sekoia.io wrote.

“Unveiling the adversary infrastructure revealed hundreds of malicious domains active for several months as of October 2025, demonstrating a resilient and likely profitable campaign.” 

The firm added it continues to monitor adversary infrastructure and improve detection methods to help protect booking platforms and their customers.