Date: 2025-03-13

A sophisticated ‘ClickFix’ phishing campaign is impersonating Booking.com to target hospitality firms with multiple infostealing malware families, enabling financial fraud and theft.

The ongoing campaign, which began in December 2024, has been attributed by Microsoft Threat Intelligence to a threat cluster known as Storm-1865.

The attackers use a social engineering technique called ClickFix to specifically target individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Europe, which are likely to work with Booking.com, an online travel agency.

ClickFix sees threat actors use fake error messages that instruct users to fix issues by copying, pasting and launching commands that eventually result in the download of malware.

The technique can bypass conventional and automated security features as the user infects themselves.

The tactic preys on users’ desire to fix problems themselves rather than alerting their IT team or anyone else.

The new campaign deploys multiple families of malware that have capabilities to steal financial data and credentials for fraudulent use. The malware families include XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot and NetSupport RAT.

Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.

Microsoft said the tactics bear the hallmarks of past Storm-1865 campaigns, including targeting hotel guests by impersonating Booking.com.

“The addition of ClickFix to this threat actor’s tactics, techniques and procedures (TTPs) shows how Storm-1865 is evolving its attack chains to try to slip through conventional security measures against phishing and malware,” the researchers wrote.

How the ClickFix Campaign Works

Storm-1865 begins by sending a malicious email impersonating Booking.com to the targeted individual.

The content of the emails varies significantly, including references to negative guest reviews, requests from prospective guests, online promotion opportunities and account verification.