Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers

A phishing campaign called “I Paid Twice” targeted hotel establishments by using compromised Booking.com accounts and ClickFix social engineering to deliver PowerShell commands that deploy PureRAT, enabling theft of booking-extranet credentials and subsequent customer-targeted banking phishing. The operation leveraged a redirection/TDS infrastructure, hundreds of malicious domains, and a cybercrime ecosystem selling Booking.com logs and services such as traffers and log checkers. #PureRAT #ClickFix

Keypoints

  • Campaign active since at least April 2025 used compromised Booking.com/hotel accounts and WhatsApp/email to deliver targeted phishing to hotels and guests.
  • ClickFix social engineering redirected victims through TDS-like domains to pages prompting victims to copy and run a PowerShell command that fetched a ZIP named updserc.zip to infect machines.
  • Infection chain results in DLL side-loading and in-memory reflective loading of PureRAT, achieving persistence via Run registry keys and Startup .lnk files.
  • PureRAT (aka PureHVNC/ResolverRAT) provides remote control, keylogging, data exfiltration, plugin loading, and communicates to C2 over TLS on ports 56001–56003.
  • Stolen Booking.com extranet accounts (logs/cookies) are traded on Russian-speaking cybercrime forums, with services like traffers, log checkers, and Telegram bots professionalising the market.
  • Phishing pages impersonating Booking.com and Expedia used Cloudflare/Turnstile and were hosted behind an ASN tied to a likely bulletproof hoster in Russia, facilitating payment-phishing extortion of guests.
  • Sekoia detection opportunities include PowerShell misuse rules, Sysmon ImageLoad for DLL side-loading, and behavioral detection of AddInProcess32.exe anomalies with Sigma/SOL examples provided.
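As an added illustration of the detection opportunities listed above (this is example code, not Sekoia's own rules), the following Python classifies constructed Sysmon-style events for each stage of the described chain: the ClickFix PowerShell stager, Run-key and Startup .lnk persistence, DLL side-loading from %LOCALAPPDATA%, AddInProcess32.exe spawned by an unexpected parent, and connections to the 56001–56003 C2 port range. Field names follow Sysmon's; file names such as host.exe and version.dll are placeholders.

```python
import re

# Constructed Sysmon-style events (not real telemetry). The last one is a benign
# AddInProcess32.exe launch from Visual Studio, included to show a non-match.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "<fetch hxxps://ctrlcapaserc[.]com/bomla, unzip updserc.zip>"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": "powershell -w hidden -File <placeholder>"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\updserc\host.exe",          # placeholder name
     "ImageLoaded": r"C:\Users\u\AppData\Local\updserc\version.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "CommandLine": "AddInProcess32.exe /guid:<placeholder> /pid:4321",
     "ParentImage": r"C:\Users\u\AppData\Local\updserc\host.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "DestinationIp": "85.208.84.94", "DestinationPort": 56001},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "CommandLine": "AddInProcess32.exe /guid:<placeholder> /pid:100",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

USER_DIRS = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)   # user-writable staging locations
STAGING = re.compile(r"updserc\.zip|/bomla\b", re.I)             # archive name and staging path from the report
RUN_KEY = "\\currentversion\\run\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"

def classify(ev):
    """Return the name of the first matching detection for one event, or None."""
    eid, image = ev["EventID"], ev.get("Image", "").lower()
    if eid == 1 and image.endswith("powershell.exe") and STAGING.search(ev.get("CommandLine", "")):
        return "ps_clickfix_staging"
    if eid == 13 and RUN_KEY in ev.get("TargetObject", "").lower() and "powershell" in ev.get("Details", "").lower():
        return "runkey_powershell_persistence"
    target = ev.get("TargetFilename", "").lower()
    if eid == 11 and target.endswith(".lnk") and STARTUP_DIR in target:
        return "startup_lnk_persistence"
    if eid == 7 and USER_DIRS.search(image) and USER_DIRS.search(ev.get("ImageLoaded", "")) \
            and ev.get("Signed", "").lower() == "false":
        return "dll_sideload_from_appdata"
    if eid == 1 and image.endswith("addinprocess32.exe") and USER_DIRS.search(ev.get("ParentImage", "")):
        return "addinprocess32_suspicious_parent"
    if eid == 3 and image.endswith("addinprocess32.exe") and 56001 <= int(ev.get("DestinationPort", 0)) <= 56003:
        return "purerat_c2_port_range"
    return None

def scan(events):
    """Return (index, detection) pairs for every event that matches a rule."""
    return [(i, name) for i, ev in enumerate(events) if (name := classify(ev))]

if __name__ == "__main__":
    for i, name in scan(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
```

The AddInProcess32.exe rule keys on the parent process rather than the image, since the binary itself is a legitimate .NET component; tune the allow-list of expected parents to your environment.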

MITRE Techniques

  • [T1566] Phishing – Used to deliver the initial malicious URLs and messages impersonating Booking.com or sent from compromised hotel accounts (“the malicious email sent by the attacker contained a URL… reproduced the Booking.com brand identity”).
  • [T1192] Spearphishing Attachment (or Link) – Targeted spearphishing to hotel reservation/admin emails with tailored subject lines and booking details to increase credibility (“subject line referred to a customer request… included a URL that ultimately led to the compromise”).
  • [T1204.002] User Execution: Malicious File – Victims were social-engineered to copy and execute a PowerShell command from a ClickFix page (“prompted to copy a command using the ClickFix reCAPTCHA tactic. The copied and subsequently executed command included PowerShell instructions”).
  • [T1566.001] Spearphishing Link – Use of crafted links and redirection infrastructure (TDS) to direct victims to the ClickFix/PowerShell payload (“Each URL redirected users to a web page hosting a JavaScript… objective is to redirect the user to the ClickFix URL”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was used to download, extract, and execute the malware payload and establish persistence (“that command downloads and executes further PowerShell instructions… creates a Run registry key… executes the .exe binary”).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Persistence created via Run registry key to execute the extracted binary at logon (“Creates a Run registry key under CurrentVersion\Run associated with a PowerShell command”).
  • [T1547.001] Boot or Logon Autostart Execution: Startup Shortcut – Creation of .lnk in the Startup directory for persistence (“Creates a shortcut file (.lnk) in AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”).
  • [T1574.001] DLL Search Order Hijacking / DLL Side-Loading – Loader triggers DLL side-loading to load malicious DLLs, acting as a loader for PureRAT (“The .exe binary triggers DLL side-loading, loading one of the malicious DLLs from the ZIP archive”).
  • [T1620] Reflective Code Loading – PureRAT is loaded into memory by reflective loading (AddInProcess32.exe used to load .NET assembly into memory) (“Loading the PureRAT malware into memory by reflective loading, using AddInProcess32.exe to load an assembly into memory”).
  • [T1041] Exfiltration Over C2 Channel – Collected system info and GUID were sent to C2 at each step and data exfiltration via encrypted C2 channel and plugin mechanism (“Reports status updates to its Command and Control (C2)… Collected system information and a GUID… sent to the server”).
  • [T1105] Ingress Tool Transfer – Download of a ZIP archive (updserc.zip) from a staging URL and extraction to AppData for payload deployment (“Downloads a ZIP archive and extracts it into the current user’s AppData\Local directory”).
  • [T1588.002] Acquire Infrastructure: Domain Registration – Adversary used hundreds of domains and a TDS-like redirection infrastructure to host ClickFix and phishing pages (hundreds of malicious domains active for months) (“Pivoting on the IP address… unveiled numerous other malicious domains… nearly a hundred domain names associated with that IP”).

Indicators of Compromise

  • [Domain] ClickFix redirect and staging domains – ctrlcapaserc[.]com, bkngssercise[.]com (examples from ClickFix PowerShell URL and payload).
  • [Domain] Phishing pages mimicking booking platforms – confirmation887-booking[.]com, verifycard0006-booking[.]com (customer-targeted phishing pages).
  • [IP:Port] C2 servers – 85.208.84[.]94:56001, 77.83.207[.]106:56001 (PureRAT C2 endpoints and observed ports 56001–56003).
  • [File Hash] Malicious binary hashes – SHA256=9BAB404584F6A0D9D82112D6E017CFA37D0094D97E510101D6A0132FD145DD32 (example from Sysmon event), and MD5=D4845669F7F56C6C4EB82147A1F82615.
  • [Filename] Staging archive and paths – updserc.zip (consistent ZIP archive name used to deliver payload), /bomla path (consistent staging path delivering PowerShell script).
  • [URL Pattern] Redirect URL pattern – hxxps://{randomname}[.]com/[a-z0-9]{4} (observed redirection URL format used by ClickFix/TDS service).

Read more: https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/