Find notable cyber news and cases, enriched with sources, timelines, and signals.

Booking.com partner-account phishing campaign using ClickFix and PureRAT

Campaign
First reported
Last updated
Happening score
H score 34
2 unique sources, 2 articles

Summary

Hide ▲

A phishing campaign abusing Booking.com partner accounts is stealing credentials and helping fraudsters pressure hotel guests, creating risk for hospitality businesses and their customers. The operation has been active since at least April 2025 and has expanded to Agoda accounts. Attackers used malicious emails, a redirection chain, and ClickFix social engineering to deploy PureRAT and enable credential theft, screenshot capture, and data exfiltration.

Related Happenings

Booking.com partner accommodation phishing campaign targeting Japan

Campaign
H score32 First: 30.06.2026 13:30 Last: 30.06.2026 13:30 Sources 1

About this happening: A **phishing campaign** is targeting **Booking.com partner accommodations in Japan** with guest-complaint and review-request lures that deliver **malicious files** for **TONResolv...

Poisoned Tenant OpenAI organization invite campaign

Campaign
H score35 First: 26.06.2026 20:49 Last: 26.06.2026 20:49 Sources 1

About this happening: The **Poisoned Tenant** campaign is using fraudulent **OpenAI organizations** to lure targeted employees into shared **ChatGPT workspaces**, creating a risk of sensitive company d...

AccountDumpling Google AppSheet Facebook phishing campaign

Campaign
H score31 First: 01.05.2026 21:09 Last: 01.05.2026 21:09 Sources 1

About this happening: A **Vietnamese-linked** operation dubbed **AccountDumpling** is using **Google AppSheet** as a phishing relay to steal **Facebook** credentials, enabling account takeover at scale...

FBI-led takedown of W3LL phishing network

Law Enforcement
H score33 First: 13.04.2026 13:35 Last: 13.04.2026 13:35 Sources 1

About this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Timeline

  1. 06.11.2025 18:00 2 articles · 8mo ago

    Booking.com partner-account phishing campaign using ClickFix and PureRAT

    Initial Disclosure

    Attackers first sent malicious emails from legitimate hotel accounts or impersonated Booking.com. Those messages funneled victims through a redirection chain into the **ClickFix** social-engineering flow.

    Show sources