Booking.com partner-account phishing campaign using ClickFix and PureRAT
Campaign
Summary
Hide ▲
Show ▼
A phishing campaign abusing Booking.com partner accounts is stealing credentials and helping fraudsters pressure hotel guests, creating risk for hospitality businesses and their customers. The operation has been active since at least April 2025 and has expanded to Agoda accounts. Attackers used malicious emails, a redirection chain, and ClickFix social engineering to deploy PureRAT and enable credential theft, screenshot capture, and data exfiltration.
Related Happenings
Booking.com partner accommodation phishing campaign targeting Japan
Campaign
H score32
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
A **phishing campaign** is targeting **Booking.com partner accommodations in Japan** with guest-complaint and review-request lures that deliver **malicious files** for **TONResolv...
Booking.com partner accommodation phishing campaign targeting Japan
CampaignAbout this happening: A **phishing campaign** is targeting **Booking.com partner accommodations in Japan** with guest-complaint and review-request lures that deliver **malicious files** for **TONResolv...
Poisoned Tenant OpenAI organization invite campaign
Campaign
H score35
First: 26.06.2026 20:49
Last: 26.06.2026 20:49
Sources 1
About this happening:
The **Poisoned Tenant** campaign is using fraudulent **OpenAI organizations** to lure targeted employees into shared **ChatGPT workspaces**, creating a risk of sensitive company d...
Poisoned Tenant OpenAI organization invite campaign
CampaignAbout this happening: The **Poisoned Tenant** campaign is using fraudulent **OpenAI organizations** to lure targeted employees into shared **ChatGPT workspaces**, creating a risk of sensitive company d...
AccountDumpling Google AppSheet Facebook phishing campaign
Campaign
H score31
First: 01.05.2026 21:09
Last: 01.05.2026 21:09
Sources 1
About this happening:
A **Vietnamese-linked** operation dubbed **AccountDumpling** is using **Google AppSheet** as a phishing relay to steal **Facebook** credentials, enabling account takeover at scale...
AccountDumpling Google AppSheet Facebook phishing campaign
CampaignAbout this happening: A **Vietnamese-linked** operation dubbed **AccountDumpling** is using **Google AppSheet** as a phishing relay to steal **Facebook** credentials, enabling account takeover at scale...
FBI-led takedown of W3LL phishing network
Law Enforcement
H score33
First: 13.04.2026 13:35
Last: 13.04.2026 13:35
Sources 1
About this happening:
**FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...
FBI-led takedown of W3LL phishing network
Law EnforcementAbout this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
H score43
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Timeline
-
06.11.2025 18:00 2 articles · 8mo ago
Booking.com partner-account phishing campaign using ClickFix and PureRAT
Initial DisclosureAttackers first sent malicious emails from legitimate hotel accounts or impersonated Booking.com. Those messages funneled victims through a redirection chain into the **ClickFix** social-engineering flow.
Show sources
- “I Paid Twice” Phishing Campaign Targets Booking.com — www.infosecurity-magazine.com — 06.11.2025 18:00
- ClickFix Campaign Targets Hotels, Spurs Secondary Customer Attacks — www.darkreading.com — 10.11.2025 17:16