Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware

Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware

Sekoia researchers identified a phishing campaign using ClickFix tactics to infect hotel systems with PureRAT malware. The malware enables remote access, webcam capture, and data exfiltration, with attacks active since April 2025.

Why This Matters

The campaign highlights the gap between ideal security models and real-world threats. While hotels may use multi-factor authentication, social engineering tactics like ClickFix exploit human trust, bypassing technical safeguards. The malware’s persistence mechanisms and evasion techniques (e.g., .NET Reactor obfuscation) increase breach costs, with stolen credentials sold on forums like LolzTeam for profit.

Key Insights

• “Campaign active since April 2025, operational as of October 2025”: https://thehackernews.com/2025/11/large-scale-clickfix-phishing-attacks.html
• “ClickFix pages use embedded videos and OS-specific instructions to mimic legitimacy”: https://thehackernews.com/2025/11/large-scale-clickfix-phishing-attacks.html
• “PureRAT supports webcam capture, keylogging, and DLL side-loading for persistence”: https://thehackernews.com/2025/11/large-scale-clickfix-phishing-attacks.html

Practical Applications

• Use Case: Hotels implementing multi-factor authentication for Booking.com extranet access to mitigate credential theft.
• Pitfall: Relying on single-factor authentication for administrative systems, enabling attackers to exploit phishing-delivered malware.

References:

• https://thehackernews.com/2025/11/large-scale-clickfix-phishing-attacks.html