On January 13, 2026, AlienVault released a comprehensive threat report titled Booking.com Phishing Campaign Targeting Hotels and Customers. The analysis uncovers a sophisticated, multi‑stage phishing operation that specifically targets the hospitality sector. By compromising Booking.com administrator accounts, the attackers are able to defraud both hotels and their guests, generating significant financial losses and eroding trust in online travel platforms.
Actor Group
The report identifies a well‑coordinated threat actor group that specializes in social engineering and credential theft. Their modus operandi involves harvesting contact lists of hotel administrators, crafting highly convincing spear‑phishing emails that mimic Booking.com’s official communication style, and deploying malware that grants remote access to compromised accounts.
Attack Chain
The operation begins with a spear‑phishing email that includes a malicious attachment or link. Once the user clicks the link, the ClickFix social engineering technique is triggered, leading to the download of a lightweight yet powerful Remote Access Trojan (RAT) called PureRAT. After installation, the malware establishes a covert channel to the attacker’s command‑and‑control (C2) server, where it exfiltrates credentials and other sensitive data.
PureRAT Malware
PureRAT is designed to remain stealthy within the victim’s environment. It employs anti‑analysis measures such as process injection, DLL hooking, and encrypted traffic to avoid detection by conventional endpoint protection. Once the RAT has a foothold, it enumerates local accounts, harvests stored credentials, and can impersonate the compromised Booking.com administrator to send fraudulent booking confirmations to guests.
Impact on the Hospitality Industry
Hotels that fall victim to this campaign experience direct financial loss when guests are tricked into paying twice for the same reservation. In addition, the reputational damage can be severe, as customers often share negative experiences on social media and review sites. The attackers’ ability to use legitimate Booking.com credentials also allows them to bypass many of the platform’s security controls, making detection difficult until the fraud is already in motion.
Cybercrime Ecosystem
The report highlights a thriving underground ecosystem that supports these attacks. Services are available for harvesting hotel administrator contacts, distributing spear‑phishing templates, and trading stolen Booking.com credentials on forums. This ecosystem enables the threat actors to scale their operations rapidly, as new victims can be added with minimal effort once the initial compromise vector is established.
Recommendations for Hotels
1. Multi‑Factor Authentication (MFA): Enforce MFA for all Booking.com administrator accounts to add an additional barrier against credential theft.
2. Security Awareness Training: Conduct regular phishing simulations and training sessions for staff, emphasizing the importance of verifying email senders and links.
3. Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions that can detect and block RAT activity such as PureRAT.
4. Account Monitoring: Implement real‑time monitoring of account activity for unusual login patterns or outbound messages to guests.
5. Incident Response Plan: Maintain a clear, tested incident response plan that includes steps for isolating compromised accounts and notifying affected guests.
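As an added illustration of recommendation 4 (not part of the AlienVault report), the following detection logic flags the account-takeover pattern the report describes: an administrator login from a country never seen for that account, followed within a short window by a burst of outbound guest messages carrying payment links. The log format, field names and baseline data are constructed for this example; a real Booking.com extranet audit export will differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log for hotel admin accounts. The layout
# "<timestamp> <account> <event> key=value..." is an assumption for this example.
SAMPLE_LOG = """\
2026-01-10T08:02:11Z admin@hotel-a.example login country=DE
2026-01-12T22:47:03Z admin@hotel-a.example login country=NG
2026-01-12T22:51:19Z admin@hotel-a.example message_sent to=guest2 payment_link=1
2026-01-12T22:52:05Z admin@hotel-a.example message_sent to=guest3 payment_link=1
2026-01-12T22:53:44Z admin@hotel-a.example message_sent to=guest4 payment_link=1
2026-01-11T10:00:00Z admin@hotel-b.example login country=FR
2026-01-11T10:30:00Z admin@hotel-b.example message_sent to=guest9 payment_link=1
"""

# Countries seen per account during a clean baseline period (constructed).
BASELINE_COUNTRIES = {"admin@hotel-a.example": {"DE"}, "admin@hotel-b.example": {"FR"}}

WINDOW = timedelta(hours=2)  # look-ahead window after a login from a new country
BURST_THRESHOLD = 3          # distinct guests sent a payment link inside WINDOW


def parse_log(text):
    """Parse log lines into (timestamp, account, event, fields) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, account, event, detail = line.split(" ", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), account, event, fields))
    return sorted(events, key=lambda e: e[0])


def find_suspicious_accounts(text, baseline=BASELINE_COUNTRIES):
    """Return {account: reason} for accounts where a login from an unseen country is
    followed by a burst of payment-link messages to guests (hijacked-admin pattern)."""
    by_account = defaultdict(list)
    for ev in parse_log(text):
        by_account[ev[1]].append(ev)
    flagged = {}
    for account, evs in by_account.items():
        for i, (ts, _, event, fields) in enumerate(evs):
            if event != "login" or fields["country"] in baseline.get(account, set()):
                continue  # known location: normal administrator activity
            recipients = {f["to"] for t, _, e, f in evs[i + 1:]
                          if e == "message_sent" and f.get("payment_link") == "1"
                          and t - ts <= WINDOW}
            if len(recipients) >= BURST_THRESHOLD:
                flagged[account] = f"login from {fields['country']} then {len(recipients)} payment-link messages"
    return flagged
```

Accounts with a single payment-link message after a login from a known country, as with hotel-b above, are not flagged; tune WINDOW and BURST_THRESHOLD to the property's normal messaging volume.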
Recommendations for Customers
1. Verify Booking Confirmation: Always confirm that the booking confirmation email originates from the official Booking.com domain and contains the correct reservation details.
2. Use Secure Payment Methods: Prefer payment methods that offer fraud protection, such as credit cards with chargeback rights.
3. Report Suspicious Emails: Forward any suspicious emails to Booking.com’s support team for verification.
4. Check Hotel Directly: If in doubt, contact the hotel directly using contact information from the official website rather than the links in the email.
In summary, the Booking.com phishing campaign demonstrates the evolving sophistication of threat actors targeting the hospitality industry. By combining social engineering, stealthy malware, and a robust underground marketplace, attackers can inflict significant financial and reputational damage. Hotels and customers alike must adopt layered security measures, remain vigilant, and cooperate with platform providers to mitigate the risks posed by this threat.