How Do ClickFix Phishing Attacks Target Hotels with PureRAT?

As the hospitality industry faces an unprecedented wave of cyber threats, we sat down with Malik Haidar, a renowned cybersecurity expert with years of experience in protecting multinational corporations from sophisticated attacks. With a deep background in analytics, intelligence, and security, Malik has a unique perspective on integrating business needs with robust cybersecurity strategies. In this interview, we dive into the alarming rise of phishing campaigns targeting hotel systems, the deployment of dangerous malware like PureRAT, and the social engineering tactics that exploit both hotel staff and customers. Our conversation explores the mechanics of these attacks, their devastating impact, and the evolving landscape of cybercrime in this sector.

Can you walk us through the nature of the phishing campaign currently targeting the hospitality industry?

Absolutely. This is a large-scale operation that primarily focuses on hotel managers and staff, using spear-phishing emails to trick them into engaging with malicious content. These emails often appear to come from trusted platforms like Booking.com, leveraging the familiarity of these brands to lower defenses. The attackers use compromised email accounts to send out these messages, making them look legitimate at first glance. The goal is to lure victims to fake websites that deploy a tactic called ClickFix, which manipulates users into running harmful commands on their systems, ultimately installing malware like PureRAT.

How are hotel managers specifically being deceived by these phishing emails?

The deception is quite sophisticated. These emails are crafted to mimic communications from booking platforms, often addressing urgent issues like account verification or booking discrepancies. They include links that seem harmless but redirect the recipient through a series of pages, eventually landing on a fake site with something like a reCAPTCHA challenge to “secure the connection.” It’s all a ruse to make the interaction feel routine and safe, but in reality, it’s a gateway to downloading malicious scripts or commands that compromise the system.

What can you tell us about PureRAT malware and why it poses such a significant threat to hotel systems?

PureRAT, sometimes referred to as zgRAT, is a modular remote access trojan that’s incredibly dangerous due to its versatility. It can do everything from keylogging to capturing webcam and microphone data, controlling the mouse and keyboard, and even exfiltrating sensitive files. It’s designed to stay hidden on infected systems by using techniques like DLL side-loading and creating registry keys for persistence. What makes it particularly threatening to hotels is its ability to steal credentials for platforms like Booking.com or Expedia, giving attackers access to reservation systems and customer data, which can then be exploited for fraud or sold on underground forums.

What are the main objectives of cybercriminals when they target these hotel systems?

Their primary goal is to harvest credentials that give them access to booking platforms. Once they have these, they can either sell the login details on cybercrime marketplaces or use them directly to perpetrate fraud. For instance, they might log into a hotel’s account on a platform like Expedia, access customer reservation details, and then target those customers with fake messages to steal their payment information. It’s a multi-layered attack that maximizes profit by exploiting both the business and its clients.

Can you explain how these attacks unfold once a hotel manager interacts with a malicious link?

Sure. When a manager clicks on a link in one of these phishing emails, they’re taken through a redirection chain that eventually lands them on a ClickFix-style page. This page often masquerades as a security check, prompting the user to complete a challenge or copy a command into their system’s terminal or run dialog. What they don’t realize is that this command downloads a ZIP file or script that installs PureRAT. From there, the malware sets up shop, gathering system info, establishing persistence, and starting to siphon off data or credentials without the user noticing.

How are hotel customers being pulled into this scam as a secondary target?

Once the attackers gain access to a hotel’s booking system, they extract reservation details and use them to craft personalized fraudulent messages to customers. These messages might come via email or WhatsApp, claiming there’s an issue with their booking that requires verification. They’re directed to a fake website that mimics the look of a legitimate booking platform, where they’re asked to enter their credit card details to “confirm” their reservation. It’s a classic phishing tactic, but it’s incredibly effective because it uses real reservation data to build trust.

How widespread is this campaign, and are there specific regions more at risk?

This campaign is quite extensive, having been active since at least April 2025 and still operational as of early October 2025. It’s not confined to one area; hotels across multiple countries are being targeted, which suggests a well-coordinated effort by the attackers. While specific regions haven’t been publicly pinpointed as the primary focus, the global nature of booking platforms means that any hotel using these systems—regardless of location—is a potential target. The scale and persistence of this campaign are really concerning.

What role do underground forums and cybercrime services play in facilitating these attacks?

These forums are the backbone of such operations. Attackers often buy or trade information about hotel administrators on platforms like LolzTeam, including email addresses or other personal details that help tailor their phishing attempts. They also rely on specialized roles like “traffers,” who are essentially distributors of malware, focusing on spreading the infection. Additionally, tools like log checkers—available for as little as $40—allow attackers to validate stolen credentials using proxies, ensuring they’re still usable before selling or exploiting them. It’s a highly organized ecosystem that operates on an “as-a-service” model, lowering the barrier for entry and boosting efficiency.

What’s your forecast for the future of phishing attacks targeting the hospitality industry?

I expect these attacks to become even more sophisticated and widespread. As cybercriminals refine tactics like ClickFix—adding features like embedded videos, countdown timers, and OS-specific instructions—the likelihood of victims falling for these scams increases. We’re also seeing a trend toward greater automation and personalization, which makes phishing attempts harder to detect. The hospitality industry will need to prioritize employee training, implement stronger email filtering, and adopt multi-factor authentication across all platforms to stay ahead. Without proactive measures, the financial and reputational damage from these attacks could be catastrophic.
