Fake Booking.com ClickFix attack abuses Cloudflare verification to deliver malware
ID: 95549556-14fb-5225-9a75-b1f920485a59
STIX ID: report--95549556-14fb-5225-9a75-b1f920485a59
Feed Name: ThreatLocker Blog
ThreatLocker documents an active ClickFix campaign that lures users with fake Cloudflare/Turnstile verification pages hosted on malicious booking.com subdomains. Victims are coerced into pasting commands into the Run dialog or PowerShell, which execute a JavaScript downloader (lwiiiqzxxgaghaas.js). The downloader installs Node.js, extracts the final payload (Jghiiznajjdvlad.js), establishes persistence via a registry Run key, and connects over Tor to receive commands, transfer files, and execute arbitrary code. The report includes extensive IoCs (SHA-256 hashes, domains, IPs) and identifies related malicious GitHub repositories hosting additional tooling.
