Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers
ID: 75d7a4a7-75f8-5e24-bd3b-152811eb8b43
STIX ID: report--75d7a4a7-75f8-5e24-bd3b-152811eb8b43
Feed Name: Sekoia.io Blog
Date Published: 2025-11-06
Date Updated: 2026-04-29
Author: Jeremy Scion, Quentin Bourgue and Sekoia TDR
**I Paid Twice** describes a global phishing and malware campaign targeting hotel booking-extranet accounts and their customers. Attackers used compromised Booking.com emails and ClickFix social engineering to trick administrators into executing PowerShell that stages PureRAT (fileless DLL side-loading), enabling credential theft, sale of extranet logs on cybercrime forums, and targeted banking phishing of guests. The report includes detailed TTPs, IOCs, detection queries (SOL/Sigma/Sysmon), and ecosystem analysis.
