A sophisticated ClickFix campaign was detected in mid-March 2026, beginning with a malicious webpage impersonating Booking.com's visual identity with a fake CAPTCHA. The attack leverages social engineering to trick victims into executing a PowerShell command that downloads and runs a script directly in memory. The JavaScript code automatically copies malicious commands to the clipboard and intercepts copy events. Once executed, the PowerShell dropper performs system fingerprinting, downloads a ZIP payload from a remote server, deploys it to user directories, establishes persistence through registry keys and scheduled tasks, and executes the final payload. The campaign demonstrates well-structured code with fallback mechanisms and real-time telemetry via Telegram, suggesting the use of a ready-to-use attack kit.