A new cybercrime campaign is preying on holidaymakers in a hurry, using fake Booking.com websites to trick users into downloading malware under the guise of a cookie consent banner.
HP Wolf Security’s latest Threat Insights Report highlights a sharp rise in spoofed travel booking domains designed to deliver XWorm, a powerful remote access trojan that gives attackers full control of the victim’s device, including files, webcam, microphone, and security settings.
Taking Advantage of Click Fatigue
Disguised to mimic the familiar look of Booking.com, these malicious websites display a blurred-out interface with a standard-looking cookie prompt. But the moment a user clicks “Accept,” they unwittingly trigger the download of a malicious JavaScript file. That single click is all it takes for XWorm to gain a foothold.
The campaign was first observed in the first quarter of 2025, just as summer holiday bookings began ramping up. HP’s researchers say the attack exploits both the urgency of last-minute travel planning and the psychological conditioning users have developed around privacy pop-ups.
“Most people don’t think twice about clicking cookie banners anymore,” said Patrick Schläpfer, Principal Threat Researcher at HP Security Lab. “Attackers are taking advantage of this click fatigue. They don’t need advanced techniques, just a well-timed prompt on a convincing page.”
The campaign remains active, with new fake domains imitating Booking.com still being registered. The report connects this activity to an earlier campaign that used CAPTCHA screens in a similar social engineering setup.
New Tricks with Familiar Files
The HP Wolf Security report also uncovers other emerging threats, revealing how attackers are disguising malware as everyday file types and folders:
- Windows Library Files Masquerading as PDFs: Threat actors are embedding malware in remote WebDAV folders that appear to be local directories like “Documents” or “Downloads.” Victims are tricked into clicking a fake PDF shortcut that executes malware.
- PowerPoint Slide Traps: One campaign used a PowerPoint file in full-screen mode to mimic the opening of a standard folder. When the user tries to click out, they unknowingly trigger a download, which is a booby-trapped archive containing a malicious VBScript and an executable, which pulls in a second-stage payload from GitHub.
- MSI Installers on the Rise: HP’s telemetry shows MSI installers are now among the top malware delivery methods. Often distributed through spoofed software download sites or via malvertising, these installers use valid code-signing certificates to appear trustworthy and bypass Windows security warnings. The growth is largely tied to ChromeLoader, a widespread malware campaign targeting browsers.
Isolation Is Protection
HP Wolf Security’s approach highlights high-risk activity within secure micro-virtual machines, so that malware to execute in a contained environment. This gives researchers a rare window into techniques that slip past conventional detection tools.
Ian Pratt, Global Head of Security for Personal Systems at HP, believes the risks lie less in sophisticated code and more in human behavior.
“Users are growing desensitized to pop-ups and permission requests,” he said. “It’s not always zero-day exploits that breach the system, it’s the day-to-day actions we don’t think twice about. By isolating those key moments, we reduce risk without needing to guess every attacker’s next move.”
Vigilance is Critical
With attackers constantly refining their techniques, the report serves as a timely warning for both consumers and security teams. As the summer travel season peaks, vigilance is critical.
HP is urging users to double-check URLs, avoid clicking blindly through banners, and download software only from official sources.
You can read the full report on the HP Threat Research Blog.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.