HP Inc. today issued its latest Threat Insights Report, showing attackers continuing to take advantage of users’ “click fatigue” – particularly during fast paced, time-sensitive browsing moments, like booking travel deals.
With analysis of real-world cyberattacks, the report helps organizations to keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape.
The report details an investigation into suspicious domains – related to an earlier CAPTCHA-themed campaign – which uncovered fake travel booking websites. The spoofed sites feature branding imitating booking.com, but with the content blurred, and a deceptive cookie banner designed to trick users into clicking “Accept” – triggering a download of a malicious JavaScript file.
Opening the file installs XWorm, a remote access trojan (RAT) that gives attackers full control of the device, including access to files, webcams, microphones, and the ability to deploy further malware or disable security tools.
The campaign was first detected in Q1 2025, coinciding with the peak summer holiday booking period – a time when users are particularly vulnerable to travel-themed lures. Yet it remains active, with new domains continuing to be registered and used to deliver the same booking-related lure.
Based on data from millions of endpoints running HP Wolf Security, HP threat researchers also discovered:
- Impostor Files Hiding In Plain Sight: Attackers used Windows Library files to sneak malware inside familiar-looking local folders – such as “Documents” or “Downloads.” Victims were shown a Windows Explorer pop-up, displaying a remote WebDAV folder with a PDF-lookalike shortcut that launched malware when clicked.
- PowerPoint Trap Mimics Folder Opening: A malicious PowerPoint file, opened in full-screen mode, mimicking the launch of a standard folder. When users click to escape, they trigger an archive download containing a VBScript and executable – pulling a GitHub-hosted payload to infect the device.
- MSI Installers on the Rise: MSI installers are now among the top file types used to deliver malware, largely driven by ChromeLoader campaigns. Often distributed through spoofed software sites and malvertising, these installers use valid, recently issued code-signing certificates to appear trusted and bypass Windows security warnings.
By isolating threats that have evaded detection tools on PCs – but still allowing malware to detonate safely inside secure containers – HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 50 billion email attachments, web pages, and downloaded files with no reported breaches.
Please visit the HP Threat Research Blog to view the report.
Like this:
Like Loading...
Related
This entry was posted on June 12, 2025 at 9:00 am and is filed under Commentary with tags HP. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Beware of Malicious Cookies on Fake Booking.com Websites, Warns HP Wolf Security
HP Inc. today issued its latest Threat Insights Report, showing attackers continuing to take advantage of users’ “click fatigue” – particularly during fast paced, time-sensitive browsing moments, like booking travel deals.
With analysis of real-world cyberattacks, the report helps organizations to keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape.
The report details an investigation into suspicious domains – related to an earlier CAPTCHA-themed campaign – which uncovered fake travel booking websites. The spoofed sites feature branding imitating booking.com, but with the content blurred, and a deceptive cookie banner designed to trick users into clicking “Accept” – triggering a download of a malicious JavaScript file.
Opening the file installs XWorm, a remote access trojan (RAT) that gives attackers full control of the device, including access to files, webcams, microphones, and the ability to deploy further malware or disable security tools.
The campaign was first detected in Q1 2025, coinciding with the peak summer holiday booking period – a time when users are particularly vulnerable to travel-themed lures. Yet it remains active, with new domains continuing to be registered and used to deliver the same booking-related lure.
Based on data from millions of endpoints running HP Wolf Security, HP threat researchers also discovered:
By isolating threats that have evaded detection tools on PCs – but still allowing malware to detonate safely inside secure containers – HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 50 billion email attachments, web pages, and downloaded files with no reported breaches.
Please visit the HP Threat Research Blog to view the report.
Share this:
Like this:
Related
This entry was posted on June 12, 2025 at 9:00 am and is filed under Commentary with tags HP. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.