In the first quarter of 2025, cybercriminals launched a large-scale malware campaign targeting holiday bookers by creating fake travel websites that closely mimic Booking.com.
According to HP Wolf Security’s latest Threat Insights Report, these fraudulent sites deploy convincing cookie consent banners required under GDPR to trick users into clicking and downloading malware.
Attackers are leveraging what security experts call “click fatigue,” the tendency to rapidly accept or dismiss cookie prompts, to increase the likelihood of successful infection.
This campaign marks an evolution of earlier attacks seen in late 2024, which used fake CAPTCHA challenges to deliver malware via malicious PowerShell scripts.
The new method involves a JavaScript prompt, disguised as a cookie consent dialog. When users click “accept,” a JavaScript file is downloaded and, once opened, executes two PowerShell scripts in the background.
Notably, these scripts use the .mp4 file extension to evade detection by network proxies, a technique referred to as T1036.008 in the MITRE ATT&CK framework.
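The extension trick above (a PowerShell script served with a .mp4 name) is detectable because the file's bytes do not match what the extension promises. The following Python check is an added example, not code from HP Wolf Security or the report; it compares a downloaded file's leading bytes against the public container signature for its extension (for MP4, the `ftyp` box at offset 4) and reports when a "media" file is actually script text. The signature table, the script-marker regex and the sample downloads are constructed assumptions for the illustration.

```python
import os
import re

# Container signatures keyed by extension: (offset, magic bytes). These are the
# public ISO-BMFF / ID3 / PNG markers; the table is an assumption covering only
# the formats this check needs.
MEDIA_SIGNATURES = {
    ".mp4": (4, b"ftyp"),   # ISO base media file: 'ftyp' box at offset 4
    ".mp3": (0, b"ID3"),    # ID3v2 tag at file start (most, not all, MP3s)
    ".png": (0, b"\x89PNG"),
}

# Tokens that would only appear in PowerShell/JavaScript text, never in a real
# media header. Constructed heuristic; extend to taste.
SCRIPT_MARKERS = re.compile(
    rb"(\$\w+\s*=|Invoke-\w+|function\s+\w+|New-Object|var\s+\w+\s*=)"
)


def classify_download(filename: str, head: bytes) -> str:
    """Return 'ok', 'mismatch', 'masquerade:script-as-<ext>' or 'unknown-extension'.

    `head` is the first few hundred bytes of the file as seen by the proxy or
    endpoint agent; only the bytes needed for the signature are inspected.
    """
    ext = os.path.splitext(filename)[1].lower()
    sig = MEDIA_SIGNATURES.get(ext)
    if sig is None:
        return "unknown-extension"
    offset, magic = sig
    if head[offset:offset + len(magic)] == magic:
        return "ok"
    # Extension claims media but the signature is absent: decide whether the
    # payload looks like script text (the masquerade the report describes).
    if SCRIPT_MARKERS.search(head):
        return "masquerade:script-as-" + ext.lstrip(".")
    return "mismatch"


# Constructed samples standing in for (filename, first bytes) pairs pulled from
# a proxy download log. None of these is real campaign content.
SAMPLE_DOWNLOADS = [
    ("promo.mp4", b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"),
    ("stage1.mp4", b"$cfg = Get-Content 'settings.json'\r\nWrite-Host $cfg\r\n"),
    ("clip.MP4", b"\x00" * 16),
    ("notes.txt", b"plain text, nothing to check"),
]


def triage(samples):
    """Return [(filename, verdict)] for every sample that is not a clean match."""
    flagged = []
    for name, head in samples:
        verdict = classify_download(name, head)
        if verdict != "ok":
            flagged.append((name, verdict))
    return flagged


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_DOWNLOADS):
        print(f"{name}: {verdict}")
```

A `mismatch` verdict on its own is noisy (truncated or unusual encoders exist), so the `masquerade:` verdict, which requires script tokens in the body, is the one worth alerting on; `mismatch` is better logged for correlation with the process that fetched the file.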
Technical Infection Chain and Exploitation Details
The infection process is multi-layered and highly technical. After a successful download, the scripts run as an inconspicuous process, downloading the primary payload from the same IP address.
The next stage involves a .NET program, js.exe, dynamically compiled at runtime and loaded into memory using PowerShell (T1620).
This technique, known as “living off the land,” makes detection and analysis more challenging.
To ensure persistence and stealth, the malware injects its final payload, the XWorm remote access trojan (RAT), into a legitimate Microsoft process, MSBuild.exe.
The injector writes malicious code into the memory of this process, then resumes the thread to execute the payload (T1055.012). XWorm enables attackers to remotely control infected systems, exfiltrate sensitive data, and install additional malware.
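The chain described in this section (script host, then PowerShell, then a hollowed MSBuild.exe) leaves a distinctive process ancestry that endpoint telemetry can catch without any signature for the payload itself. The Python below is an added example, not HP's or the report's code: it walks Sysmon-style process-creation events, and flags any MSBuild.exe whose ancestors include a script host or PowerShell, or which was started with no project file on its command line. The event fields, the process-name sets and the sample events are constructed assumptions.

```python
from typing import Dict, List, Optional

# Process names that should not normally sit above a build tool. Assumed sets.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# A legitimately invoked MSBuild.exe almost always names something to build.
PROJECT_EXTS = (".csproj", ".vbproj", ".sln", ".proj", ".targets")

# Constructed Sysmon-like process-creation events (pid, ppid, image, cmdline).
# Events 200-400 mirror the report's chain; 500-800 are benign developer activity.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",    "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\confirmation.js"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile (arguments omitted in this sample)"},
    {"pid": 400, "ppid": 300, "image": "MSBuild.exe",    "cmdline": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"},
    {"pid": 500, "ppid": 100, "image": "devenv.exe",     "cmdline": "devenv.exe App.sln"},
    {"pid": 600, "ppid": 500, "image": "MSBuild.exe",    "cmdline": "MSBuild.exe App.csproj /t:Build"},
    {"pid": 700, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe"},
    {"pid": 800, "ppid": 700, "image": "MSBuild.exe",    "cmdline": "MSBuild.exe Lib.sln"},
]


def ancestry(by_pid: Dict[int, dict], pid: int, max_depth: int = 8) -> List[str]:
    """Lower-cased image names from `pid` up to the root (or max_depth)."""
    chain: List[str] = []
    while pid in by_pid and len(chain) < max_depth:
        ev = by_pid[pid]
        chain.append(ev["image"].lower())
        pid = ev["ppid"]
    return chain


def severity(chain: List[str], has_project: bool) -> Optional[str]:
    """Score one MSBuild.exe instance from its ancestors and its arguments."""
    ancestors = set(chain[1:])
    if ancestors & SCRIPT_HOSTS:
        return "high"                      # build tool under wscript/cscript/mshta
    if ancestors & SHELLS:
        return "high" if not has_project else "medium"
    return "medium" if not has_project else None


def find_suspicious_msbuild(events: List[dict]) -> List[dict]:
    """Return findings [{pid, severity, chain}] ordered as the events appear."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "msbuild.exe":
            continue
        chain = ancestry(by_pid, e["pid"])
        has_project = any(tok.lower().endswith(PROJECT_EXTS)
                          for tok in e["cmdline"].split())
        sev = severity(chain, has_project)
        if sev:
            findings.append({"pid": e["pid"], "severity": sev, "chain": chain})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_msbuild(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], " <- ".join(f["chain"]))
```

The "medium" verdict on pid 800 is deliberate: a developer running MSBuild from an interactive PowerShell is common, so that case is worth a log entry rather than a page. Pairing the "high" finding with a network-connection event from the same MSBuild.exe pid (the RAT's command-and-control traffic) is the natural next correlation.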
Innovative Tactics and Broader Threat Landscape
These campaigns highlight the increasing use of sophisticated social engineering and novel file formats by cybercriminals.
For example, attackers are now abusing Windows library files (.ms-library) and Scalable Vector Graphics (.svg) to deliver malware via email.
These files appear harmless, but once opened, they connect to remote WebDAV shares and trigger infection chains.
In some instances, shortcuts masquerading as PDFs are embedded in libraries, launching scripts that download and execute further malware, including well-known RATs like DCRat and AsyncRat.
HP’s research also notes a significant rise in malicious MSI installers, often distributed through spoofed software sites and malvertising.
These installers use valid code-signing certificates to bypass Windows security warnings, further complicating detection efforts.
Additionally, threats delivered via email remain the dominant infection vector, accounting for 62% of endpoint threats in Q1 2025, with a 9% increase over the previous quarter.
Defending Against Modern Cyber Threats
Security professionals recommend keeping endpoint protection solutions updated and enabling advanced threat intelligence services.
User education is crucial, particularly regarding the risks of clicking on unfamiliar links or prompts.
By staying informed about the latest attack techniques and utilizing robust security tools, organizations can more effectively defend against these evolving threats.
In summary, the recent surge in fake travel site campaigns demonstrates cybercriminals’ relentless innovation, as they exploit both user behavior and technical loopholes to spread sophisticated malware, such as XWorm.
Vigilance and proactive security measures are more critical than ever in the fight against cybercrime.