HP Wolf Security research uncovers spoofed travel booking websites with malicious cookie pop-ups that target holidaymakers ahead of the summer break.
HP Inc. issued its latest Threat Insights report, showing attackers continuing to take advantage of users’ “click fatigue” – particularly during fast paced, time-sensitive browsing moments, like booking travel deals.
With analysis of real-world cyberattacks, the report helps organisations to keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape.
The report details an investigation into suspicious domains – related to an earlier CAPTCHA-themed campaign – which uncovered fake travel booking websites. The spoofed sites feature branding imitating booking.com, but with the content blurred, and a deceptive cookie banner designed to trick users into clicking “Accept” – triggering a download of a malicious JavaScript file.
Opening the file installs XWorm, a remote access trojan (RAT) that gives attackers full control of the device, including access to files, webcams, microphones, and the ability to deploy further malware or disable security tools.
The campaign was first detected in Q1 2025, coinciding with the peak summer holiday booking period – a time when users are particularly vulnerable to travel-themed lures. Yet it remains active, with new domains continuing to be registered and used to deliver the same booking-related lure.
Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab, commented: “Since the introduction of privacy regulations such as GDPR, cookie prompts have become so normalized that most users have fallen into a habit of ‘click-first, think later.’ By mimicking the look and feel of a booking site at a time when holiday-goers are rushing to make travel plans, attackers don’t need advanced techniques – just a well-timed prompt and the user’s instinct to click.”
Based on data from millions of endpoints running HP Wolf Security, HP threat researchers also discovered:
- Impostor files hiding in plain sight: Attackers used Windows Library files to sneak malware inside familiar-looking local folders – such as “Documents” or “Downloads.” Victims were shown a Windows Explorer pop-up, displaying a remote WebDAV folder with a PDF-lookalike shortcut that launched malware when clicked.
- PowerPoint trap mimics folder opening: A malicious PowerPoint file, opened in full-screen mode, mimicking the launch of a standard folder. When users click to escape, they trigger an archive download containing a VBScript and executable – pulling a GitHub-hosted payload to infect the device.
- MSI installers on the rise: MSI installers are now among the top file types used to deliver malware, largely driven by ChromeLoader campaigns. Often distributed through spoofed software sites and malvertising, these installers use valid, recently issued code-signing certificates to appear trusted and bypass Windows security warnings.
By isolating threats that have evaded detection tools on PCs – but still allowing malware to detonate safely inside secure containers – HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 50 billion email attachments, web pages, and downloaded files with no reported breaches.
Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., commented: “Users are growing desensitized to pop-ups and permission requests, making it easier for attackers to slip through. Often, it’s not sophisticated techniques, but moments of routine that catch users out. The more exposed those interactions are, the greater the risk. Isolating high-risk moments, like clicking on untrusted content, helps businesses reduce their attack surface without needing to predict every attack.”
