Threat Actors Deploy XWorm Malware via Fake Travel Websites to Infect Users’ PCs
The HP Threat Research team discovered a sophisticated malware campaign in Q1 2025 that targets vacation planners by imitating Booking.com using phony travel websites.
As detailed in the latest HP Wolf Security Threat Insights Report, attackers are leveraging users’ “click fatigue” with cookie consent banners to deploy XWorm, a dangerous remote access trojan (RAT).
Exploiting Click Fatigue
Unsuspecting users, directed to these deceptive sites, encounter a counterfeit cookie banner that, when accepted, triggers the download of a malicious JavaScript file.
Cookie banners have been a routine part of browsing since GDPR enforcement began in 2018, so users dismiss them reflexively; the lure exploits exactly that habit, which makes it alarmingly effective.
Once activated, the JavaScript retrieves two PowerShell scripts that are served with an .mp4 extension so the downloads blend in with ordinary media traffic in web proxy logs. These scripts initiate the installation of XWorm, which lets the attackers remotely control infected systems and exfiltrate sensitive data.
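A proxy log review that trusts the file extension is exactly what the .mp4 trick defeats. The hunt below, an added example rather than HP's tooling, cross-checks the extension against the response Content-Type, the body size and the requesting client, and also flags scripting clients pulling files from bare-IP hosts. The log lines are constructed, and the space-separated field layout (timestamp, client, method, URL, status, quoted Content-Type, bytes, quoted User-Agent), the size threshold and the User-Agent tokens are assumptions to adapt to your own proxy:

```python
"""Hunt for script payloads hidden behind media extensions in proxy logs.

Added example (not HP's tooling). The log lines are constructed, and the
space-separated field layout (timestamp, client, method, URL, status,
quoted Content-Type, bytes, quoted User-Agent) is an assumption; adapt
LOG_RE to your proxy's real format.
"""
import re
from dataclasses import dataclass

MEDIA_EXTENSIONS = {".mp4", ".mp3", ".avi", ".mkv", ".mov"}
# Content-Type prefixes a genuine media download would carry.
MEDIA_CONTENT_TYPES = ("video/", "audio/", "application/octet-stream")
# User-Agent tokens of scripting clients; the PowerShell one matches the
# default UA of Invoke-WebRequest (assumed, verify against your telemetry).
SCRIPT_CLIENT_UA = ("WindowsPowerShell/", "PowerShell/", "curl/", "Wget/", "python-requests/")
SMALL_MEDIA_BYTES = 64 * 1024  # real videos are rarely this small (assumed threshold)

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)" (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    client: str
    url: str
    reasons: tuple


def _split_url(url):
    """Return (host, extension) for a URL; extension keeps its dot or is ''."""
    m = re.match(r"^[a-z]+://([^/?#]+)", url, re.I)
    host = m.group(1).split(":")[0] if m else ""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return host, ext


def analyse_line(line):
    """Return a Finding for one proxy log line, or None if nothing stands out."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, ext = _split_url(m["url"])
    ctype, ua = m["ctype"].lower(), m["ua"]
    scripted = any(tok in ua for tok in SCRIPT_CLIENT_UA)
    reasons = []
    if ext in MEDIA_EXTENSIONS:
        # The extension claims video; check whether anything else agrees.
        if ctype and not ctype.startswith(MEDIA_CONTENT_TYPES):
            reasons.append(f"{ext} served as {ctype}")
        if int(m["bytes"]) < SMALL_MEDIA_BYTES:
            reasons.append("implausibly small media file")
        if scripted:
            reasons.append(f"media fetched by scripting client ({ua.split()[-1]})")
    if scripted and IPV4_LITERAL.match(host):
        # Stagers commonly pull every stage from one bare-IP host.
        reasons.append(f"scripting client fetching from IP-literal host {host}")
    return Finding(m["client"], m["url"], tuple(reasons)) if reasons else None


def hunt(lines):
    return [f for f in map(analyse_line, lines) if f]


# Constructed sample log: documentation IPs and fictitious hosts only.
SAMPLE_LOG = [
    # Legitimate stream: browser UA, video Content-Type, large body.
    '2025-03-01T10:00:01Z 10.0.0.5 GET https://cdn.example.net/media/promo.mp4 200 '
    '"video/mp4" 48213991 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"',
    # ".mp4" that is really a small text file pulled by PowerShell from a bare IP.
    '2025-03-01T10:02:15Z 10.0.0.7 GET http://203.0.113.10/files/video1.mp4 200 '
    '"text/plain" 3127 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    # Follow-on binary from the same host, same scripting client.
    '2025-03-01T10:02:16Z 10.0.0.7 GET http://203.0.113.10/files/js.exe 200 '
    '"application/octet-stream" 215040 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    # Ordinary page load, nothing to flag.
    '2025-03-01T10:03:00Z 10.0.0.9 GET https://www.example.com/index.html 200 '
    '"text/html" 51234 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f.client, f.url)
        for r in f.reasons:
            print("   -", r)
```

Only the second and third lines are flagged: the first is a real video and the last is not media at all. None of the individual checks is conclusive on its own (some CDNs serve video as application/octet-stream, and small clips exist), which is why the script collects reasons and lets the analyst weigh the combination rather than alerting on any single one.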
Multi-Stage Infection Chain
The technical depth of this campaign reveals a multi-stage infection process designed to bypass traditional security measures.
After the initial JavaScript download, the PowerShell scripts fetch a .NET binary (js.exe) from the same malicious IP, which then compiles another executable at runtime using dynamic code compilation (T1027.004).
This binary acts as a process injector, embedding the XWorm payload into a legitimate process like MSBuild.exe via process hollowing (T1055.012), ensuring stealthy execution.
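Both host-side stages described above leave process-creation telemetry: runtime compilation spawns csc.exe with a temporary .cmdline response file, and a hollowed MSBuild.exe is started by something that is not a build tool and with nothing to build. The hunt below is an added example (not HP's tooling) over constructed events in the shape of Sysmon Event ID 1 fields; the parent allowlist and the user-writable path pattern are assumptions to tune for your environment:

```python
"""Hunt for compile-after-delivery and MSBuild hollowing in process telemetry.

Added example, not HP's tooling. Events are constructed dicts carrying
Sysmon Event ID 1 (process creation) field names; the parent allowlist
and path patterns are assumptions.
"""
import ntpath
import re

# Parents that legitimately drive csc.exe or MSBuild.exe (assumed allowlist).
DEV_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# Locations where a dropped .NET loader is typically staged (assumed).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|temp|programdata|public)\\", re.I)
PROJECT_FILE = re.compile(r"\.(csproj|vbproj|proj|sln|targets)\b", re.I)
# CodeDom-style runtime compilation: csc.exe /noconfig /fullpaths @"<temp>\x.cmdline"
TEMP_CMDLINE = re.compile(r'@"?[^"]*\\temp\\[^"]*\.cmdline', re.I)


def _name(path):
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons a process-creation event looks suspicious (empty if none)."""
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    reasons = []
    if image == "csc.exe" and parent not in DEV_TOOL_PARENTS:
        if TEMP_CMDLINE.search(cmd):
            reasons.append(f"runtime compilation from temp .cmdline, parent {parent} (T1027.004)")
        else:
            reasons.append(f"csc.exe spawned by non-dev parent {parent}")
    if image == "msbuild.exe":
        if parent not in DEV_TOOL_PARENTS and USER_WRITABLE.search(event["ParentImage"]):
            reasons.append(f"msbuild.exe started by binary in user-writable path ({parent})")
        if not PROJECT_FILE.search(cmd):
            reasons.append("msbuild.exe launched with no project file (hollowing target)")
    return reasons


def hunt(events):
    return [(e["ProcessId"], e["Image"], r) for e in events if (r := classify(e))]


# Constructed sample events; user name and temp folder names are fictitious.
SAMPLE_EVENTS = [
    # Developer build: Visual Studio driving MSBuild with a real project file.
    {"ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe /nologo App.csproj /p:Configuration=Release",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # Dropped .NET loader compiling its next stage at runtime.
    {"ProcessId": 5208,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
                    r'@"C:\Users\alice\AppData\Local\Temp\k2lq4x1z\k2lq4x1z.cmdline"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\js.exe"},
    # Same loader starting MSBuild.exe with nothing to build: hollowing target.
    {"ProcessId": 5316,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\js.exe"},
]

if __name__ == "__main__":
    for pid, image, reasons in hunt(SAMPLE_EVENTS):
        print(pid, image)
        for r in reasons:
            print("   -", r)
```

Process creation alone cannot prove hollowing; it shows a suspicious launch. Corroborate with Sysmon Event ID 10 (ProcessAccess) from the parent to the new MSBuild.exe with write and thread-control rights, and with network connections originating from MSBuild.exe, which a genuine build rarely makes.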
This approach not only demonstrates the attackers’ innovation in evading endpoint detection but also highlights their shift from earlier tactics seen in Q4 2024, such as fake CAPTCHA challenges, to more subtle lures like cookie banners.
The attackers registered lure domains as early as February 23, 2025, giving them time to craft convincing imitations of travel platforms.
Beyond XWorm, HP Sure Click also intercepted related Q1 campaigns that used unusual file formats, such as Windows library files (.library-ms) and Scalable Vector Graphics (.svg), to distribute other RATs including DCRat and AsyncRAT, delivered via email attachments and WebDAV shares that appear to the user as local folders.
This campaign is part of a broader surge in malware impersonating travel booking platforms; separately, HP researchers noted an uptick in malicious MSI installers driven by ChromeLoader activity, often spread through spoofed software sites.

Email remains the dominant vector, accounting for 62% of threats stopped by HP Sure Click, while archives like RAR and ZIP lead as the most abused file types at 38%.
The strategic use of trusted public services for hosting malware payloads further complicates detection, underscoring the need for robust endpoint security and user awareness.
As cybercriminals continue to refine their social engineering toolkits by exploiting everyday digital interactions such as cookie consents, organizations and individuals should prioritize threat isolation and treat seemingly innocuous prompts with suspicion to defend against evolving threats like XWorm.