HP Wolf Security research has uncovered spoofed travel booking websites with malicious cookie pop-ups targetting holidaymakers ahead of the summer break. The company’s latest Threat Insights Report shows that attackers continue to take advantage of users’ click fatigue – particularly during fast-paced, time-sensitive browsing moments, like booking travel deals.
With analysis of real-world cyberattacks, the report helps organisations to keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape.
The report details an investigation into suspicious domains, related to an earlier CAPTCHA-themed campaign, which uncovered fake travel booking websites. The spoofed sites feature branding imitating booking.com, but with the content blurred and a deceptive cookie banner designed to trick users into clicking Accept, triggering a download of a malicious JavaScript file.
Opening the file installs XWorm, a remote access trojan that gives attackers full control of the device, including access to files, webcams, microphones, and the ability to deploy further malware or disable security tools.
The campaign was first detected in the first quarter of 2025, coinciding with the peak summer holiday booking period, a time when users are particularly vulnerable to travel-themed lures. Yet it remains active, with new domains continuing to be registered and used to deliver the same booking-related lure.
“Since the introduction of privacy regulations such as GDPR, cookie prompts have become so normalised that most users have fallen into a habit of click-first, think later,” says HP Security Labs Principal Threat Researcher Patrick Schläpfer. “By mimicking the look and feel of a booking site at a time when holiday-goers are rushing to make travel plans, attackers don’t need advanced techniques – just a well-timed prompt and the user’s instinct to click.”
Based on data from millions of endpoints running HP Wolf Security, threat researchers also discovered:
-
Impostor files hiding in plain sight: Attackers used Windows Library files to sneak malware inside familiar-looking local folders, such as Documents or Downloads. Victims were shown a Windows Explorer pop-up, displaying a remote WebDAV folder with a PDF-lookalike shortcut that launched malware when clicked.
-
PowerPoint trap mimics folder opening: A malicious PowerPoint file, opened in full-screen mode, mimicking the launch of a standard folder. When users click to escape, they trigger an archive download containing a VBScript and executable, pulling a GitHub-hosted payload to infect the device.
-
MSI installers on the rise: MSI installers are now among the top file types used to deliver malware, largely driven by ChromeLoader campaigns. Often distributed through spoofed software sites and malvertising, these installers use valid, recently issued code-signing certificates to appear trusted and bypass Windows security warnings.
-
By isolating threats that have evaded detection tools on PCs but still allowing malware to detonate safely inside secure containers, HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 50 billion email attachments, web pages, and downloaded files with no reported breaches.
“Users are growing desensitised to pop-ups and permission requests, making it easier for attackers to slip through,” said Global Head of Security for Personal Systems Ian Pratt. “Often, it’s not sophisticated techniques, but moments of routine that catch users out. The more exposed those interactions are, the greater the risk. Isolating high-risk moments, like clicking on untrusted content, helps businesses reduce their attack surface without needing to predict every attack.”
You can read the full report here.
