Threat Actors Deploy XWorm Malware via Fake Travel Websites to Infect Users’ PCs


The HP Threat Research team discovered a sophisticated malware campaign in Q1 2025 that targets vacation planners by imitating Booking.com using phony travel websites.

As detailed in the latest HP Wolf Security Threat Insights Report, attackers are leveraging users’ “click fatigue” with cookie consent banners to deploy XWorm, a dangerous remote access trojan (RAT).

Exploiting Click Fatigue

Unsuspecting users, directed to these deceptive sites, encounter a counterfeit cookie banner that, when accepted, triggers the download of a malicious JavaScript file.

Disguised as part of the routine browsing experience mandated by GDPR compliance since 2018, this social engineering tactic exploits the habitual dismissal of such pop-ups, making it alarmingly effective.

Once activated, the JavaScript retrieves two PowerShell scripts, camouflaged with an .mp4 extension to evade detection in web proxy logs, which initiate the installation of XWorm, enabling attackers to remotely control infected systems and exfiltrate ...
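A defender-side check for the extension masquerade described above, added here as an example and not taken from the HP report or the article: it inspects the first bytes of any download whose URL ends in .mp4 and flags bodies that are script text rather than an ISO BMFF container. The URLs and payload bytes are constructed samples, and the accepted box-type set and the 95% printable threshold are assumptions.

```python
import string
import struct

# First-box types accepted at the start of an ISO BMFF / QuickTime file (heuristic set).
MEDIA_BOXES = {b"ftyp", b"styp", b"moov", b"mdat", b"free", b"skip", b"wide"}
TEXT_BYTES = set(string.printable.encode())

def looks_like_mp4(head: bytes) -> bool:
    """True if the payload starts with a plausible ISO BMFF box header."""
    if len(head) < 8:
        return False
    size, box = struct.unpack(">I4s", head[:8])
    # size 1 means a 64-bit size follows, 0 means the box runs to end of file
    return box in MEDIA_BOXES and (size in (0, 1) or size >= 8)

def looks_like_text(head: bytes) -> bool:
    """True if the payload is mostly printable text (ASCII/UTF-8 or UTF-16 script)."""
    if head[:2] in (b"\xff\xfe", b"\xfe\xff"):   # UTF-16 BOM
        head = head[2:].replace(b"\x00", b"")
    elif head[:3] == b"\xef\xbb\xbf":            # UTF-8 BOM
        head = head[3:]
    if not head:
        return False
    printable = sum(b in TEXT_BYTES for b in head)
    return printable / len(head) > 0.95

def triage(url: str, head: bytes) -> str:
    """Classify a download whose URL path claims to be an .mp4."""
    path = url.split("?", 1)[0].split("#", 1)[0].lower()
    if not path.endswith(".mp4"):
        return "not-mp4-url"
    if looks_like_mp4(head):
        return "ok"
    return "alert-text-as-mp4" if looks_like_text(head) else "alert-unknown-as-mp4"

# Constructed samples: (URL, first bytes of the response body)
SAMPLES = [
    ("https://media.example/clip.mp4", b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2"),
    ("https://site.example/a.mp4", b"$p = Get-Process\r\nWrite-Output $p.Count\r\n"),
    ("https://site.example/b.mp4?x=1", "\ufeffWrite-Output 'hi'".encode("utf-16-le")),
    ("https://site.example/c.mp4", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
]

if __name__ == "__main__":
    for url, head in SAMPLES:
        print(f"{triage(url, head):22} {url}")
```

The same comparison can be run at a proxy or in retrospective hunting wherever the first bytes of a response body are retained alongside the requested URL.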


Copyright of this story solely belongs to gbhackers.