
Watch Out For Worms in Your Cookies, HP Warns Holidaymakers

HP

Sydney, Australia, June 13, 2025 – HP Inc. (NYSE: HPQ) has issued its latest Threat Insights Report, showing attackers continuing to take advantage of users’ “click fatigue” – particularly during fast-paced, time-sensitive browsing moments, like booking travel deals.

With analysis of real-world cyberattacks, the report helps organisations keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape.

The report details an investigation into suspicious domains – related to an earlier CAPTCHA-themed campaign – which uncovered fake travel booking websites. The spoofed sites feature branding imitating booking.com, but with the content blurred, and a deceptive cookie banner designed to trick users into clicking “Accept” – triggering a download of a malicious JavaScript file.

Opening the file installs XWorm, a remote access trojan (RAT) that gives attackers full control of the device, including access to files, webcams, microphones, and the ability to deploy further malware or disable security tools.

The campaign was first detected in Q1 2025, coinciding with the peak summer holiday booking period – a time when users are particularly vulnerable to travel-themed lures. Yet it remains active, with new domains continuing to be registered and used to deliver the same booking-related lure.

Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab, comments:

“Since the introduction of privacy regulations such as GDPR, cookie prompts have become so normalized that most users have fallen into a habit of ‘click-first, think later.’ By mimicking the look and feel of a booking site at a time when holiday-goers are rushing to make travel plans, attackers don’t need advanced techniques - just a well-timed prompt and the user’s instinct to click.”

Based on data from millions of endpoints running HP Wolf Security¹, HP threat researchers also discovered:

  • Impostor Files Hiding In Plain Sight: Attackers used Windows Library files to sneak malware inside familiar-looking local folders – such as “Documents” or “Downloads.” Victims were shown a Windows Explorer pop-up, displaying a remote WebDAV folder with a PDF-lookalike shortcut that launched malware when clicked.
  • PowerPoint Trap Mimics Folder Opening: A malicious PowerPoint file, opened in full-screen mode, mimics the launch of a standard folder. When users click to escape, they trigger an archive download containing a VBScript and executable – pulling a GitHub-hosted payload to infect the device.
  • MSI Installers on the Rise: MSI installers are now among the top file types used to deliver malware, largely driven by ChromeLoader campaigns. Often distributed through spoofed software sites and malvertising, these installers use valid, recently issued code-signing certificates to appear trusted and bypass Windows security warnings.

By isolating threats that have evaded detection tools on PCs – but still allowing malware to detonate safely inside secure containers – HP Wolf Security¹ has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security¹ customers have clicked on over 50 billion email attachments, web pages, and downloaded files with no reported breaches.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., comments:  

“Users are growing desensitised to pop-ups and permission requests, making it easier for attackers to slip through. Often, it’s not sophisticated techniques, but moments of routine that catch users out. The more exposed those interactions are, the greater the risk. Isolating high-risk moments, like clicking on untrusted content, helps businesses reduce their attack surface without needing to predict every attack.”

Please visit the HP Threat Research Blog to view the report.


Key Facts:

News Highlights

  • Latest HP Threat Insights Report highlights fake travel websites with malicious cookie consent banners being used to take control of holiday bookers’ devices.
  • Report shows threat actors using Windows Library files to disguise malware as PDFs inside familiar-looking local folders like “Documents.”
  • MSI installers are now among the top file types used to deliver malware, largely driven by ChromeLoader campaigns.


About us:

About HP

HP Inc. is a global technology leader and creator of solutions that enable people to bring their ideas to life and connect to the things that matter most. Operating in more than 170 countries, HP delivers a wide range of innovative and sustainable devices, services and subscriptions for personal computing, printing, 3D printing, hybrid work, gaming, and more. For more information, please visit http://www.hp.com.

 

About HP Wolf Security

HP Wolf Security is world class endpoint security. HP’s portfolio of hardware-enforced security and endpoint-focused security services are designed to help organisations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services. Visit https://hp.com/wolf. 

1. HP Wolf Security for Business requires Windows 10 or 11 Pro and higher, includes various HP security features and is available on HP Pro, Elite, RPOS and Workstation products. See product details for included security features.


Contact details:

[email protected]

hp.com/go/newsroom
