The latest HP threat report shows how attackers continue to exploit users' "click fatigue", especially during moments of hurried browsing such as booking travel.

The report, based on the analysis of real attacks, helps organizations keep up with the most recent techniques cybercriminals use to evade detection and gain access to PCs.

The research details suspicious domains, related to a previous CAPTCHA-based campaign, which turned out to be fake travel booking sites. These websites imitated the Booking.com brand, with blurred content and a cookie banner designed to trick the user into clicking "Accept", which triggered the download of a malicious JavaScript file.

Opening the file installs XWORD, a remote access Trojan (RAT) that gives the attackers complete control of the device, including files, webcams and microphones, and the ability to deploy more malware or disable security tools.

The campaign was first detected in the first quarter of 2025, coinciding with the peak of summer holiday bookings, and is still active, with new domains that continue to use the same booking lure.

Patrick Schläpfer, Principal researcher in the HP Security Laboratory, commented: “Since the introduction of regulations such as the GDPR, cookie banners have become so common that most users have adopted a habit of ‘click first, think later’. By imitating the appearance of a booking site at a time when people are in a hurry, the attackers do not need advanced techniques, only an automatic click from the user.”

Based on data from millions of endpoints running HP Wolf Security, HP threat researchers also discovered:

  • Impostor files in plain sight: Windows library files were used to sneak malware into folders such as "Documents" or "Downloads". The victim was shown a Windows Explorer pop-up displaying a remote WebDAV folder with a PDF shortcut that launched the malware when clicked.
  • PowerPoint trap: A malicious PowerPoint file opened in full-screen mode, simulating the opening of a folder. When the user tried to exit, this triggered the download of a compressed file containing a VBScript and an executable, which downloaded a payload from GitHub.
  • MSI installers on the rise: Driven by ChromeLoader campaigns, this file type has become one of the main malware delivery vectors. The installers are frequently distributed through fake software sites and malicious advertising, and use valid code-signing certificates to evade Windows security alerts.
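A defender can triage the library-file technique in the first item by listing any location in a library file that points off the local machine. The following is an added example, not code from HP's report; it assumes "Windows library files" means `.library-ms` XML documents, and the sample file and hostnames are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# XML namespace of Windows Library (.library-ms) documents.
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}
# Locations that resolve off the local machine: web URLs and UNC paths.
REMOTE = re.compile(r"^(https?://|\\\\|//)", re.IGNORECASE)
# WebDAV markers: http(s) URL, \\host@port or \\host@SSL, or \DavWWWRoot.
WEBDAV = re.compile(r"^https?://|@(ssl|\d+)|\\davwwwroot", re.IGNORECASE)

# Constructed sample; hostnames are placeholders, not indicators.
SAMPLE = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\files.example.test@8080\DavWWWRoot\docs</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>https://dav.example.test/share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def remote_locations(library_xml: str):
    """Return [(url, kind)] for each non-local location in a library file."""
    # Refuse DTDs so hostile files cannot use entity-expansion tricks.
    if "<!doctype" in library_xml.lower():
        raise ValueError("DOCTYPE not allowed in library file")
    root = ET.fromstring(library_xml)
    findings = []
    for node in root.iterfind(".//lib:simpleLocation/lib:url", NS):
        url = (node.text or "").strip()
        if REMOTE.match(url):
            findings.append((url, "webdav" if WEBDAV.search(url) else "unc"))
    return findings


if __name__ == "__main__":
    for url, kind in remote_locations(SAMPLE):
        print(f"remote {kind} location: {url}")
```

A library file that arrives by e-mail or download and yields any finding here is worth quarantining, since legitimate libraries normally reference known folders or local paths.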

By isolating threats that have evaded detection tools on PCs, while allowing the malware's behavior to be observed without putting devices at risk, HP Wolf Security offers a unique view of the most recent techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on more than 50 billion files, sites and attachments with no reported breaches.

Dr. Ian Pratt, Global Security Director for Personal Systems at HP, said: “Users have become desensitized to pop-ups and permission requests, which makes the attackers' work easier. Many times, they are not sophisticated techniques, but everyday routines that expose users. Isolating these high-risk moments, such as clicking on untrusted content, helps companies reduce their attack surface without having to predict each threat.”