Threat Insights Report – June 2025

Each quarter our security experts highlight notable malware campaigns, trends and techniques identified by HP Wolf Security. By isolating threats that have evaded detection tools and made it to endpoints, HP Wolf Security gives an insight into the latest techniques used by cybercriminals, equipping security teams with the knowledge to combat emerging threats and improve their security postures.1 This edition of the report describes notable threats seen in the wild in Q1 2025. Executive Summary

In Q1 2025, the HP Threat Research team tracked a large malware campaign where attackers deployed fake travel websites with malicious cookie consent banners to infect holiday bookers’ PCs with XWorm, a remote access trojan (RAT). Potential victims are directed to websites imitating Booking.com, a popular travel reservation website, where they are prompted to accept a fake cookie banner that downloads and runs the malware on their computer. The attackers tried to take advantage of users’ “click fatigue” when it comes to accepting or dismissing cookie banners. This activity is an evolution of campaigns seen in Q4 2024 that relied on fake CAPTCHA challenges to trick users into running malicious PowerShell commands on their devices to deploy malware.