Security researchers warn of a new phishing campaign that uses a Unicode homoglyph to impersonate Booking.com, exploiting the way some fonts render a Japanese character to trick users at a glance. The attackers rely on the hiragana character ん (U+3093) to resemble a forward slash or the letters “/n,” enabling malicious links to look like legitimate Booking.com URLs.
The operation centers on a deceptive URL structure where a Booking.com subdomain appears to host a page, but the actual destination is a lookalike domain. One example described in security research shows a link that visually resembles a Booking.com path but redirects to www-account-booking.com instead. When clicked, victims are taken to a further redirect such as www-account-booking.com/c.php?a=0, which then serves a malicious MSI installer from a CDN.
Researchers say the MSI file is used to drop additional payloads, potentially including infostealers or remote access trojans. The campaign has been documented with samples available on MalwareBazaar and analysis on Any.run, illustrating the infection chain from the malicious installer to secondary payloads.
Homoglyphs, characters that look similar but come from different writing systems, have long been leveraged in phishing and brand-impersonation schemes. In this case, the visual similarity between the ん character and a Latin sequence fooled some users into thinking they were navigating Booking.com pages. Mozilla researchers note that display algorithms for IDN need to balance usability and security to counter such tricks, and defenders continue to adapt today.
Separately, a related phishing campaign used a domain lookalike for Intuit. The attackers deployed an Lntuit-like name that, in certain fonts, resembles “intuit.” The message pointed users to a link that redirected to intfdsl.us/sa5h17, while the legitimate login page remains accounts.intuit.com/app/sign-in. The mobile-oriented layout of the emails aimed to entice users to click the phishing button labeled “Verify my email.”
To reduce risk, security experts urge users to hover over links to reveal true targets, verify the actual registered domain at the far right end of the address, and keep endpoint security software up to date to detect and block drive-by downloads from phishing sites. Researchers also point to resources such as the IDN Display Algorithm maintained by Mozilla to understand how punycode and homoglyphs are rendered in browsers.
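The "verify the actual registered domain" check can be automated in a mail or proxy filter. The following is an added example, not code from the researchers or from Booking.com: the sample Booking.com-style URL is constructed (only the registered domain www-account-booking.com comes from the article), the `TRUSTED` list is an assumption, and the registered domain is approximated as the last two host labels rather than looked up in the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Brands the recipient expects to see (assumption for this example).
TRUSTED = {"booking.com", "intuit.com"}

def registered_domain(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def inspect_link(url):
    """Report where a URL really points and why it may be deceptive."""
    # The host ends at the first single "/" after the scheme; a lookalike
    # character such as U+3093 is not a delimiter and stays inside the host.
    host = urlsplit(url).hostname or ""
    reg = registered_domain(host)
    findings = []
    # Name every non-ASCII character in the host so an analyst can judge it.
    for ch in sorted(set(host)):
        if ord(ch) > 127:
            name = unicodedata.name(ch, "UNKNOWN")
            findings.append(f"non-ASCII U+{ord(ch):04X} {name} in host")
    # A trusted brand shown in the host while the registered domain differs.
    for brand in sorted(TRUSTED):
        if brand in host and reg != brand:
            findings.append(f"'{brand}' appears in host but registered domain is '{reg}'")
    return {
        "host": host,
        "registered_domain": reg,
        # ASCII (punycode) form: the "xn--" label exposes the hidden character.
        "punycode": host.encode("idna").decode("ascii"),
        "findings": findings,
    }

# Constructed samples: the first mimics the lure described in the article,
# the second is the legitimate Intuit sign-in URL the article cites.
SAMPLES = [
    "https://account.booking.com\u3093detail\u3093login.www-account-booking.com/en/",
    "https://accounts.intuit.com/app/sign-in",
]

if __name__ == "__main__":
    for url in SAMPLES:
        result = inspect_link(url)
        print(result["punycode"], "->", result["registered_domain"])
        for finding in result["findings"]:
            print("   ", finding)
```

The punycode form is the one to log or display in alerts, since it cannot be mistaken for a path separator in any font.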