Fake Booking.com Emails Trick Hotel Staff into Installing AsyncRAT via Fake CAPTCHA

Apr 22, 2025 | News





A sophisticated phishing campaign is making the rounds in the hospitality sector, using forged Booking.com emails to trick hotel employees into running malicious commands. The scam is designed to deploy AsyncRAT — a powerful remote access trojan capable of giving attackers deep control over infected systems.


Social Engineering Begins with a Familiar Name

The attack kicks off with an email that appears to originate from Booking.com, a trusted platform used by hotels worldwide. The message claims a guest left behind sensitive belongings and urges the recipient to click a “View guest information” button.

Disguised with Booking.com branding and an urgent tone, the email is a textbook example of social engineering — designed to provoke action without second thought.

[Image: The phishing email]


Fake CAPTCHA Masks a Dangerous Payload

Victims who follow the link are redirected to a counterfeit Booking.com page, hosted at booking.partlet-id739847.com. To further enhance the illusion, the page presents a CAPTCHA widget asking users to confirm they are not bots.

Once the box is checked, a far more dangerous set of instructions appears. Victims are asked to press WIN + R, open the Windows Run dialog, and execute a command copied to their clipboard. This tactic sidesteps browser-based download protections by getting the user to launch the malware manually.

[Image: Fake CAPTCHA]


The Malware: AsyncRAT, a Persistent and Evasive Trojan

At the heart of the scam is AsyncRAT, a widely used remote access trojan known for its stealth and flexibility. Active since 2019, it allows cybercriminals to:

  • Log keystrokes

  • Access files and steal data

  • Control desktops remotely

  • Install additional malware

  • Maintain long-term access to compromised devices

AsyncRAT is often deployed using trusted Windows processes like MSBuild.exe, making it difficult for some antivirus software to detect. Once installed, it hides in the %AppData% directory and communicates with a command-and-control server over a custom port.

[Image: Full sandbox report (ANY.RUN)]


Growing Threat from a Proven Actor

AsyncRAT has been observed in several high-profile campaigns. Microsoft flagged its use against aerospace and travel companies in 2021. By 2023, variants like DcRAT were spreading through fake adult content links. More recently, the malware was embedded in malicious image files and used to target U.S. infrastructure in early 2024.

Its consistent evolution and open-source nature make AsyncRAT a weapon of choice for cybercriminals seeking persistence and stealth.




Why This Campaign Is Especially Dangerous

Unlike common phishing scams that aim to steal passwords or login credentials, this attack takes a more insidious route: tricking users into installing the malware themselves. By guiding the victim through manual command execution, the attackers bypass traditional download filters and endpoint security mechanisms.

Successful infections could expose sensitive guest information, financial data, and internal hotel operations to external actors.


Security Advice for the Hospitality Industry

Hotel staff and IT teams are advised to remain vigilant and adopt the following best practices:

  • Do not click links in unsolicited emails, even if they appear official.

  • Never execute commands from unknown emails or websites, especially those instructing use of the Run dialog.

  • Verify URLs carefully: legitimate Booking.com links do not sit under unfamiliar domains like partlet-id739847.com, where "booking" is only a subdomain label placed in front of the counterfeit site's domain.

  • Report suspicious messages directly to Booking.com via official partner support channels.

  • Educate employees about phishing tactics and simulate awareness training regularly.
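
The URL check from the advice above, as an added example in Python (not part of the original article): it pulls links out of an email body and flags any that use the Booking brand in the host or userinfo without being under booking.com. Treating booking.com as the only trusted domain is an assumption, and the sample email is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: only booking.com and its subdomains count as genuine.
TRUSTED_DOMAIN = "booking.com"
BRAND = "booking"

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'other' for a single link."""
    try:
        parts = urlsplit(url.strip())
        # .hostname is lowercased and excludes userinfo and port.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "other"
    if parts.scheme not in ("http", "https"):
        return "other"
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    # Brand appears in the authority (host or userinfo) but the host is
    # not under the trusted domain: the pattern this campaign relies on.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    return "other"


def lookalike_links(html: str) -> list[str]:
    """Extract href targets from an email body and keep the lookalikes."""
    return [u for u in HREF_RE.findall(html) if classify_url(u) == "lookalike"]


# Constructed sample email body (the first host is the one named in the article).
SAMPLE_EMAIL = """
<p>A guest left behind belongings.</p>
<a href="https://booking.partlet-id739847.com/">View guest information</a>
<a href="https://www.booking.com/">Home</a>
<a href="https://booking.com@partlet-id739847.com/x">Details</a>
<a href="https://example.org/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for link in lookalike_links(SAMPLE_EMAIL):
        print("lookalike:", link)
```
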


Source: hackread.com
