PHALT#BLYX: Fake Booking.com Emails and ClickFix BSoD Trap Deploy DCRat Malware on Hotel Systems

Security researchers at Securonix have identified a sophisticated attack campaign specifically engineered to compromise hotel computer systems across Europe. Dubbed PHALT#BLYX, the operation combines convincing Booking.com impersonation with an innovative social engineering technique that manipulates victims into infecting their own machines.

From Reservation Cancellation to System Compromise

The infection sequence begins with carefully crafted phishing emails mimicking official Booking.com communications. Recipients receive urgent notifications about unexpected reservation cancellations, complete with links to "confirm" the customer's request.

Clicking the embedded link redirects victims to fraudulent domains hosting pixel-perfect replicas of Booking.com's interface. However, instead of legitimate booking management, users encounter a fake CAPTCHA verification followed by a refresh button. Selecting this button triggers the campaign's signature element: a convincing Blue Screen of Death that appears to indicate a critical system failure.

Weaponizing User Trust Through Fake Recovery Instructions

Here the attack diverges from traditional malware delivery. Rather than attempting downloads that antivirus solutions might intercept, the fake BSoD presents "recovery instructions" that victims are encouraged to follow manually.

Users are guided to open the Windows Run dialog, paste a specific command, and press Enter. This technique exploits the fundamental trust users place in troubleshooting procedures. The psychological manipulation proves remarkably effective—victims believe they're fixing a computer problem when they're actually executing malicious PowerShell code.

To maintain the deception, the script simultaneously opens the legitimate Booking.com administration portal in the default browser, creating a convincing distraction while background processes establish persistence.

Living Off the Land with MSBuild

Once the victim executes the initial PowerShell command, the attack leverages legitimate Windows tools to avoid detection. The dropper downloads an MSBuild project file from attacker-controlled infrastructure, then executes it through Microsoft's own build utility.

When standard privileges limit the malware's options, it doesn't simply fail. Instead, it initiates a UAC spam attack, repeatedly prompting users for elevated permissions until frustration or confusion leads them to click "Yes."

A Full-Featured Remote Access Trojan

DCRat provides attackers with comprehensive control over compromised systems. Core functionality includes keystroke logging to capture credentials and sensitive data, arbitrary command execution for flexible post-compromise operations, and modular architecture supporting deployment of additional payloads.

While definitive attribution remains elusive, linguistic analysis of the campaign's MSBuild project files reveals Russian-language artifacts, suggesting potential ties to Russian-speaking threat actors with established DCRat expertise.

Protecting Hospitality Operations

Organizations in the hospitality sector should implement multi-layered defenses against this attack pattern:

Staff Training

• Awareness of ClickFix techniques
• Never execute commands from external sources
• Verify booking issues through official channels

Technical Controls

• PowerShell execution policies restricting unauthorized scripts
• Application whitelisting preventing MSBuild abuse
• Email filtering for Booking.com impersonation

Given the campaign's reliance on social engineering, security awareness programs should specifically address the psychological manipulation tactics employed—the artificial urgency, the fake system errors, and the false recovery procedures that make ClickFix attacks so effective.