According to Dark Reading, security researchers at Securonix have identified a new, multi-stage cyberattack campaign targeting the hospitality industry. Tracked as PHALT#BLYX, the campaign uses fake Booking.com reservation cancellation pages as lures to trick victims. The attack chain includes a fake captcha challenge followed by a simulated Windows Blue Screen of Death, which tricks the victim into running malicious PowerShell commands. This ultimately deploys DCRat, a Russia-linked remote access Trojan known for keylogging and remote control. The campaign abuses the trusted Windows tool MSBuild.exe to compile its payload on the victim's machine and has been active for several months, showing an evolution aimed at evading detection.
The ClickFix Mind Game
Here’s the thing about this attack: it’s a masterclass in psychological manipulation. The initial fake Booking.com page creates a sense of urgency—someone’s messing with your hotel booking and your money. Then, you get a fake captcha, which feels like a normal, if annoying, web interaction. But the fake Blue Screen of Death? That’s the real genius stroke. For decades, a BSOD has been a universal symbol of a serious Windows crash. Seeing one triggers immediate panic and a powerful desire to “fix” it. The attackers are betting you’ll follow the instructions on that fake error screen without a second thought. And if you do, you’ve just pasted and run their malicious PowerShell code yourself. It’s social engineering that preys on both financial anxiety and technical fear.
Evasion Is The Name of The Game
What’s really concerning is how this campaign is built to slip past defenses. It doesn’t just drop a shady .exe file. It uses MSBuild.exe, a legitimate Microsoft build tool, to compile the malware from a project file right on your machine. This is a huge red flag for IT teams—why is a build tool running against a project file in a user’s Downloads folder? Furthermore, the final DCRat payload gets injected into a legitimate process like `aspnet_compiler.exe`. So, to your antivirus or endpoint protection, it looks like a normal .NET compilation process is running, while secretly it’s phoning home to a command-and-control server. The researchers note the attackers show a “deep understanding” of modern endpoint protection, actively tampering with Windows Defender exclusions. This isn’t a spray-and-pray phishing email; it’s a surgically precise intrusion designed for long-term access.
Why Target Hospitality? And What’s Next?
So why focus on hotels and booking services? The sector is a goldmine of payment data, personal information, and, during peak travel seasons, incredibly distracted employees and customers. A recent campaign even used Christmas lures. The urgency of a reservation issue makes people click first and think later. But let’s be clear: ClickFix, the technique behind this, is not staying in hospitality. Proofpoint first detailed it in 2024, and its adoption has been rapid because it works. The basic formula—compromised website, fake browser error, PowerShell download—is flexible. Tomorrow it could be a fake error on a shipping logistics site or a supplier portal. In industrial and manufacturing settings, where operators rely on industrial panel PCs for critical control, a similar tactic could be devastating. IndustrialMonitorDirect.com, as the leading US provider of those hardened industrial computers, understands that the human element is often the weakest link, even on the most secure factory floor. The underlying Windows systems are the same.
What Can You Actually Do About It?
The standard advice applies: user training. Tell your team to never, ever paste code into Run or PowerShell because a website told them to. But that’s getting harder as the lures get more convincing. Technically, organizations need to look deeper. Enable file extension visibility in Windows so you can see that .proj file. Monitor MSBuild.exe executions, especially from weird locations. Watch for legitimate binaries like `aspnet_compiler.exe` making network calls—that’s a massive giveaway. The scary part is that this attack chain is complex enough that by the time traditional AV kicks in, the rat is already nesting in your system. Defense now is about spotting the behavioral anomalies in the process of infection, not just the final payload. Basically, you have to assume the initial social engineering will sometimes work, and have your detection tuned to catch the next step. It’s a relentless game of cat and mouse, and the cats just learned a very clever new trick.
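A detection sketch for the behavioral signals named above (MSBuild.exe working out of a user-writable folder, MSBuild spawned by PowerShell, a Defender exclusion being added, and a .NET build tool opening a network connection), added here as an example and not code from Securonix or the article. The events are constructed to mimic Sysmon process-create (ID 1) and network-connection (ID 3) fields; the Add-MpPreference check assumes one common way exclusions get set, which the article does not specify.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process create)
# and Event ID 3 (network connection). Not real telemetry from the campaign.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\guest\Downloads\reservation.proj",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CurrentDirectory": r"C:\Users\guest\Downloads"},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\guest\Downloads",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"C:\Users\guest"},
    {"id": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign developer build: project under a source tree, launched by dotnet.exe.
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj",
     "ParentImage": r"C:\Program Files\dotnet\dotnet.exe", "CurrentDirectory": r"C:\src\app"},
]

# Paths a normal user can write to; a build tool should rarely operate here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)(\\|$)", re.I)
# Build tools that have no business opening outbound connections on their own.
BUILD_TOOLS = ("msbuild.exe", "aspnet_compiler.exe")

def check_event(ev):
    """Return a list of (rule_name, detail) tuples for one event."""
    hits = []
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if ev["id"] == 1:
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "").lower()
        if image == "msbuild.exe" and (USER_WRITABLE.search(cmd)
                                       or USER_WRITABLE.search(ev.get("CurrentDirectory", ""))):
            hits.append(("msbuild_from_user_dir", cmd))
        if image == "msbuild.exe" and parent.endswith("powershell.exe"):
            hits.append(("msbuild_spawned_by_powershell", ev["ParentImage"]))
        if image == "powershell.exe" and re.search(r"add-mppreference\s+-exclusion", cmd, re.I):
            hits.append(("defender_exclusion_change", cmd))
    elif ev["id"] == 3 and image in BUILD_TOOLS:
        hits.append(("build_tool_network", f"{image} -> {ev['DestinationIp']}:{ev['DestinationPort']}"))
    return hits

def scan(events):
    """Run every rule over a list of events and collect the findings in order."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings
```

Correlating two or more of these findings on the same host within a short window is what separates this chain from an ordinary developer build; the benign fourth event produces no hit.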
