PHALT#BLYX targets European hotels with fake Booking emails and BSoD lures, tricking staff into installing the DCRat remote access trojan.

Researchers uncovered a late-December 2025 campaign, dubbed PHALT#BLYX, targeting European hotels with fake Booking-themed emails.

Victims are redirected to bogus BSoD pages using ClickFix-style lures that prompt them to apply “fixes.” The multi-stage attack ultimately installs the DCRat remote access trojan, enabling full remote control of infected systems, according to Securonix.

“An ongoing malware campaign tracked as PHALT#BLYX has been identified as a multi-stage infection chain that begins with the click-fix and fake captcha social engineering tactic and deploys a customized DCRat payload.” reads the report published by Securonix. “For initial access, the threat actors utilize a fake booking.com reservation cancellation lure to trick victims into executing malicious PowerShell commands, which silently fetch and execute remote code. This happens via multi-stages involving powershell, proj files and msbuild.”

The PHALT#BLYX campaign targets European hospitality firms using phishing emails themed as Booking.com.

Victims are lured to fake websites with CAPTCHA prompts that trigger a fake Blue Screen of Death (BSoD), tricking users into running malicious PowerShell commands (“ClickFix”).

“The email alerts the recipient to a “Reservation Cancellation” and prominently displays a significant financial charge (e.g., €1,004.38). This high-value charge creates a sense of urgency and panic, compelling the victim to investigate immediately.” continues the report. “Once they click the “See Details” button to verify the charge. The link does not lead to Booking.com. Instead, it routes the user through an intermediate redirector (`oncameraworkout[.com/ksbo`) before landing on the malicious domain `low-house[.com`.”

This downloads an MSBuild project file, compiled via MSBuild.exe to deploy a heavily obfuscated DCRat payload. DCRat enables remote access, keylogging, process hollowing, persistence, and secondary payload delivery. The campaign evolved from earlier, easier-to-detect HTA-based delivery to stealthier “living off the land” techniques using MSBuild. Emails reference euro-denominated bookings, and Russian-language artifacts link the activity to Russian-speaking threat actors.

Attackers use an XML-based MSBuild project file (v.proj) to abuse a trusted Windows tool, proxying execution and running an embedded PowerShell script.

In the final stage of the attack, the malware deploys DCRat through a packed .NET loader named staxs.exe. The loader decrypts its embedded configuration using strong encryption based on AES‑256 and PBKDF2. To survive reboots, it establishes persistence by creating a deceptive Internet Shortcut (.url) file in the Windows Startup folder. Once active, the malware connects to one of several command‑and‑control domains and begins profiling the infected system, collecting details about the user and environment. To evade detection, it injects its payload into legitimate Windows processes using process hollowing, allowing the attacker to maintain stealthy and long‑term remote control of the compromised machine.

“The PHALT#BLYX campaign represents a sophisticated evolution in commodity malware delivery, seamlessly blending high-pressure social engineering with advanced “Living off the Land” techniques The psychological manipulation, combined with the abuse of trusted system binaries like `MSBuild.exe`, allows the infection to establish a foothold deep within the victim’s system before traditional defenses can react.” concluders the report. “The technical complexity of the infection chain reveals a clear intent to evade detection and maintain long-term persistence.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini****

(SecurityAffairs** – hacking, PHALT#BLYX)**