Security researchers have detailed a newly identified campaign, tracked as PHALT#BLYX, that uses ClickFix-style lures posing as fixes for fake blue screen of death (BSoD) errors in attacks aimed at the European hospitality sector.
The goal of the multi-stage operation is to deploy a remote access trojan (RAT) called DCRat, according to cybersecurity firm Securonix, which first observed the activity in late December 2025.
According to researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee, the attackers open with a fake Booking.com reservation-cancellation lure, tricking victims into running malicious PowerShell commands that quietly retrieve and execute remote code.
The attack chain starts with a phishing email masquerading as Booking.com that links to a counterfeit website such as "low-house[.]com." Recipients are told that a reservation has been unexpectedly cancelled and are urged to click the link to confirm the cancellation.
The fake Booking.com site first shows a phony CAPTCHA page, then redirects to a counterfeit BSoD page whose "recovery instructions" tell the victim to run a PowerShell command. Following those instructions ultimately leads to the deployment of DCRat.
Specifically, the PowerShell dropper downloads an MSBuild project file ("v.proj") from "2fa-bns[.]com" and runs it with "MSBuild.exe". The payload embedded in the project file adds Microsoft Defender Antivirus exclusions to evade detection, establishes persistence by writing to the Startup folder, and then downloads the RAT from the same server that hosted the project file and launches it.
If the malware finds a security product running and itself has administrative privileges, it can disable the product entirely. Without elevated rights, it falls back to a loop that triggers a Windows User Account Control (UAC) prompt every two seconds, for up to three attempts, counting on the victim to grant permission out of frustration.
At the same time, the PowerShell script opens the legitimate Booking.com admin page in the default browser as a distraction, so that the activity looks legitimate to the victim.
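Each stage in the three paragraphs above maps onto telemetry most Windows estates already collect: a process-creation event for MSBuild.exe with a script host as parent, a Defender Operational 5007 event when an exclusion is written, a file-creation event under the Startup folder, and a burst of consent.exe launches for the UAC nag loop. The detection logic below is an added example written for this article, not Securonix's code or the campaign's tooling; it runs four rules over constructed events (field names, hostnames, file names and thresholds are assumptions) and correlates hits per host, so a developer box that legitimately runs MSBuild and sees one UAC prompt is not flagged.

```python
"""Detection logic for the PHALT#BLYX-style chain described above.

Added example, not Securonix's or the campaign's code. Events are constructed to
resemble normalized Windows telemetry (Security 4688 / Sysmon 1 process creation,
Sysmon 11 file creation, Defender Operational 5007 configuration changes); field
names, hostnames, paths and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Script hosts and shells that have no business launching a build tool.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# User-writable drop locations a legitimate build would not run from (assumption).
USER_WRITABLE_RE = re.compile(r"\\(Temp|Downloads|Public)\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Defender 5007 reports the changed registry value; an Exclusions\ key is the tell.
EXCLUSION_RE = re.compile(r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = 0x")
UAC_MIN_PROMPTS, UAC_WINDOW = 3, timedelta(seconds=10)  # article: a prompt every ~2 s, three attempts


def _base(path):
    return PureWindowsPath(path).name.lower()


def rule_msbuild_proxy(ev):
    """MSBuild.exe spawned by a script host, or pointed at a project in a drop folder."""
    if ev["type"] != "process" or _base(ev["image"]) != "msbuild.exe":
        return None
    if _base(ev["parent"]) in SCRIPT_HOSTS or USER_WRITABLE_RE.search(ev["cmdline"]):
        return f"MSBuild.exe proxy execution: parent={_base(ev['parent'])} cmdline={ev['cmdline']!r}"
    return None


def rule_defender_exclusion(ev):
    """A Defender exclusion being added (Add-MpPreference or a direct registry write)."""
    if ev["type"] != "defender" or ev["event_id"] != 5007:
        return None
    m = EXCLUSION_RE.search(ev["message"])
    return f"Defender exclusion added ({m.group(1)}): {m.group(2)}" if m else None


def rule_startup_persistence(ev):
    """A file dropped into a Startup folder by something other than the user or an installer."""
    if ev["type"] != "file" or not STARTUP_RE.search(ev["target"]):
        return None
    if _base(ev["image"]) in {"explorer.exe", "msiexec.exe"}:  # allowlist is an assumption
        return None
    return f"Startup folder write by {_base(ev['image'])}: {ev['target']}"


def rule_uac_storm(events):
    """Three or more UAC prompts (consent.exe launches) inside a short window: the nag loop."""
    prompts = sorted(datetime.fromisoformat(e["ts"]) for e in events
                     if e["type"] == "process" and _base(e["image"]) == "consent.exe")
    for i in range(len(prompts) - UAC_MIN_PROMPTS + 1):
        if prompts[i + UAC_MIN_PROMPTS - 1] - prompts[i] <= UAC_WINDOW:
            return f"{UAC_MIN_PROMPTS} UAC prompts within {UAC_WINDOW.seconds}s from {prompts[i].isoformat()}"
    return None


def analyze(events):
    """Return {host: {rule_name: detail}} for every host where at least one rule fired."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in per_host.items():
        hits = {}
        for ev in evs:
            for rule in (rule_msbuild_proxy, rule_defender_exclusion, rule_startup_persistence):
                detail = rule(ev)
                if detail:
                    hits.setdefault(rule.__name__, detail)
        detail = rule_uac_storm(evs)
        if detail:
            hits["rule_uac_storm"] = detail
        if hits:
            findings[host] = hits
    return findings


def chain_hosts(findings, min_rules=3):
    """Hosts where enough independent stages fired to call it the chain rather than noise."""
    return sorted(h for h, hits in findings.items() if len(hits) >= min_rules)


MSBUILD_SYS = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [  # constructed for this example, not telemetry from the campaign
    {"host": "FRONTDESK-01", "ts": "2025-12-29T09:14:00", "type": "process", "image": MSBUILD_SYS,
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"MSBuild.exe C:\Users\guest\AppData\Local\Temp\v.proj"},
    {"host": "FRONTDESK-01", "ts": "2025-12-29T09:14:03", "type": "defender", "event_id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\guest\AppData\Local\Temp = 0x0"},
    {"host": "FRONTDESK-01", "ts": "2025-12-29T09:14:05", "type": "file", "image": MSBUILD_SYS,
     "target": r"C:\Users\guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
] + [  # the UAC loop: consent.exe is launched by the AppInfo service (svchost.exe) for each prompt
    {"host": "FRONTDESK-01", "ts": f"2025-12-29T09:14:{s:02d}", "type": "process", "cmdline": "consent.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\consent.exe"}
    for s in (8, 10, 12)
] + [  # a developer box: MSBuild from Visual Studio on a real project, plus one genuine UAC prompt
    {"host": "DEV-07", "ts": "2025-12-29T09:20:00", "type": "process",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\devenv.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\booking-ui\booking-ui.csproj"},
    {"host": "DEV-07", "ts": "2025-12-29T09:21:00", "type": "process", "cmdline": "consent.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\consent.exe"},
]
```

`analyze(SAMPLE_EVENTS)` returns all four rule hits for FRONTDESK-01 and nothing for DEV-07, and `chain_hosts` names only the front-desk machine. The per-host correlation is the point: each rule alone has benign hits (builds from Temp on CI agents, admins adding exclusions, installers writing to Startup), but three or more of them on one host inside a few minutes is the chain the article describes.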
DCRat, also known as Dark Crystal RAT, is a pre-built .NET trojan that harvests sensitive data and extends its capabilities through a plugin-based architecture. It connects to an external server, profiles the infected system, and waits for commands, letting the operators capture keystrokes, execute arbitrary commands, and deliver additional payloads such as a cryptocurrency miner.
This campaign illustrates how threat actors rely on living-off-the-land (LotL) techniques, abusing trusted, signed system binaries such as "MSBuild.exe" to progress through the attack, deepen their foothold, and maintain persistence on compromised systems.
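What makes MSBuild.exe usable as an execution proxy is that a project file can carry C# source inside a <UsingTask> whose TaskFactory is CodeTaskFactory (or RoslynCodeTaskFactory); MSBuild compiles and runs that code at build time, under the signed MSBuild.exe process. The scanner below is an added example, not the campaign's v.proj or Securonix's tooling. It parses a project file, lists inline tasks and Exec commands, and greps the embedded code for the indicator classes the article names (Defender exclusions, Startup persistence, downloads, process launches); the two sample projects and the indicator list are constructed assumptions.

```python
"""Static triage of an MSBuild project file for inline-task proxy execution.

Added example, not the campaign's v.proj and not Securonix's tooling. The sample
projects and the indicator patterns are constructed for the demo; the verdict
thresholds are assumptions a team would tune to its own build estate.
"""
import re
import xml.etree.ElementTree as ET

# Task factories that compile source embedded in the project file at build time.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# Indicator classes from the article; patterns are an assumption, not a signature set.
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference|Set-MpPreference|Exclusion(Path|Process|Extension)", re.I),
    "startup_folder": re.compile(r"Start Menu\\Programs\\Startup|shell:startup", re.I),
    "download": re.compile(r"WebClient|DownloadFile|DownloadString|HttpClient|Invoke-WebRequest|\biwr\b", re.I),
    "process_launch": re.compile(r"Process\.Start|cmd\.exe|powershell", re.I),
}


def _local(tag):
    """Strip the MSBuild XML namespace (old-style projects carry one, SDK-style do not)."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Return inline task names, matched indicator classes, and a verdict for one project file."""
    root = ET.fromstring(xml_text.strip())
    inline_tasks, blobs = [], []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "UsingTask" and el.attrib.get("TaskFactory", "").lower() in INLINE_FACTORIES:
            inline_tasks.append(el.attrib.get("TaskName", "?"))
            blobs.extend(c.text for c in el.iter() if _local(c.tag) == "Code" and c.text)
        elif tag == "Exec" and el.attrib.get("Command"):
            blobs.append(el.attrib["Command"])  # <Exec> is the other built-in way to run a shell
    text = "\n".join(blobs)
    indicators = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if inline_tasks and len(indicators) >= 2:
        verdict = "likely-malicious"
    elif inline_tasks or indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"inline_tasks": inline_tasks, "indicators": indicators, "verdict": verdict}


# Constructed sample: an old-style project whose only purpose is to run inline C#.
SUSPICIOUS_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Stage />
  </Target>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        // constructed indicator text for the scanner, not the campaign's payload
        var psi = new System.Diagnostics.ProcessStartInfo("powershell.exe",
            "-c Add-MpPreference -ExclusionPath $env:TEMP");
        System.Diagnostics.Process.Start(psi);
      ]]></Code>
    </Task>
  </UsingTask>
</Project>"""

# Constructed sample: an ordinary SDK-style project with a harmless Exec step.
BENIGN_PROJECT = r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <Target Name="RestoreTools" BeforeTargets="Build">
    <Exec Command="dotnet tool restore" />
  </Target>
</Project>"""
```

`scan_project(SUSPICIOUS_PROJECT)` reports the inline task `Stage` with the `defender_exclusion` and `process_launch` indicators and a `likely-malicious` verdict; the SDK-style project comes back `clean`. On a real estate the useful signal is the first field alone: an inline code task in a project that arrived via PowerShell into a user's Temp folder is wrong regardless of what the code says, because legitimate builds do not fetch their project files from the internet at runtime.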
Securonix noted that the phishing emails prominently feature room charge details in euros, pointing to a focus on European targets. Russian-language content in the 'v.proj' MSBuild file links the activity to Russian-speaking threat actors who use DCRat.
The use of a custom MSBuild project file for proxy execution, combined with aggressive manipulation of Windows Defender exclusions, reflects a solid understanding of contemporary endpoint protection.