Imagine receiving an email about a hotel reservation cancellation, only to find yourself staring at a fake Blue Screen of Death (BSoD) moments later. This is the chilling reality for many in the European hospitality sector, who are being targeted by a sophisticated cyberattack campaign dubbed PHALT#BLYX. But here's where it gets even more alarming: this isn't just about a simple phishing scam—it's a multi-stage operation designed to deploy DCRat, a powerful remote access trojan (RAT), onto unsuspecting systems.
Discovered in late December 2025 by cybersecurity researchers at Securonix, this campaign leverages a clever twist on the ClickFix-style lures. It begins with a phishing email impersonating Booking.com, warning recipients of an unexpected reservation cancellation. The email includes a link to a fake website, such as 'low-house[.]com,' urging victims to confirm the cancellation. Once clicked, the victim is redirected to a counterfeit Booking.com site, where they encounter a fake CAPTCHA page. This leads to a bogus BSoD page, complete with 'recovery instructions' that, when followed, execute malicious PowerShell commands.
And this is the part most people miss: these commands silently fetch and run remote code, initiating a complex process. First, the PowerShell dropper downloads an MSBuild project file ('v.proj') from '2fa-bns[.]com.' This file is then executed using 'MSBuild.exe,' a trusted system binary, to run an embedded payload. This payload performs several critical tasks: it configures Microsoft Defender Antivirus exclusions to evade detection, sets up persistence in the Startup folder, and downloads and launches DCRat from the same location.
But here's the controversial part: if the malware detects that it is running with administrator privileges, it can disable security programs entirely. If not, it enters a nagging loop, triggering a Windows User Account Control (UAC) prompt every two seconds, up to three times, in the hope that the victim will grant it elevated permissions out of sheer exasperation. Meanwhile, to distract the victim, the PowerShell code opens the legitimate Booking.com admin page in the default browser, creating an illusion of legitimacy.
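The chain described in the three paragraphs above (PowerShell launching MSBuild.exe, MSBuild launching a shell, the Defender exclusion, the Startup-folder persistence and the burst of UAC prompts) leaves distinct traces in process-creation telemetry. The following is an added example, not code from the article or from Securonix: it runs five hunting rules over constructed, pipe-delimited process-creation records (timestamp|parent image|image|command line). The file paths, user name, timestamps and the redacted stager command line are made up, and treating consent.exe launches as UAC prompts assumes your telemetry records that process.

```python
"""Hunt for the PHALT#BLYX-style execution chain in process-creation telemetry.

Added example, not code from the Securonix write-up. The rules below run over
constructed records in the form timestamp|parent image|image|command line,
such as an EDR or Sysmon export might give after conversion.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample telemetry: paths, user name and timestamps are made up and
# the first command line is deliberately redacted; it is context, not a signal.
SAMPLE_LOG = r"""
2025-12-29T10:02:11|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -c <redacted>
2025-12-29T10:02:14|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|MSBuild.exe C:\Users\alice\AppData\Local\Temp\v.proj
2025-12-29T10:02:16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming
2025-12-29T10:02:17|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|C:\Windows\System32\cmd.exe|cmd.exe /c copy upd.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"
2025-12-29T10:02:20|C:\Windows\System32\svchost.exe|C:\Windows\System32\consent.exe|consent.exe 1234 1 0
2025-12-29T10:02:22|C:\Windows\System32\svchost.exe|C:\Windows\System32\consent.exe|consent.exe 1234 1 0
2025-12-29T10:02:24|C:\Windows\System32\svchost.exe|C:\Windows\System32\consent.exe|consent.exe 1234 1 0
2025-12-29T11:15:00|C:\Program Files\dotnet\dotnet.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|MSBuild.exe C:\src\app\app.csproj
"""


@dataclass
class ProcEvent:
    ts: datetime
    parent: str   # full path of the parent image, lower-cased
    image: str    # full path of the created image, lower-cased
    cmdline: str


# Add-MpPreference with any -Exclusion* parameter: the Defender exclusion step.
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion", re.IGNORECASE)
# Anything written into the per-user or common Startup folder.
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
POWERSHELLS = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELLS | {"cmd.exe"}


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_events(text: str) -> List[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(datetime.fromisoformat(ts), parent.lower(), image.lower(), cmdline))
    return events


def hunt(events: List[ProcEvent], uac_window: timedelta = timedelta(seconds=10),
         uac_min_prompts: int = 3) -> List[Tuple[str, datetime]]:
    """Return (rule name, timestamp) pairs for every record that matches a rule."""
    hits = []
    for e in events:
        parent, image = _name(e.parent), _name(e.image)
        # MSBuild started by PowerShell rather than by a build tool or IDE.
        if parent in POWERSHELLS and image == "msbuild.exe":
            hits.append(("powershell_spawns_msbuild", e.ts))
        # MSBuild acting as a launcher for a shell, as an inline task would.
        if parent == "msbuild.exe" and image in SHELLS:
            hits.append(("msbuild_spawns_shell", e.ts))
        if DEFENDER_EXCLUSION.search(e.cmdline):
            hits.append(("defender_exclusion_added", e.ts))
        if STARTUP_FOLDER.search(e.cmdline):
            hits.append(("startup_folder_write", e.ts))
    # consent.exe hosts the UAC prompt; several launches inside a short window
    # matches the nag loop the article describes (one hit per burst).
    prompts = sorted(e.ts for e in events if _name(e.image) == "consent.exe")
    for k, start in enumerate(prompts):
        in_window = [t for t in prompts[k:] if t - start <= uac_window]
        if len(in_window) >= uac_min_prompts:
            hits.append(("uac_prompt_burst", start))
            break
    return hits


if __name__ == "__main__":
    for rule, ts in hunt(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {rule}")
```

The last sample record, MSBuild started by dotnet.exe for a normal project, is there to show that the MSBuild rule keys on the parent process rather than on MSBuild itself; in a real environment the exclusion and Startup-folder rules still need allow-listing for your own management tooling.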
DCRat, also known as Dark Crystal RAT, is no ordinary malware. This off-the-shelf .NET trojan is designed to harvest sensitive information and expand its capabilities through a plugin-based architecture. It connects to an external server, profiles the infected system, and awaits commands from attackers. These commands can range from logging keystrokes to running arbitrary scripts and even deploying additional payloads like cryptocurrency miners.
This campaign highlights a troubling trend: threat actors are increasingly adopting living-off-the-land (LotL) techniques, abusing trusted system tools like 'MSBuild.exe' to advance their attacks. By doing so, they establish a deeper foothold and maintain persistence within compromised systems. Is this the future of cyberattacks? Or is there a way to outsmart these tactics?
Researchers note that the phishing emails include room charge details in Euros, clearly targeting European organizations. Additionally, the use of the Russian language within the 'v.proj' file suggests a link to Russian threat actors known for deploying DCRat. The campaign’s sophistication, particularly its manipulation of Windows Defender exclusions, underscores the attackers’ deep understanding of modern endpoint protection mechanisms.
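MSBuild.exe is only a useful living-off-the-land tool because a project file can carry code of its own: an inline code task compiled and run at build time, or Exec and DownloadFile tasks. The check below, added here as an example and not code from the article or from Securonix, triages a project file for exactly those constructs and for the non-ASCII text the researchers noted in 'v.proj'. Both project files are constructed; the inline C# fragment only writes a line and is a stand-in, not the campaign's payload.

```python
"""Static triage of an MSBuild project file before MSBuild.exe is allowed to run it.

Added example, not code from the article or from Securonix. It flags the
constructs that turn a project file into a code launcher (inline code tasks,
embedded source, Exec/DownloadFile tasks) and one weak contextual signal the
article mentions: non-ASCII text such as comments in another language.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample in the shape of an attacker-supplied project. The inline
# C# only writes a line; it is a placeholder, not the campaign's v.proj.
INLINE_TASK_PROJ = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- заметка: пример -->
  <Target Name="Build">
    <RunMe />
  </Target>
  <UsingTask TaskName="RunMe" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        System.Console.WriteLine("placeholder inline task");
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

# Constructed ordinary SDK-style project for contrast.
ORDINARY_PROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
</Project>
"""

# Built-in tasks that run commands or fetch files on their own.
LAUNCHER_TASKS = {"Exec", "DownloadFile"}


def _local(tag: str) -> str:
    # Strip the XML namespace so old-style and SDK-style projects look alike.
    return tag.rsplit("}", 1)[-1]


def inspect_project(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        factory = el.get("TaskFactory") or ""
        # Matches both CodeTaskFactory and RoslynCodeTaskFactory.
        if name == "UsingTask" and "CodeTaskFactory" in factory:
            findings.append(f"inline code task '{el.get('TaskName')}' via {factory}")
        elif name == "Code":
            body = (el.text or "").strip()
            findings.append(f"embedded {el.get('Language', '?')} source ({len(body)} chars)")
        elif name in LAUNCHER_TASKS:
            findings.append(f"{name} task present")
    if any(ord(ch) > 127 for ch in xml_text):
        findings.append("non-ASCII text present (e.g. comments in another script)")
    return findings


if __name__ == "__main__":
    for label, proj in (("inline-task project", INLINE_TASK_PROJ), ("ordinary project", ORDINARY_PROJ)):
        print(label, "->", inspect_project(proj) or "no findings")
```

A project file with no findings is not proven safe (a task assembly referenced by path can do anything too), so this is a triage filter for files fetched from unexpected locations, not a replacement for blocking MSBuild.exe from being started by user-facing shells where no build tooling is expected.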
What do you think? Are we doing enough to combat these evolving threats? Or are we one step behind in the cybersecurity arms race?