A new multi-stage malware campaign targeting hospitality organizations during the peak holiday season has been observed, using social engineering techniques such as fake CAPTCHA prompts and simulated Blue Screen of Death (BSOD) errors to trick users into manually executing malicious code.
Tracked as PHALT#BLYX by Securonix threat researchers, the operation started with phishing emails impersonating Booking.com reservation cancellations. These messages highlighted high-value room charges, often exceeding €1000, to create urgency. Once a victim clicked through, they were redirected to a convincing clone of the Booking.com website that initiated the attack chain.
Securonix said the campaign represents an evolution from earlier, less evasive techniques. Previous versions relied on HTML application files and mshta.exe. The latest iteration instead abuses MSBuild.exe, a trusted Microsoft utility, to compile and execute a malicious project file. This living-off-the-land (LOTL) approach enables the malware to bypass many endpoint security controls.
Victims are prompted to follow on-screen instructions that paste a PowerShell command from the clipboard into the Windows Run dialog. That command downloads a project file, which MSBuild.exe then executes.
The final payload is a heavily obfuscated variant of DCRat, a remote access Trojan commonly sold on Russian-language underground forums, that enables keylogging, process injection and the deployment of secondary malware.
Read more on social engineering attacks: Anatomy of a Service Desk Social Engineering Attack
Attribution and Security Recommendations
Securonix researchers noted multiple indicators linking the activity to Russian-speaking threat actors.
These include Cyrillic debug strings embedded in the malware and the use of the aforementioned DCRat. The phishing lures feature charges in Euros, suggesting a focus on European hospitality businesses.
The attackers also took steps to ensure persistence and evasion. Windows Defender exclusions were added for common file types and directories, while the malware established startup persistence using Internet Shortcut files rather than more common registry methods.
To defend against this and similar threats, Securonix recommended a combination of user education and enhanced endpoint monitoring.
Key defensive measures include:
-
Training staff to recognize ClickFix tactics and never paste commands prompted by browser pages
-
Treating urgent booking-related emails with caution and verifying requests through official channels
-
Closely monitoring the use of trusted binaries such as MSBuild.exe for abnormal behavior
The researchers added that as attackers increasingly rely on legitimate system tools and user interaction to bypass security controls, organizations must prioritize behavioral detection and process-level visibility alongside traditional phishing defenses.
