Abusing the Booking.com brand | Image: Securonix
A sophisticated new cyber-espionage campaign is targeting the hospitality industry through the reservation workflow its staff handle every day. Securonix threat researchers have uncovered a stealthy operation dubbed PHALT#BLYX, which combines social engineering with "living-off-the-land" techniques (abuse of tools already present on the system) to deploy remote access trojans (RATs) linked to Russian-speaking actors.
The campaign is notable for its use of the "click-fix" tactic (commonly written ClickFix), in which the victim is talked into copying a command and running it themselves to "resolve" a fabricated error. The initial execution is therefore performed by the user, not by an exploit or a malicious attachment.
The attack begins innocuously enough: a phishing email tailored to hospitality staff, mimicking a reservation cancellation or inquiry from Booking.com. When a victim clicks the link, they aren’t taken to a travel site, but to a malicious trap.
The landing page presents a fake CAPTCHA challenge that always fails and then displays a fake Blue Screen of Death (BSOD) page to the employee.
"The website holds a fake captcha that leads to a fake 'Blue Screen of Death' page," the report explains. "It is a trick for click-fix that executes a PowerShell command to download a proj file."
Victims are instructed to "fix" the crash by pasting a PowerShell command into their console. In reality they are delivering the malware to their own system: no attachment has to pass a mail gateway and no download has to pass a browser scanner, and the first malicious event on the host is an interactive PowerShell session fetching the project file. For responders, a command entered in an interactive console is often recoverable from PSReadLine's history file (ConsoleHost_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine).
Once the pasted command runs, the attackers use tools already present on Windows rather than dropping their own executables. The operation relies heavily on MSBuild.exe, Microsoft's build engine, which ships with the .NET Framework on current Windows versions and is signed by Microsoft. MSBuild will compile and execute C# embedded in a project file through an inline task, so a crafted .proj file is enough to turn a trusted build tool into a loader; the technique is catalogued in MITRE ATT&CK as T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild).
“The technical complexity of the infection chain reveals a clear intent to evade detection and maintain long-term persistence,” Securonix researchers noted.
By using a "customized MSBuild project file to proxy execution," the attackers put the work on a Microsoft-signed binary that application-control policies and file scanners routinely trust: what lands on disk is an XML project file, not an unknown executable. The final stage injects the malware into legitimate processes such as aspnet_compiler.exe, another signed .NET Framework binary, "masking the malicious activity behind the facade of standard system operations". On a process list this looks like ordinary .NET tooling; what distinguishes it is lineage and arguments: an MSBuild started from an interactive PowerShell session, pointed at a project file in a user-writable directory, and in turn spawning aspnet_compiler.exe.
The payload at the heart of this campaign is DCRat (DarkCrystal RAT), a commodity .NET remote access tool that grants attackers full remote control over the infected machine. Later stages have also been observed deploying AsyncRAT, an open-source .NET RAT, giving the operators a second channel if the first is discovered.
“Beneath the surface, the deployed AsyncRAT payload exhibits a high degree of resilience and operational security,” the analysis states.
The report highlights that “the presence of native Russian language artifacts within the deployment scripts provides strong attribution clues,” linking the operation to Russian-speaking threat actors.
The PHALT#BLYX campaign serves as a stark reminder that attackers are constantly evolving their social engineering playbooks. By combining the psychological pressure of a “crashed” computer with the technical stealth of legitimate system tools, they create a potent threat.
Securonix advises organizations to look deeper than simple file scans. “As these tactics continue to evolve, organizations must look beyond file-based detection and focus on behavioral anomalies and process lineage to identify and stop these multi-staged attacks”.
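The lineage-based detection Securonix recommends can be expressed directly. The following is an added example, not code from the Securonix report or from this article: a small Python rule set run over constructed Sysmon-style process-creation events (pids, paths and command lines are made up to mirror the chain described above). The allow-list of build hosts, the user-writable path patterns, and the treatment of an argument-less aspnet_compiler.exe spawned by MSBuild as an injection target are assumptions to tune per estate; the rule names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 shape, trimmed)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


# --- Tuning knobs (assumed; adjust to the estate) -------------------------
# Parents from which MSBuild.exe is expected on a developer workstation.
BUILD_HOSTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
# Interactive or script hosts whose presence above a .NET build tool is
# what the click-fix chain leaves behind in the process tree.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Locations a phished, unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|windows\\temp|programdata)\\", re.I)
# Argument that looks like an MSBuild project file.
PROJECT_FILE = re.compile(r'"?([^"\s]+\.(?:proj|csproj|vbproj|xml))"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the executable token (quoted paths respected)."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent links upward; stops at a pid with no record or on a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def analyse(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches a lineage rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        parent_name = basename(parent.image) if parent else ""
        lineage = {basename(a.image) for a in ancestry(by_pid, ev.ppid)}

        # Rule 1: MSBuild launched outside a build host and pointed at a
        # project file sitting where a user could have just written it.
        if name == "msbuild.exe" and parent_name not in BUILD_HOSTS:
            m = PROJECT_FILE.search(ev.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("msbuild_proxy_execution", ev.pid))

        # Rule 2: aspnet_compiler.exe spawned by MSBuild with an empty command
        # line (heuristic for a hollowing/injection target) while a script
        # host sits somewhere above it in the tree.
        if (name == "aspnet_compiler.exe" and parent_name == "msbuild.exe"
                and not has_arguments(ev.cmdline) and lineage & SCRIPT_HOSTS):
            findings.append(("aspnet_compiler_injection_target", ev.pid))
    return findings


NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry, not captured logs.
SAMPLE_EVENTS = [
    # Click-fix chain: user pastes the "fix" into a PowerShell console.
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe", "wt.exe"),
    ProcEvent(1200, 1100, PS, "powershell.exe"),
    ProcEvent(1300, 1200, NET + r"\MSBuild.exe",
              r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\update.proj"),
    ProcEvent(1400, 1300, NET + r"\aspnet_compiler.exe", "aspnet_compiler.exe"),
    # Benign developer activity the rules must leave alone.
    ProcEvent(2000, 900, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(2100, 2000, NET + r"\MSBuild.exe", r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
    ProcEvent(2200, 2100, NET + r"\aspnet_compiler.exe",
              r"aspnet_compiler.exe -v / -p C:\src\app\web -u C:\src\app\out"),
    ProcEvent(3000, 1000, PS, "powershell.exe"),
    ProcEvent(3100, 3000, NET + r"\MSBuild.exe", r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
]

if __name__ == "__main__":
    for rule, pid in analyse(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Note that a developer running MSBuild from a PowerShell prompt against a project under C:\src is deliberately not flagged; the signal is the combination of an unexpected parent and a project file in a scratch location, which is the shape the click-fix chain produces.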