- A campaign called PHALT#BLYX used fake ClickFix-style pages to show bogus blue screen of death errors and trick victims into running commands.
- Phishing emails impersonated Booking.com and redirected targets to a site that prompted a Run-dialog PowerShell command, which fetched a multi-stage loader.
- The loader used a custom MSBuild project to run payloads via MSBuild.exe, disable or evade Microsoft Defender Antivirus, and install the DCRat remote access trojan.
- Indicators include domains like 2fa-bns[.]com and room charges in Euros, suggesting a focus on European hospitality organizations and links to Russian-language components.
Researchers at Securonix disclosed a late-December 2025 campaign named PHALT#BLYX that targeted European hospitality organizations to deliver the remote access trojan DCRat. The attack used fake ClickFix-style pages showing a bogus blue screen of death to trick victims into running commands.
“For initial access, the threat actors utilize a fake Booking.com reservation cancellation lure to trick victims into executing malicious PowerShell commands, which silently fetch and execute remote code,” researchers noted in their report linked to Securonix (Malware-infection/”>read more).
The attack begins with a phishing email impersonating Booking.com, warning of a reservation cancellation and linking to a fake site. The site serves a CAPTCHA and then a fake BSoD page with “recovery instructions” that ask users to open the Run dialog and paste a command. That command runs a PowerShell dropper.
The PowerShell dropper downloads a custom MSBuild project file named “v.proj” from 2fa-bns[.]com and executes it with MSBuild.exe. The embedded payload adjusts Microsoft Defender Antivirus exclusions, establishes persistence in the Startup folder, and downloads and launches DCRat.
If run with administrator privileges, the malware can disable Defender; otherwise it triggers a User Account Control prompt repeatedly to try to gain elevation. The code also opens the real Booking.com admin page as a distraction.
DCRat is a .NET RAT that can profile systems, log keystrokes, execute commands, and load plugins such as cryptocurrency miners. “The phishing emails notably feature room charge details in Euros, suggesting the campaign is actively targeting European organizations,” and “The use of a customized MSBuild project file to proxy execution, coupled with aggressive tampering of Windows Defender exclusions, demonstrates a deep understanding of modern endpoint protection mechanisms,” Securonix added.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Lighter’s LIT jumps 37% amid buybacks and whale buys in DeFi
- Bitcoin Core v30 bug can erase BDB wallets; binaries pulled.
- Crypto Market Surges $250B as Bitcoin Tops $92K, Sui Rallies
- Jefferies Raises Nvidia FY2026 Target to $240, Sees 28% Gain
- Schiff Urges Sell of Venezuela-Inspired BTC Rally, Buy Gold.
