    Fake Windows BSODs check in at Europe’s hotels to con staff into running malware

    Russia-linked hackers are sneaking malware into European hotels and other hospitality outfits by tricking staff into installing it themselves through fake Windows Blue Screen of Death (BSOD) crashes.

    In a report published this week, Securonix threat researchers said they have been tracking a stealthy infection campaign they’re calling PHALT#BLYX, centered around a social engineering variant of the infamous ClickFix attack that begins with phishing emails mimicking Booking.com reservation cancellations.

    The setup is straightforward: a hotel worker receives an email that appears to be from Booking.com, usually warning about an eye-watering charge in euros. When they follow the “See details” link, they’re taken to what looks like a real Booking.com page – except instead of a reservation, they’re met with a fake verification screen that quickly gives way to a full-screen Windows BSOD scare.

    The bogus BSOD is designed to panic the user into “fixing” the non-existent error by performing a series of steps that ultimately have them paste and execute a malicious PowerShell command, the classic hallmark of a ClickFix attack. Because the victim manually runs the code themselves, it sidesteps many automated security controls that would block traditional drive-by malware download methods.

    Once the command is executed, the system quietly downloads additional files and uses a legitimate Windows component (the MSBuild build engine, according to the report) to execute the attackers’ code, helping the malware blend in with regular activity and slip past security tools. The end result is the installation of the DCRat remote access trojan, which gives the intruders ongoing control of the compromised machine, allowing them to spy on activity and deliver further malicious software, according to Securonix.

    The security firm notes that the attackers have evolved their infection chain over several months, moving away from earlier, simpler HTML Application techniques to the more sophisticated MSBuild-based execution. That shift makes the malicious activity harder to detect with conventional antivirus tools.

    The emphasis on euro-denominated charges and the targeting of hospitality organizations during a busy holiday season suggests a campaign squarely aimed at European companies, the researchers said. There are additional artifacts in the MSBuild project file that indicate Russian-language usage, and the DCRat family itself is widely traded on Russian underground forums, strengthening suspicions that miscreants linked to Russia may be responsible. ®
