ClickFix Social Engineering Attacks Targeting European Hospitality Sector
Suspected Russian cybercriminals have launched a sophisticated phishing campaign targeting the European hospitality industry, leveraging fake Windows Blue Screen of Death (BSOD) pages to distribute malware. The attack, tracked as "PHALT#BLYX" by Securonix researchers, begins with phishing emails impersonating popular booking platforms such as Booking.com, often using reservation cancellation lures with details in Euros to specifically target hotels, hostels, and inns in Europe. Victims are directed to high-fidelity cloned websites that mimic legitimate booking services, where they encounter fake error messages and BSOD screens designed to prompt them into executing malicious commands.
The campaign employs the "ClickFix" technique, which manipulates users into manually running PowerShell or shell commands under the guise of resolving system errors. This process ultimately results in the installation of the DCRat malware, a remote access trojan capable of keylogging and other malicious activities. Technical indicators, including Russian-language debug strings and infrastructure geolocated to Russia, suggest a strong Russian connection. The campaign demonstrates a blend of social engineering and technical deception, exploiting human problem-solving instincts to compromise systems within the hospitality sector during its busiest season.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Securonix publicly discloses PHALT#BLYX campaign details
By January 2026, Securonix publicly reported the campaign's full attack chain, including fake Booking.com emails, fake CAPTCHA and BSOD pages, malicious PowerShell, MSBuild abuse, Defender tampering, persistence, and DCRat deployment. The disclosure also included defensive guidance and indicators for detecting suspicious MSBuild.exe and related activity.
Securonix first observes and tracks the activity as PHALT#BLYX
Securonix researchers first observed the campaign in December 2025 and identified it as PHALT#BLYX. Their analysis linked the activity to suspected Russian-speaking actors based on Russian-language artifacts, infrastructure clues, and the use of DCRat, a malware family common on Russian underground forums.
Attackers shift from HTA delivery to MSBuild-based execution
During the campaign, the infection chain evolved from simpler HTA-based methods to stealthier MSBuild.exe-driven execution using obfuscated project files and other living-off-the-land techniques. This change improved evasion and made detection harder while helping deploy DCRat and maintain persistence.
PHALT#BLYX campaign targets European hospitality sector
In late December 2025, attackers began a phishing campaign against European hotels and hospitality organizations using Booking.com-themed reservation cancellation lures. The operation used fake websites, bogus BSOD prompts, and ClickFix-style instructions to trick staff into executing malicious PowerShell that led to DCRat infection.
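The timeline above describes a shift to MSBuild.exe-driven execution of project files and notes that the disclosure included guidance for detecting suspicious MSBuild.exe activity. The following triage logic over process-creation events is an added example, not code from Securonix or from this page; the Sysmon-style field names, the parent-process list, the path heuristics and the sample events are all assumptions constructed for illustration.

```python
import ntpath
import re
import shlex

# Assumptions (not from the Securonix report): events are dicts keyed like
# Sysmon Event ID 1 (Image, ParentImage, CommandLine); both heuristics are
# generic MSBuild living-off-the-land checks, not campaign indicators.
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
PROJECT_EXTS = (".proj", ".csproj", ".targets", ".xml")
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp|users\\public)\\", re.I)


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()


def project_files(command_line):
    """Extract project-file arguments, keeping quoted paths with spaces whole."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command_line.split()
    cleaned = (t.strip('"') for t in tokens)
    return [t for t in cleaned if t.lower().endswith(PROJECT_EXTS)]


def msbuild_findings(event):
    """Return the reasons an MSBuild.exe launch looks suspicious (empty if none)."""
    if base(event.get("Image")) != "msbuild.exe":
        return []
    reasons = []
    parent = base(event.get("ParentImage"))
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned by {parent}")
    for project in project_files(event.get("CommandLine", "")):
        if USER_WRITABLE.search(project):
            reasons.append(f"project file in user-writable path: {project}")
    return reasons


def triage(events):
    """Return (event, reasons) for every MSBuild launch with at least one reason."""
    return [(e, r) for e in events if (r := msbuild_findings(e))]


FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [  # constructed sample data, not taken from the campaign
    {"Image": FW, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": '"' + FW + r'" C:\ProgramData\sample.proj'},
    {"Image": FW, "ParentImage": r"C:\VS\devenv.exe", "CommandLine": r"MSBuild.exe C:\src\HotelPMS\HotelPMS.csproj"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"Image": FW, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'MSBuild.exe "C:\Users\front desk\AppData\Local\Temp\sample.proj"'},
]
```

On front-desk and back-office workstations that never compile software, any MSBuild.exe launch is unusual, so the reasons list is best used to rank alerts rather than to suppress them.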


