I want to draw attention to a new malware campaign security researchers are tracking under the name PHALT#BLYX, which is actively targeting organizations in the European hospitality sector.
According to findings from Securonix, the campaign relies on ClickFix-style social engineering and fake system error messages to trick victims into infecting their own systems. The activity was first observed in late December 2025, and its end goal is to deploy a remote access trojan known as DCRat.
The attack typically starts with a phishing email that impersonates Booking.com. The message claims that a hotel reservation has been unexpectedly canceled and urges the recipient to click a link to confirm the cancellation. That link leads to a fake website designed to look like Booking.com.
Once on the site, the victim is shown a fake CAPTCHA page, which quickly transitions into a bogus blue screen of death error. The page then provides “recovery instructions,” telling the user to open the Windows Run dialog, paste in a command, and press Enter. What the victim doesn’t realize is that this action launches a malicious PowerShell command.
Behind the scenes, the PowerShell script downloads an MSBuild project file called v.proj from a remote server and executes it using the trusted Windows binary MSBuild.exe. This step allows the attackers to quietly bypass defenses and run their payload without raising immediate suspicion.
From there, the malware configures exclusions in Microsoft Defender to avoid detection, establishes persistence by adding itself to the system’s Startup folder, and finally downloads and launches DCRat from the same infrastructure. If the malware is running with administrator privileges, it can even disable security protections entirely. Without elevated rights, it repeatedly triggers User Account Control prompts in an attempt to wear the victim down into approving access.
As a distraction, the PowerShell script also opens the real Booking.com admin page in the user’s browser, making the activity appear legitimate and reducing the chance that the victim realizes something has gone wrong.
DCRat, also known as Dark Crystal RAT, is a widely used .NET-based trojan that supports a plugin-driven design. Once active, it can collect system information, log keystrokes, execute commands, and download additional payloads such as cryptocurrency miners, all while communicating with a remote command server.
This campaign highlights how attackers continue to rely on living-off-the-land techniques, abusing trusted Windows components like MSBuild.exe to blend in with normal system activity and maintain long-term access.
Securonix noted that the phishing emails include pricing details in euros, strongly suggesting a focus on European targets. Researchers also found Russian-language strings inside the MSBuild project file, linking the activity to threat actors known to rely on DCRat in past campaigns.
Overall, PHALT#BLYX is a clear reminder that polished phishing emails and fake system errors remain highly effective tools, especially when paired with legitimate Windows utilities and aggressive security evasion techniques.