
ClickFix campaign sets sight on European hospitality sector


Threat actors are targeting the hospitality sector in Europe by using ClickFix social engineering, fake CAPTCHA, and fake "blue screen of death" (BSOD) pages to trick users into injecting malicious code.

In a Jan. 5 blog post, Securonix researchers said that attackers have leveraged Booking.com, a theme that has been abused in the past and remains a persistent threat.

According to the researchers, the campaign — dubbed "PHALT#BLYX" — starts with a Booking.com lure delivered via phishing emails that contain links to a fake Booking.com website.

The researchers said the website hosts a fake CAPTCHA that leads to a fake BSOD page. It is actually a ClickFix trick that executes a PowerShell command to download a project file. That file then leverages the trusted MSBuild.exe tool to bypass defenses and deploys a stealthy, Russian-linked DCRat payload that gives full remote access, as well as the ability to drop secondary payloads.

These phishing emails notably feature room charge details in euros, the researchers said, suggesting the campaign is actively targeting European organizations. The use of the Russian language within the “v.project” MSBuild file potentially links this activity to Russian threat actors using DCRat.

Deception via brand trust, social engineering

Kern Smith, senior vice president of global solutions engineering at Zimperium, explained that these types of campaigns highlight how attackers increasingly rely on social engineering and trusted brand impersonation to bypass traditional controls, and that these tactics don’t stop at desktops.

Smith said his team routinely sees the same lures adapted for mobile delivery, in which phishing links, fake CAPTCHAs, and malicious redirects are even harder for users to detect. As attackers refine these deception-based techniques, Smith said organizations should assume global spread is inevitable and focus on protecting the device itself.  

Attackers use techniques like ClickFix and fake system errors because they exploit human behavior and the gaps created as work increasingly happens on mobile devices, Smith continued.

“A mobile-first attack strategy lets threat actors bypass traditional perimeter, email, and network defenses by pushing users to interact directly with malicious content on their phones, where visibility and enforcement are often weaker,” said Smith. “By combining trusted brand lures, browser-based deception, and post-click execution, attackers can scale these campaigns globally with a higher success rate and lower risk of detection.”

Christopher Jess, senior R&D manager at Black Duck, said this PHALT#BLYX activity shows how attackers don't require a vulnerability for exploitation. By combining a Booking.com cancellation lure with a bogus CAPTCHA and a panic-inducing BSOD, the campaign uses the ClickFix pattern to coax a user into running PowerShell themselves, then abuses trusted, built-in Windows tooling like MSBuild.exe to compile and run the next stage.

“That blend of social engineering, plus using legitimate binaries is specifically designed to slip past conventional controls that are tuned for clearly malicious executables,” said Jess. “Organizations should assume this technique will spread. ClickFix has already shown broad adoption across threat actors, lures, and geographies because it's low cost to retheme and it relies on user execution rather than a single vulnerable product. What looks like a hospitality problem today can become shipping, HR, or finance tomorrow with the same playbook.”

Jess offers some tips on how security pros can mitigate these types of attacks:

  • Train everyone not to run commands just because a web page or verification screen says so.
  • Remind everyone to only check reservations or refunds through the real booking portal or by calling a trusted number.
  • Lock everything down further by only allowing developer tools (like MSBuild) on systems that need them, cut back on local admin rights, ensure strong logging, and use tooling to block risky scripts and suspicious process chains (like a browser suddenly launching PowerShell and then MSBuild).
  • Treat RAT deployment as an incident with follow-on risk. These tools usually mean someone's poking around, stealing credentials, or setting up more attacks.
  • Look for signs like unexpected Defender settings, persistence via Startup folder entries, anomalous MSBuild activity, or unexpected outbound traffic.
  • Move fast to quarantine infected machines and reset credentials. 
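As an added illustration of the process-chain and persistence checks in these tips (example code written for this page, not from the Securonix report or any vendor product), the following Python flags MSBuild launched under a shell that a browser spawned, plus writes to the Startup folder, over constructed Sysmon-style process events; the pids, paths and command lines are made up.

```python
# Added example: detect the browser -> PowerShell -> MSBuild chain and Startup-folder persistence.
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline", defaults=("",))

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LOLBINS = {"msbuild.exe"}
STARTUP = "\\microsoft\\windows\\start menu\\programs\\startup\\"

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Image names from pid up to the root (child first); guards against pid cycles."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def find_clickfix_chains(events):
    """Flag MSBuild whose ancestry contains a shell that itself descends from a browser."""
    hits = []
    for e in events:
        if image_name(e.image) not in LOLBINS:
            continue
        chain = ancestry(events, e.pid)
        # chain[0] is msbuild; look for a shell above it with a browser above that
        for i, name in enumerate(chain[1:], start=1):
            if name in SHELLS and any(a in BROWSERS for a in chain[i + 1:]):
                hits.append((e.pid, " <- ".join(chain)))
                break
    return hits

def find_startup_persistence(events):
    return [e.pid for e in events if STARTUP in e.cmdline.lower()]

# Constructed sample: lure page -> user pastes a PowerShell command -> MSBuild runs a project file.
SAMPLE = [
    Event(100, 1, r"C:\Windows\explorer.exe"),
    Event(200, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    Event(500, 100, r"C:\Windows\System32\cmd.exe",
          r"cmd /c copy x.exe C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe"),
    Event(600, 100, r"C:\Program Files\dotnet\dotnet.exe"),  # benign developer build, not flagged
]
```

Real telemetry would come from Sysmon Event ID 1 or EDR process-creation records; the chain check is what distinguishes a developer's legitimate MSBuild run from one spawned by a browser-launched shell.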
