According to Infosecurity Magazine, a new multi-stage malware campaign tracked as PHALT#BLYX is actively targeting hospitality organizations during the peak holiday season. The attack starts with phishing emails impersonating Booking.com, which highlight fake reservation cancellations with charges often exceeding €1000 to create urgency. Victims are lured to a cloned Booking.com site, which then uses social engineering like fake CAPTCHA prompts and simulated Blue Screen of Death errors. The final payload is a heavily obfuscated variant of DCRat, a remote access Trojan sold on Russian-language forums that enables keylogging and further malware deployment. Securonix researchers linked the activity to Russian-speaking threat actors based on Cyrillic debug strings and the malware’s origin.
How the scam works
Here’s the thing: this isn’t your average phishing link that downloads a sketchy .exe. The social engineering is way more hands-on. After clicking the link, the victim sees what looks like a system crash or a CAPTCHA check. The instructions literally tell them to copy a PowerShell command from their clipboard and paste it into the Windows Run dialog. And they do it! That command kicks off the real magic, which is a classic living-off-the-land technique. Instead of a blatant malware file, it uses MSBuild.exe—a totally legitimate Microsoft tool for compiling code—to build and execute a malicious project file. So from the endpoint’s perspective, it’s just a trusted Microsoft process doing its job. Pretty clever, and really hard for traditional antivirus to flag.
Why this is a big deal
This represents a clear evolution. Earlier versions of this attack used clunkier methods involving HTML applications. Now, by abusing MSBuild, the attackers are flying under the radar. They’re also thinking about persistence and evasion in sneaky ways. For instance, they add Windows Defender exclusions for common file types right off the bat. And they establish persistence using Internet Shortcut files in the startup folder, which is less common than messing with the registry. It shows a level of sophistication that’s worrying. They’re not just spraying and praying; they’re targeting a specific sector—European hospitality—at its most vulnerable, cash-flush time of year. The use of DCRat is another tell. It’s a cheap, commodity malware popular in Russian cybercrime circles, which suggests this might be a financially motivated crew rather than state-sponsored. But does that make it less dangerous? Not really.
What can be done
So what’s the defense? User education is part of it, obviously. Telling staff not to run random commands from a website is security 101. But the researchers rightly point out that’s not enough anymore. When attackers use trusted system tools, you need better behavioral detection. You have to monitor for anomalies, like MSBuild.exe making weird network connections or writing files to startup locations. It’s about process-level visibility. The old model of just blocking known-bad files is completely broken for this kind of attack. Organizations need to assume that a determined attacker will get a user to click, and then have systems in place to catch the unusual behavior that follows. It’s a tougher way to do security, but it’s basically mandatory now.
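One way to turn the behavioural indicators from the last two sections into a concrete check, written here as an added example rather than anything from the Securonix research: it triages Sysmon-style endpoint events (network connections and file creates) for MSBuild.exe reaching out to the network, MSBuild.exe writing into a Startup folder, and Internet Shortcut files appearing there. The event field names and the sample records are assumptions constructed for the example.

```python
"""Triage Sysmon-style endpoint events for the MSBuild and Startup-folder
behaviour discussed above. Field names and sample records are constructed."""
import re

# Any per-user or all-users Startup folder path (case-insensitive).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
LOLBIN = "msbuild.exe"

def is_msbuild(image):
    """True if the process image (full path) is MSBuild.exe."""
    return image.rsplit("\\", 1)[-1].lower() == LOLBIN

def triage(event):
    """Return findings for one event (empty list if nothing suspicious).

    Keys mirror Sysmon: 'id' (3 = network connection, 11 = file create),
    'image' (process path), 'dest' for id 3, 'target' for id 11."""
    findings = []
    image = event.get("image", "")
    if event.get("id") == 3 and is_msbuild(image):
        findings.append(f"MSBuild.exe network connection to {event.get('dest')}")
    if event.get("id") == 11:
        target = event.get("target", "")
        if STARTUP_RE.search(target):
            if target.lower().endswith(".url"):
                findings.append(f"Internet Shortcut dropped in Startup: {target}")
            if is_msbuild(image):
                findings.append(f"MSBuild.exe wrote to Startup: {target}")
    return findings

def scan(events):
    """Run triage over a batch of events and flatten the findings."""
    return [f for e in events for f in triage(e)]

# Constructed sample events (not telemetry from the campaign).
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 3, "image": MSBUILD, "dest": "203.0.113.10:443"},
    {"id": 11, "image": MSBUILD, "target": STARTUP + r"\update.url"},
    {"id": 11, "image": r"C:\Program Files\Foo\setup.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In practice the same three rules map directly onto Sysmon Event IDs 3 and 11 in a SIEM query; the benign notepad and setup.exe records are there to show the rules stay quiet on ordinary activity.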
