Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat
Source: Securonix
Cybersecurity researchers have disclosed details of a new campaign dubbed PHALT#BLYX that has leveraged ClickFix-style lures to display fixes for fake blue screen of death (BSoD) errors in attacks targeting the European hospitality sector. The end goal of the multi-stage campaign is to deliver a remote access trojan known as DCRat, according to cybersecurity company Securonix.
AI Analysis
Technical Summary
PHALT#BLYX is a sophisticated phishing campaign targeting the European hospitality industry, leveraging social engineering and living-off-the-land (LotL) techniques to deliver the DCRat remote access trojan (RAT). The attack begins with phishing emails impersonating Booking.com, warning hotel staff of unexpected reservation cancellations and urging them to click a link. This link leads to a fake Booking.com website that presents a CAPTCHA page followed by a counterfeit Blue Screen of Death (BSoD) error screen with recovery instructions. These instructions trick victims into opening the Windows Run dialog and executing a PowerShell command.

This command silently downloads an MSBuild project file (v.proj) from a malicious server and executes it using MSBuild.exe, a trusted Microsoft binary, to run embedded payloads. The payload configures Microsoft Defender Antivirus exclusions to evade detection, establishes persistence by placing files in the Startup folder, and downloads and launches the DCRat malware. The attack also opens the legitimate Booking.com admin page in the victim’s browser to distract and reassure the user.

DCRat is a modular .NET RAT capable of profiling infected hosts, logging keystrokes, executing arbitrary commands, and delivering additional payloads such as cryptocurrency miners. If running with administrator privileges, it disables Defender entirely; otherwise, it triggers repeated User Account Control (UAC) prompts to escalate privileges. The campaign’s use of Euro-denominated booking details indicates a focus on European targets, while the Russian language in the MSBuild project file suggests attribution to Russian-speaking threat actors. This multi-stage attack chain demonstrates advanced evasion and persistence techniques, combining social engineering with abuse of trusted system tools to maintain a foothold in compromised environments.
Potential Impact
For European organizations, particularly in the hospitality sector, this campaign poses significant risks including unauthorized remote access, data exfiltration, credential theft, and potential lateral movement within networks. The deployment of DCRat enables attackers to harvest sensitive information, execute arbitrary commands, and deploy additional malicious payloads such as cryptocurrency miners, which can degrade system performance and increase operational costs. The use of living-off-the-land techniques and Defender exclusion tampering complicates detection and response efforts, increasing dwell time and potential damage. Given the targeting of hotel staff, attackers may gain access to reservation systems, customer data, and internal communications, potentially leading to reputational damage, regulatory penalties under GDPR, and financial losses. The repeated UAC prompt tactic may also lead to inadvertent privilege escalation, further compromising system integrity. Overall, the campaign threatens confidentiality, integrity, and availability of critical hospitality IT infrastructure across Europe.
Mitigation Recommendations
European hospitality organizations should:
- Implement targeted phishing awareness training emphasizing the risks of fake booking cancellation emails and suspicious links.
- Deploy advanced email filtering solutions capable of detecting and blocking phishing URLs and malicious attachments.
- Enforce application whitelisting and restrict execution of PowerShell scripts and MSBuild.exe to trusted administrators only, using AppLocker or Windows Defender Application Control.
- Regularly audit and harden Microsoft Defender Antivirus settings to prevent unauthorized exclusion modifications, and monitor for unusual Defender configuration changes.
- Implement endpoint detection and response (EDR) solutions with behavioral analytics to identify living-off-the-land techniques and anomalous process executions such as MSBuild.exe running unexpected projects.
- Enforce least privilege principles to limit user rights and reduce the impact of UAC prompt abuse.
- Maintain up-to-date backups and incident response plans tailored to ransomware and RAT infections.
- Use network segmentation to isolate critical systems and limit lateral movement.
- Monitor network traffic for connections to known malicious domains like "2fa-bns[.]com" and block them at the perimeter.
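Triage logic for three of the behaviours the recommendations above call out (MSBuild.exe running a project from an unexpected location, Defender exclusions added from a PowerShell command line, and PowerShell started from the Run dialog), written here as an added example that is not part of the Securonix report or this page. The event fields, the user-writable path list and the sample events are constructed assumptions to be tuned per estate.

```python
# Added example: heuristic triage of process-creation events for the
# PHALT#BLYX-style behaviours described above. Event fields and the
# sample events are constructed for illustration, not real telemetry.
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str    # parent image name, e.g. explorer.exe
    image: str     # launched image name, e.g. msbuild.exe
    cmdline: str   # full command line as recorded by the sensor

# Locations an ordinary user can write to (assumption: adjust per estate).
USER_WRITABLE = (r"\appdata\local\temp", r"\downloads", r"\users\public")

def triage(ev: ProcEvent) -> list[str]:
    """Return the findings that apply to one event (empty list = benign)."""
    findings = []
    img, cmd, parent = ev.image.lower(), ev.cmdline.lower(), ev.parent.lower()
    # 1. MSBuild executing a project file from a user-writable path, or
    #    spawned by PowerShell rather than an IDE or build agent.
    if img == "msbuild.exe":
        proj = re.search(r'([\w:\\\.\-]+\.(?:proj|csproj|xml))', cmd)
        if proj and any(d in proj.group(1) for d in USER_WRITABLE):
            findings.append("msbuild_project_from_user_writable_path")
        if parent == "powershell.exe":
            findings.append("msbuild_spawned_by_powershell")
    # 2. Defender exclusions being added from a PowerShell command line.
    if img == "powershell.exe" and "add-mppreference" in cmd and "-exclusion" in cmd:
        findings.append("defender_exclusion_added_via_powershell")
    # 3. PowerShell launched directly from the Run dialog (explorer.exe parent),
    #    which is how the fake-BSoD instructions have the victim start it.
    if img == "powershell.exe" and parent == "explorer.exe":
        findings.append("powershell_from_run_dialog")
    return findings

# Constructed sample events (not telemetry from the campaign).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe <command elided>"),
    ProcEvent("powershell.exe", "msbuild.exe",
              r"msbuild.exe C:\Users\staff\AppData\Local\Temp\v.proj"),
    ProcEvent("powershell.exe", "powershell.exe",
              r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\staff\AppData\Local\Temp"),
    ProcEvent("devenv.exe", "msbuild.exe", r"msbuild.exe C:\buildagent\work\app.csproj"),
]

def triage_all(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map each event index to its findings; the last sample is a benign build."""
    return {i: triage(e) for i, e in enumerate(events)}
```

Only the last sample, a developer IDE building from a build directory, comes back clean; the first three each trip one of the heuristics above.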
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Austria, Switzerland
Technical Details
- Article source: https://thehackernews.com/2026/01/fake-booking-emails-redirect-hotel.html (fetched 2026-01-06)
Threat ID: 695d1e21769e869ac5f7ef42
Added to database: 1/6/2026, 2:37:21 PM