Unveiling PHALT#BLYX: A Deep Dive into the Cyberattack Targeting European Hospitality Organizations

Read Unveiling PHALT#BLYX: A Deep Dive into the Cyberattack Targeting European Hospitality Organizations on RadioNOVO

Unveiling PHALT#BLYX: A Deep Dive into the Cyberattack Targeting European Hospitality Organizations

A recent cyberattack campaign called PHALT#BLYX targeted European hospitality organizations in late December 2025, aiming to distribute the DCRat remote access trojan. The attackers used deceptive ClickFix-style pages displaying a fake blue screen of death to deceive victims into running malicious commands. The initial access was gained through a fake Booking.com reservation cancellation lure, prompting victims to execute harmful PowerShell commands that fetch and execute remote code.

The phishing email impersonating Booking.com warned recipients of a reservation cancellation and directed them to a fraudulent website. Upon visiting the site, users encountered a CAPTCHA followed by a fake BSoD page with instructions for "recovery," instructing them to run a specific command in the Run dialog. This command initiated a PowerShell dropper that downloaded and executed a custom MSBuild project file named "v.proj" from 2fa-bns[.]com. The payload of the file adjusted Microsoft Defender Antivirus exclusions, established persistence in the Startup folder, and downloaded and launched the DCRat malware.

DCRat, a .NET RAT, possesses capabilities such as system profiling, keystroke logging, command execution, and plugin loading, including cryptocurrency miners. The phishing emails contained room charge details in Euros, indicating a focus on European targets. The attackers' use of a customized MSBuild project file for execution and manipulation of Windows Defender exclusions showcased a sophisticated understanding of modern endpoint protection mechanisms.

The campaign's tactics highlight the evolving threat landscape faced by organizations, emphasizing the importance of robust cybersecurity measures to defend against such sophisticated attacks. Stay informed about the latest cybersecurity developments by following BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for real-time updates.