When BSOD is not a bug, but a feature. Cybercriminals have learned to professionally mimic a broken Windows system

Scammers have found a way to turn an ordinary click on an email into full remote access to a computer.

A message about a booking cancellation on Booking.com with a substantial deduction amount looks like routine work for hotels and apartments. But it is precisely such an email that marks the beginning of a new malware campaign, which Securonix specialists are tracking under the name PHALT#BLYX. It clearly demonstrates how modern attacks increasingly rely not on vulnerabilities, but on user psychology and trust in standard Windows tools.
The attack targets the hotel business and was actively used during the peak holiday season. Victims receive phishing emails about a supposed booking cancellation with payment details in euros. This creates a sense of urgency and compels the recipient to click the link as quickly as possible. Instead of the real Booking.com website, the user lands on a high-quality fake, almost indistinguishable from the original in appearance. Logos, fonts, and colors look convincing, so they don't raise suspicion.
On the fake page, the victim is shown a message about an alleged loading error and prompted to refresh the page. After clicking, the browser expands to full screen and mimics a Windows Blue Screen of Death (BSOD). In a state of stress, the user is offered a simple way to fix everything. They need to open the Run dialog, paste an already copied command, and press Enter. In reality, a malicious PowerShell script has been placed in the clipboard beforehand. Thus, the person initiates the infection themselves, bypassing many automated protection mechanisms.
The attack then develops in several stages. The PowerShell script downloads a special project file for MSBuild and launches it using Microsoft's standard build tool. This is one of the key moments of the entire chain. Using a trusted system binary allows the attack to appear legitimate and often bypass antivirus software and application control policies. As a diversion, the legitimate Booking.com management website opens in the browser at the same time to prevent the victim from suspecting anything.
The downloaded MSBuild project contains embedded code that first weakens the system's defenses. In particular, it adds exclusions to Windows Defender for important directories and file types, and if administrator rights are present, it completely disables real-time protection. This paves the way for downloading the main malicious component. If administrator rights are not available, the malware persistently shows User Account Control (UAC) prompts, banking on the user agreeing just to make the pop-ups disappear.
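The two stages just described, a scripting host launching MSBuild on a project file from a user-writable folder and the Defender configuration being weakened, both leave telemetry a defender can hunt on. The following script is an added example, not Securonix's or the article's own code: it runs simple detection rules over constructed event records whose field names are an assumption modelled on Sysmon Event ID 1 (process creation) and Windows Defender Event ID 5007 (configuration change).

```python
"""Hunting for the MSBuild and Defender-weakening stages of the chain above.

Added example, not Securonix's or the article's own code. All event records
are constructed; field names are assumptions modelled on Sysmon Event ID 1
and Windows Defender Event ID 5007.
"""
import re

# Hosts from which msbuild.exe is rarely launched in legitimate build work.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Parents that routinely invoke MSBuild.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "nuget.exe"}
PROJECT_EXT = (".proj", ".csproj", ".vbproj", ".xml", ".targets")
# Lower-cased path fragments for locations any user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")
# Registry fragments that show up in 5007 messages when Defender is weakened.
DEFENDER_WEAKENING = ("\\exclusions\\paths\\", "\\exclusions\\extensions\\",
                      "\\exclusions\\processes\\", "disablerealtimemonitoring")

_ARG_RE = re.compile(r'"[^"]*"|\S+')


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def command_args(cmdline):
    """Split a Windows command line, honouring double-quoted arguments."""
    return [a.strip('"') for a in _ARG_RE.findall(cmdline)]


def check_process_event(ev):
    """Return the reasons a process-creation event is suspicious (empty if none)."""
    reasons = []
    if basename(ev["image"]) != "msbuild.exe":
        return reasons
    parent = basename(ev["parent_image"])
    if parent in SCRIPT_HOSTS:
        reasons.append(f"msbuild.exe spawned by scripting host {parent}")
    elif parent not in BUILD_PARENTS:
        reasons.append(f"msbuild.exe spawned by unexpected parent {parent}")
    for arg in command_args(ev["cmdline"]):
        low = arg.lower()
        if low.endswith(PROJECT_EXT) and any(frag in low for frag in USER_WRITABLE):
            reasons.append(f"project file in user-writable location: {arg}")
    return reasons


def check_defender_event(ev):
    """Return the Defender weakenings recorded in a 5007 configuration-change event."""
    if ev.get("event_id") != 5007:
        return []
    low = ev["message"].lower()
    return [f"Defender configuration weakened: {frag.strip(chr(92))}"
            for frag in DEFENDER_WEAKENING if frag in low]


def triage(process_events, defender_events):
    """Collect alerts from both event sources; each alert lists its reasons."""
    alerts = []
    for ev in process_events:
        reasons = check_process_event(ev)
        if reasons:
            alerts.append({"source": "process", "pid": ev["pid"], "reasons": reasons})
    for ev in defender_events:
        reasons = check_defender_event(ev)
        if reasons:
            alerts.append({"source": "defender", "record": ev["record"], "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry from the campaign).
VS_BIN = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin"
FW_BIN = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
PROCESS_EVENTS = [
    # Ordinary developer build: MSBuild started by Visual Studio on a source tree.
    {"pid": 3316, "image": VS_BIN + r"\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": f'"{VS_BIN}\\MSBuild.exe" C:\\src\\inventory\\inventory.csproj /t:Build'},
    # PowerShell launching MSBuild on a project file dropped in the user's Temp folder.
    {"pid": 4120, "image": FW_BIN + r"\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f'"{FW_BIN}\\MSBuild.exe" C:\\Users\\alice\\AppData\\Local\\Temp\\booking.xml /nologo'},
]
DEFENDER_EVENTS = [
    {"record": 1, "event_id": 5007,
     "message": r"Windows Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"},
    {"record": 2, "event_id": 5007,
     "message": r"Windows Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming = 0x0"},
]

if __name__ == "__main__":
    for alert in triage(PROCESS_EVENTS, DEFENDER_EVENTS):
        print(alert)
```

The benign build event is left alone, the PowerShell-launched MSBuild event is flagged twice (parent and project location), and only the 5007 record that adds an exclusion path is reported. In practice the rules would be fed from a SIEM or Sysmon export rather than the inline samples.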
The final payload is a modified DCRat, a well-known Remote Access Trojan (RAT) closely associated with the Russian-speaking cybercriminal underground. It establishes persistent access to the system, injects itself into legitimate Windows processes, captures keystrokes, gathers system information, and can download additional modules, including miners and other malware. To maintain persistence, an unusual technique is used involving .url shortcut files in the startup folder, which point to a local executable file.
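The .url persistence trick relies on a shortcut in the Startup folder whose URL= entry resolves to a local program rather than a web address. The script below is an added example, not Securonix's or the article's own code, that parses .url shortcuts and flags those launching a local executable; the shortcut contents are constructed samples, and the default Startup path is the standard per-user one.

```python
"""Hunting for .url startup shortcuts that point at a local executable.

Added example, not Securonix's or the article's own code. The shortcut
contents in SAMPLES are constructed; the per-user Startup folder is only
used when no folder is passed to scan_startup_folder().
"""
import ntpath
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

# Extensions Windows will run when the shortcut is opened at logon.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                  ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1"}
# Lower-cased fragments of locations any user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")


def parse_url_shortcut(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "internetshortcut" and key.strip().lower() == "url":
            return value.strip()
    return None


def local_target(url):
    """Map a shortcut URL to a Windows path if it targets the local machine or a UNC share."""
    if not url:
        return None
    if url.lower().startswith("file:"):
        parsed = urlparse(url)
        path = unquote(parsed.path).replace("/", "\\")
        if parsed.netloc and parsed.netloc.lower() != "localhost":
            return "\\\\" + parsed.netloc + path          # UNC share
        return path[1:] if re.match(r"^\\[A-Za-z]:", path) else path
    if re.match(r"^[A-Za-z]:[\\/]", url) or url.startswith("\\\\"):
        return url.replace("/", "\\")                     # bare drive or UNC path
    return None


def assess_shortcut(name, text):
    """Classify one .url file; 'suspicious' is True when it launches a local executable."""
    url = parse_url_shortcut(text)
    target = local_target(url)
    result = {"file": name, "url": url, "target": target, "suspicious": False, "reasons": []}
    if target is None:
        return result
    low = target.lower()
    if ntpath.splitext(low)[1] in EXECUTABLE_EXT:
        result["suspicious"] = True
        result["reasons"].append("startup shortcut launches a local executable")
        if any(frag in low for frag in USER_WRITABLE):
            result["reasons"].append("executable lives in a user-writable location")
    return result


def scan_startup_folder(folder=None):
    """Assess every .url file in the folder (default: the per-user Startup folder)."""
    if folder is None:
        folder = (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
                  / "Start Menu" / "Programs" / "Startup")
    return [assess_shortcut(p.name, p.read_text(errors="replace"))
            for p in sorted(Path(folder).glob("*.url"))]


# Constructed sample shortcuts (not taken from the campaign).
SAMPLES = {
    "Vendor Portal.url": "[InternetShortcut]\nURL=https://portal.example.com/\n",
    "Runtime Host.url": "[InternetShortcut]\nURL=file:///C:/Users/alice/AppData/Roaming/Runtime/host.exe\nIconIndex=0\n",
    "Notes.url": "[InternetShortcut]\nURL=file:///C:/Users/alice/Documents/notes.txt\n",
}


def demo():
    """Write the samples to a temporary folder, scan it and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLES.items():
            (Path(tmp) / name).write_text(text)
        return scan_startup_folder(tmp)


if __name__ == "__main__":
    for r in demo():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['file']}: {r['target'] or r['url']} {'; '.join(r['reasons'])}")
```

Only the shortcut whose target is an executable under AppData is flagged; a local document and a genuine web link pass. Running scan_startup_folder() with no argument on a Windows host checks the real per-user Startup folder; the common-startup folder under ProgramData can be passed explicitly.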
Researchers also noted traces of the Russian language in service strings and debug messages within the malicious code. The phrasing appears natural and grammatically correct, indicating development by native speakers or the use of ready-made toolkits from Russian-language underground forums. This aligns well with the choice of DCRat, which has long been popular in this specific segment.
The PHALT#BLYX campaign demonstrates how dangerous the combination of social engineering and so-called Living off the Land (LotL) techniques can be, where standard features of the operating system itself are used for the attack. In such scenarios, traditional signature-based protection often lags, and user behavior becomes the key factor. Experts advise paying special attention to employee training, being wary of urgent financial emails, and carefully monitoring unusual activity of system utilities like MSBuild. Increasingly, it is in details like these that a serious incident begins.