Suspected Russian cybercriminals are targeting European hotels and hospitality companies with a malware campaign that uses a fake “Blue Screen of Death” to trick victims into infecting their own systems, according to new research from Securonix.
The campaign, dubbed ‘PHALT#BLYX,’ begins with phishing emails posing as reservation cancellations from popular hotel booking platforms. The messages, typically titled “Reservation Cancellation,” include room charges in euros (often exceeding €1,000) to create urgency and pressure recipients into clicking.
Victims who select the “See Details” button are redirected to a fake booking page that displays a browser error claiming the page is loading too slowly. Clicking a “Refresh page” button then triggers a convincing imitation of the Windows Blue Screen of Death.
To resolve the fake error, users are instructed to follow a series of steps that ultimately lead them to paste a malicious script into the Windows Run dialog. A remote access trojan called ‘DCRat’ is then installed, allowing attackers to log keystrokes, steal passwords and clipboard data, disable Windows Defender, and maintain long-term access to infected devices.
As a decoy, a legitimate booking page opens while the malware operates in the background, downloading additional tools and evading detection.
Securonix said the campaign shows signs of a Russian connection, including Russian-language debug strings in malicious files, infrastructure traced to Russia, and the use of DCRat, which is commonly sold on Russian underground forums.