Booking Scam Deploys DCRat in European Hotels

A new phishing campaign targeting European hospitality businesses uses fraudulent reservation emails posing as Booking.com communications. This booking scam deploys DCRat through a multi-stage infection chain that starts with spoofed travel cancellations and leads to full system compromise, researchers at Securonix revealed.

Dubbed PHALT#BLYX, the campaign tricks hotel staff with urgent emails showing fake charges exceeding €1,000. Clicking “See Details” redirects victims through rogue domains, ultimately landing them on a fake Blue Screen of Death (BSoD) page. The page prompts users to initiate a “ClickFix” process that executes hidden PowerShell scripts.

Attackers deliver the payload through a malicious MSBuild project file, which bypasses detection by leveraging trusted Windows tools. The malware, a customized DCRat, enables keylogging, persistence through startup folders, and process hollowing for stealth. Russian-language artifacts suggest the campaign is linked to Russian-speaking threat actors.

The booking scam deploys DCRat with increasing sophistication, evading traditional defenses through social engineering and living-off-the-land tactics.
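
For defenders, the two host behaviours named above (MSBuild run against a project file, and persistence through the startup folder) can be hunted in process and file telemetry. The sketch below is an added example, not code from Securonix or the original article; the rule names, directory list, script-host list and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed heuristics, not from the Securonix report: user-writable directories
# where an MSBuild project file is unusual, and script hosts that rarely build code.
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
PROJ_EXT = (".proj", ".csproj", ".vbproj", ".targets", ".xml")
STARTUP = "\\start menu\\programs\\startup\\"

def exe(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()

def project_args(cmdline):
    """Arguments (after the image) that look like MSBuild project files."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return [t.lower() for t in tokens[1:] if t.lower().endswith(PROJ_EXT)]

def detect(events):
    """Return (event_index, rule_name) for Sysmon-style process/file events."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1 and exe(ev["Image"]) == "msbuild.exe":
            if exe(ev["ParentImage"]) in SCRIPT_PARENTS:
                hits.append((i, "msbuild_spawned_by_script_host"))
            if any(d in p for p in project_args(ev["CommandLine"]) for d in SUSPECT_DIRS):
                hits.append((i, "msbuild_project_in_user_writable_dir"))
        elif ev["EventID"] == 11 and STARTUP in ev["TargetFilename"].lower():
            hits.append((i, "startup_folder_write"))
    return hits

# Constructed sample events (field names follow Sysmon Event ID 1 and 11);
# every path and file name is a placeholder, not an indicator from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\ProgramData\example.proj'},
    {"EventID": 11, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "TargetFilename": r"C:\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.lnk"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe" D:\src\pms\pms.csproj'},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(idx, rule)
```

On hotel front-desk or back-office workstations, where no software is built, any MSBuild execution is worth reviewing, so the directory and parent filters can be relaxed there.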

Fake Booking.com lures and BSoD scams spread DCRat in European hospitality sector
