Russia-linked hackers fake Windows BSODs to trick European hotel staff

TL;DR

Security researchers say a campaign of phishing emails impersonating Booking.com is using fake Windows blue screens to coerce hospitality staff into running malicious PowerShell commands. The attack chain installs a remote-access trojan and employs MSBuild-based techniques that can evade conventional antivirus detection.

What happened

Researchers at Securonix have been tracking an infection campaign called PHALT#BLYX that targets hotels and other hospitality businesses in Europe. The attack begins with emails purporting to be from Booking.com, usually flagging a large euro-denominated charge. A 'See details' link leads to a realistic-looking booking page, then to a staged verification screen and a full-screen fake Windows Blue Screen of Death. The scare tactic prompts staff to follow on-screen instructions that include pasting and executing a PowerShell command — a social-engineering variant of the ClickFix approach. Because victims run the command themselves, the activity avoids many automated defenses. The script downloads additional components and leverages a legitimate Windows element to launch the attackers' code via an MSBuild execution path. Securonix says this culminates in the installation of a remote access trojan allowing persistent access and the potential delivery of further malware.

Why it matters

• Social-engineering through fabricated system crashes can trick staff into bypassing technical protections and running malware manually.
• The campaign focuses on hospitality organizations during a busy season and uses euro-denominated lures, suggesting European targeting.
• Attackers moved from simpler HTML Application techniques to MSBuild-based execution, complicating detection by antivirus and endpoint tools.
• Successful installs yield persistent remote access, enabling ongoing surveillance and follow-on payload delivery across compromised machines.

Key facts

• Securonix tracked the campaign and assigned it the name PHALT#BLYX.
• Phishing messages impersonate Booking.com and reference large charges in euros.
• Victims are shown a fake verification page that quickly displays a simulated Windows BSOD to induce panic.
• The attack relies on victims manually pasting and executing a PowerShell command — a ClickFix-style social-engineering technique.
• Downloaded components use a legitimate Windows component and an MSBuild-based execution chain to run malicious code.
• The final payload observed is a remote access trojan (linked to the DCRat family in the report).
• Researchers note Russian-language artifacts in MSBuild project files and that the DCRat family is commonly traded on Russian underground forums, strengthening suspicions of Russia-linked actors.
• The operators have evolved their methods over months, shifting away from earlier HTML Application techniques to more stealthy MSBuild approaches.

What to watch next

• Increased use of MSBuild-based execution and copy-paste PowerShell prompts as indicators of malicious activity.
• Whether similar lures and tactics begin appearing outside the hospitality sector or beyond Europe — not confirmed in the source.
• Any official advisories from Booking.com or industry bodies aimed at hotels about these impersonation emails — not confirmed in the source.

Quick glossary

• Blue Screen of Death (BSOD): A full-screen Windows error display that appears after a critical system failure; attackers can imitate it to alarm users.
• PowerShell: A Windows command-line shell and scripting language commonly used for system administration and, sometimes, abused by attackers to run commands and download malware.
• MSBuild: A Microsoft build platform that can compile and run project files; attackers may abuse it to execute code in ways that blend with normal system activity.
• Remote Access Trojan (RAT): Malware that gives an attacker ongoing remote control over an infected device, often used for spying or delivering additional payloads.
• Phishing: A social-engineering technique where attackers send deceptive messages to trick recipients into revealing information or executing actions that compromise security.

Reader FAQ

How did the attackers get initial access?
They used phishing emails impersonating Booking.com that lead staff to a staged page and a fake BSOD, prompting users to paste and run a PowerShell command.

Is Booking.com compromised?
Not confirmed in the source.

Who is behind the campaign?
Securonix reports Russian-language artifacts and notes the DCRat family is commonly traded on Russian forums, which they say strengthens suspicions of Russia-linked actors.

Are customers staying at affected hotels at risk?
Not confirmed in the source.

RESEARCH Fake Windows BSODs check in at Europe's hotels to con staff into running malware Phishers posing as Booking.com use panic-inducing blue screens to bypass security controls Carly Page Tue 6 Jan 2026…

Sources

• Fake Windows BSODs check in at Europe's hotels to con staff into running malware
• Fake Booking Emails Redirect Hotel Staff to Fake BSoD …
• Hotel staff tricked into installing malware by bogus BSODs
• Thousands of fake travel sites used in ongoing Russian …

Related posts

• Portland enacts phased ban on gas-powered leaf blowers beginning Jan. 1
• Congress reverses most proposed NASA science cuts, leaves Shuttle plan unresolved
• Ledger confirms customer data accessed in Global-e e-commerce breach