ClickFix BSOD Phishing Hits Europe’s Hospitality Sector


📅 January 5, 2026 | ⏱ 7 min read | 🔐 Category: Social Engineering

A new social engineering campaign is abusing fake Windows Blue Screen of Death screens to trick hotel staff into running malicious commands on their computers. Researchers at Securonix first observed this campaign in December 2025, tracking it as PHALT#BLYX. It targets hospitality operators across Europe, using phishing emails that impersonate Booking.com to lure victims into executing malware.

ClickFix is a social engineering technique that weaponizes the human instinct to fix broken systems. Attackers create fake error pages—mimicking Windows crashes, security warnings, or software updates—that instruct visitors to run a command to resolve the issue. Victims unknowingly execute malicious PowerShell or shell commands that infect their machines. What makes ClickFix effective is its simplicity: it bypasses the need for exploits and relies instead on user compliance.

How the campaign unfolds

The attack chain begins with a phishing email impersonating a guest cancellation from Booking.com. The message references a sizable refund, creating urgency that makes the recipient less cautious. Clicking the link takes the victim to a near-perfect clone of the Booking.com portal hosted on a lookalike domain such as low-house[.]com. The site uses authentic branding, colors, logos, and fonts—so convincing that untrained eyes cannot distinguish it from the real portal.

Once the page loads, JavaScript silently stages the next step. The victim sees a “Loading is taking too long” message and clicks to refresh; that click matters, because browsers only let a page write to the clipboard or enter full-screen mode in response to a user gesture. The page uses it to copy a prepared command to the clipboard and to push the browser into full-screen mode, where it draws a counterfeit Windows BSOD. On-screen instructions then tell the user to open the Windows Run dialog (Win+R), press CTRL+V to paste the pre-loaded command, and hit Enter to execute it.

Real Windows crash screens don’t work this way. A genuine bug check is drawn by the kernel after Windows has stopped; the system accepts no input other than a reboot and cannot display interactive instructions. The fake one is just a web page: pressing Esc exits full-screen mode, the mouse cursor still moves, and the taskbar and browser window come back. That is a reliable telltale, but staff under pressure to resolve a customer dispute may not stop to check.

When the user executes the pasted command, a PowerShell script launches a decoy Booking.com admin page to occupy their attention. Meanwhile, behind the scenes, the script downloads a .NET project file and compiles and runs it with MSBuild.exe, a legitimate build tool that ships with the .NET Framework on every Windows installation. Because a signed Microsoft binary does the compiling and the executing, no conventional executable is dropped on disk, which helps the step avoid detection.

The compiled payload asks for elevation through a User Account Control prompt; if the logged-on user holds local admin rights and clicks through, it adds Windows Defender exclusions so the malware can run undetected, a change that requires administrative privileges. It then uses the Background Intelligent Transfer Service (BITS, the Windows service that moves files in the background for Windows Update and other components) to fetch a primary loader from a remote server. Finally, it establishes persistence by dropping a shortcut file into the user’s Startup folder, so the malware relaunches each time that user logs on.

The final payload is a variant of DCRat, a remote access trojan. Once running, it hides inside a legitimate process, aspnet_compiler.exe, using process hollowing: the loader starts the signed Microsoft binary in a suspended state, overwrites its memory with the RAT, and resumes it, so a process listing shows only a trusted Microsoft program. The malware contacts a command-and-control server, sends a detailed fingerprint of the infected system, and awaits instructions.

From there, threat actors gain remote desktop-like access to the compromised machine. They can log keystrokes, execute shell commands, and deploy additional malware directly into memory. In the case observed by Securonix, operators installed a cryptocurrency miner. With a foothold on a front-desk workstation, attackers can move laterally into back-office systems, steal guest reservations and payment information, or compromise property management and point-of-sale networks.

Hospitality staff handle cancellations, refunds, and urgent guest issues daily, so incoming messages about these topics feel routine and legitimate. When a system appears broken, workers feel social pressure to fix it quickly—especially if a guest or manager is waiting. That sense of urgency overrides caution. The attack leverages a trusted brand and mimics familiar interfaces, collapsing the defenses that might otherwise catch a phishing attempt.

Security teams should monitor for patterns that indicate a PHALT#BLYX-style attack. Watch for PowerShell launching MSBuild.exe shortly after a browser session, particularly if network activity follows; the PowerShell process itself will have explorer.exe as its parent, because the Run dialog spawned it, and that lineage is unusual for anything other than a person typing a command by hand. Flag any modifications to Windows Defender exclusions (Defender records configuration changes as event ID 5007 in its Operational log), unexpected elevation prompts on user workstations, and BITS jobs fetching files from unfamiliar domains (the Microsoft-Windows-Bits-Client/Operational log records the source URL). New shortcut files created in a Startup folder and executions of aspnet_compiler.exe outside of development environments are also red flags. Pay particular attention to outbound connections from recently spawned processes; the browser’s switch to full-screen leaves no log entry, so the Run-dialog-to-PowerShell lineage is the earliest event most telemetry will actually record.
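The lineage checks above, as an added hunting script for this article (it is not Securonix’s detection content or the author’s code). It assumes Sysmon is installed with process-creation logging (Event ID 1); the sample records in Get-SampleProcessEvents are constructed for the demo, including a benign IDE-driven build that must not trip the chain rule, and the encoded command in them decodes to a harmless Write-Host. Get-SysmonProcessEvents reads the real log on a live host.

```powershell
# Added example: hunt for the PHALT#BLYX process lineage (explorer.exe -> PowerShell with
# evasion switches -> MSBuild.exe/csc.exe -> aspnet_compiler.exe) in Sysmon Event ID 1 data.

function Get-SampleProcessEvents {
    # Constructed Sysmon-style records, not real telemetry.
    # The -enc value is harmless: it decodes to "Write-Host hi".
    $ps  = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    $net = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319'
    @(
        [pscustomobject]@{ Time = [datetime]'2026-01-05T09:14:02'; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'
                           ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'firefox.exe' }
        [pscustomobject]@{ Time = [datetime]'2026-01-05T09:21:40'; Image = $ps; ParentImage = 'C:\Windows\explorer.exe'
                           CommandLine = 'powershell -w hidden -ep bypass -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=' }
        [pscustomobject]@{ Time = [datetime]'2026-01-05T09:21:48'; Image = "$net\MSBuild.exe"; ParentImage = $ps
                           CommandLine = 'MSBuild.exe C:\Users\frontdesk\AppData\Local\Temp\build.proj' }
        [pscustomobject]@{ Time = [datetime]'2026-01-05T09:22:10'; Image = "$net\aspnet_compiler.exe"; ParentImage = "$net\MSBuild.exe"
                           CommandLine = 'aspnet_compiler.exe' }
        # Benign: an IDE driving MSBuild on a developer machine should not produce a chain hit.
        [pscustomobject]@{ Time = [datetime]'2026-01-05T10:02:00'; Image = "$net\MSBuild.exe"
                           ParentImage = 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
                           CommandLine = 'MSBuild.exe app.sln' }
    )
}

function Get-SysmonProcessEvents {
    # Live source: Sysmon process-creation events, flattened to the same four fields as the samples.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $d.Image; ParentImage = $d.ParentImage; CommandLine = $d.CommandLine }
        }
}

function Find-ClickFixChain {
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowMinutes = 15)

    $hits = @(foreach ($e in $Events) {
        $img    = [IO.Path]::GetFileName([string]$e.Image).ToLowerInvariant()
        $parent = [IO.Path]::GetFileName([string]$e.ParentImage).ToLowerInvariant()

        # Rule 1: PowerShell whose parent is explorer.exe (what the Run dialog produces) carrying
        # hidden-window, execution-policy-bypass or encoded-command switches.
        if (($img -in 'powershell.exe', 'pwsh.exe') -and $parent -eq 'explorer.exe' -and
            $e.CommandLine -match '(?i)-(w(indowstyle)?\s+h|e(c|nc|ncodedcommand)?\s|ep\s+by|exec(utionpolicy)?\s+by)') {
            [pscustomobject]@{ Time = $e.Time; Rule = 'RunDialogPowerShell'; Detail = $e.CommandLine }
        }
        # Rule 2: build tools spawned by a shell or script host rather than an IDE or build agent.
        elseif (($img -in 'msbuild.exe', 'csc.exe') -and
                ($parent -in 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')) {
            [pscustomobject]@{ Time = $e.Time; Rule = 'BuildToolFromShell'; Detail = "$parent -> $img" }
        }
        # Rule 3: aspnet_compiler.exe, the hollowing host named in the report, on a non-developer box.
        elseif ($img -eq 'aspnet_compiler.exe') {
            [pscustomobject]@{ Time = $e.Time; Rule = 'AspnetCompilerExec'; Detail = "$parent -> $img" }
        }
    })

    # Escalate when a Run-dialog PowerShell precedes a shell-spawned build tool within the window:
    # that pairing is the PHALT#BLYX sequence, while either event alone may be noise on a dev host.
    $chains = @(foreach ($b in ($hits | Where-Object Rule -eq 'BuildToolFromShell')) {
        $prior = @($hits | Where-Object { $_.Rule -eq 'RunDialogPowerShell' -and $_.Time -le $b.Time -and
                                          ($b.Time - $_.Time).TotalMinutes -le $WindowMinutes })
        if ($prior.Count -gt 0) {
            [pscustomobject]@{ Time = $b.Time; Rule = 'ClickFixChain'; Detail = "PowerShell at $($prior[0].Time) then $($b.Detail)" }
        }
    })
    $hits + $chains | Sort-Object Time
}

# Offline demo over the constructed records: expect RunDialogPowerShell, BuildToolFromShell,
# ClickFixChain and AspnetCompilerExec hits; the devenv.exe build at 10:02 is not flagged.
Find-ClickFixChain -Events (Get-SampleProcessEvents) | Format-Table -AutoSize
# Live hunt on a Sysmon-instrumented host (run elevated):
# Find-ClickFixChain -Events (Get-SysmonProcessEvents) | Format-Table -AutoSize
```

The parent-process test in Rule 2 is deliberately a list of shells and script hosts rather than “anything but devenv.exe”, so a legitimate build agent that drives MSBuild from a service account does not page the on-call analyst; tune the list to what your developer estate actually uses, and feed the same four-field records from your EDR if you do not run Sysmon.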

Restrict developer tools on user endpoints by using AppLocker or Windows Defender Application Control to block MSBuild.exe, csc.exe, and similar binaries for standard users on front-desk machines; neither tool is needed there. Constrain PowerShell on front-of-house systems by enforcing Constrained Language Mode (delivered through a WDAC or AppLocker script policy, since the __PSLockdownPolicy environment variable on its own is trivially undone), enabling script block logging so executed code lands in event ID 4104, and alerting on PowerShell launched from explorer.exe with -EncodedCommand, -WindowStyle Hidden, or -ExecutionPolicy Bypass. Logs do not record that a command came from the clipboard, but that parent-and-switches combination is exactly what a pasted ClickFix command looks like. Where the Run dialog is not needed at all, the Group Policy setting “Remove Run menu from Start Menu” disables it, including the Win+R shortcut.

Lock down Background Intelligent Transfer Service by auditing which processes create BITS jobs and monitoring for transfers to external domains (Get-BitsTransfer -AllUsers lists every user’s jobs, including their remote URLs). Give front-desk staff standard user accounts and deploy just-in-time elevation for the rare administrative task that requires admin rights. The UAC prompt in this chain then asks for credentials the user does not have, so the Defender-exclusion step and everything that depends on it fails.

On shared kiosks used to access booking systems, use hardened browser profiles that disable the page full-screen API (Chrome and Edge both expose a FullscreenAllowed enterprise policy), deploy DNS filtering to block access to malicious domains, and maintain strict allowlists for approved channel manager portals. Strengthen email defenses by enforcing DMARC, DKIM, and SPF checks on inbound mail, clearly marking external messages, and routing refund or cancellation requests through ticketing systems that strip links and attachments. Train staff to handle any dispute only inside official portals they open themselves, never from a link in an email.
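The three preceding paragraphs describe one hardening baseline; here is an added posture check for it, written for this article rather than taken from the author or from Securonix. It is read-only, uses only standard Windows cmdlets and policy registry paths, and assumes it is run elevated on a front-desk workstation (the AppLocker and BITS queries need it). Every false or non-empty field it reports is a gap against the baseline above.

```powershell
# Added example: audit the ClickFix hardening baseline on a front-desk workstation. Nothing here
# changes a setting; it reports what the controls described above currently look like.

function Test-ClickFixHardening {
    $r = [ordered]@{}

    # Defender exclusions: the payload adds them, so a front-desk box should have none.
    $mp = Get-MpPreference
    $r.DefenderExclusions = @(@($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension) | Where-Object { $_ })

    # Run dialog: NoRun=1 under the Explorer policy key (user or machine) removes Run and Win+R.
    $noRun = foreach ($hive in 'HKCU:', 'HKLM:') {
        (Get-ItemProperty "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ErrorAction SilentlyContinue).NoRun
    }
    $r.RunDialogDisabled = @($noRun | Where-Object { $_ -eq 1 }).Count -gt 0

    # PowerShell logging: script block logging writes executed code to event ID 4104.
    $sbl = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $r.ScriptBlockLogging = ($sbl -eq 1)

    # Language mode of this session: run the check as the front-desk account to see what it gets;
    # ConstrainedLanguage is only tamper-resistant when a WDAC/AppLocker script policy enforces it.
    $r.LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()

    # AppLocker: is an Exe rule collection enforced, and would it deny MSBuild.exe and csc.exe?
    $pol = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $exe = $pol.RuleCollections | Where-Object RuleCollectionType -eq 'Exe'
    $r.AppLockerExeEnforced = ($exe.EnforcementMode -eq 'Enabled')
    $tools = @('C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe',
               'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe')
    $r.BuildToolsDenied = if ($pol) {
        @(Test-AppLockerPolicy -PolicyObject $pol -Path $tools | Where-Object PolicyDecision -like 'Denied*').Count -eq $tools.Count
    } else { $false }

    # Browser full-screen: Chrome and Edge honour a FullscreenAllowed policy; 0 blocks the page API.
    $fs = foreach ($k in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
        (Get-ItemProperty $k -ErrorAction SilentlyContinue).FullscreenAllowed
    }
    $r.BrowserFullscreenBlocked = @($fs | Where-Object { $_ -eq 0 }).Count -gt 0

    # Startup folders (the report's persistence location) and BITS jobs (its download channel).
    $startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    $r.StartupShortcuts = @(Get-ChildItem $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object FullName)
    $r.BitsJobs = @(Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Owner = $_.OwnerAccount; State = $_.JobState; Sources = ($_.FileList.RemoteName -join ', ') }
    })

    [pscustomobject]$r
}

# Usage (elevated): a false flag or a non-empty list is a finding to act on.
Test-ClickFixHardening | Format-List
```

Run it once as an administrator for the machine-level answers and once as the actual front-desk account to see the language mode and AppLocker decision that user really gets; the two runs differ on a box where the policy is scoped to standard users only.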

PHALT#BLYX demonstrates how effective social engineering can be when it aligns with real workflows and leverages trusted brands. The attackers don’t need to discover a software vulnerability if they can convince a busy staff member to paste a command. Combining straightforward user awareness—never execute instructions from a website—with technical controls that block PowerShell abuse, misuse of developer tools, and suspicious file transfers will break this attack chain. As threat actors refine this playbook for other travel and service industries, organizations that prepare their teams and systems now will have a significant advantage.

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.