“Blue Screen, Red Flag”: Inside the ClickFix RAT Assault on Europe’s Hotels
A cunning phishing campaign leverages fake Booking.com emails and browser trickery to unleash remote access trojans on the hospitality industry.
The hospitality sector across Europe faces a new breed of cyber threat as attackers deploy psychological sleight-of-hand and technical wizardry to compromise hotel systems. Under the guise of urgent Booking.com reservation cancellations and eerily convincing browser errors, the so-called ClickFix campaign is luring employees into a digital trap - leaving their networks wide open for remote hijacking.
Securonix researchers have sounded the alarm over a campaign they’ve dubbed PHALT#BLYX, which targets hospitality organizations with an arsenal of deception and advanced malware. The attack begins innocuously enough: an email, seemingly from Booking.com, claims a room reservation has been cancelled, complete with plausible financial details - a charge or refund exceeding €1,000. The message, designed to provoke urgency and concern, includes a link to a supposed customer support portal.
But clicking the link is where the trouble begins. Victims land on a counterfeit website that imitates Booking.com’s branding and presents a fake CAPTCHA. Instead of verifying humanity, this CAPTCHA is a gateway to further manipulation: a fake browser error and a full-screen animation simulating the infamous Windows Blue Screen of Death. The screen urges users to press a specific sequence of keys, unwittingly granting the attackers the foothold they need.
Behind the scenes, this key sequence executes hidden PowerShell commands, downloading a malicious MSBuild project file. The infection chain is both technical and insidious: MSBuild compiles and runs the embedded payload, which disables Windows Defender, establishes persistence, and deploys a customized DCRat (a fork of the notorious AsyncRAT) remote access trojan. The malware then attempts to escalate privileges, using User Account Control prompts to trick users into granting administrative access.
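As an added defender-side example (not from the article or from Securonix), the Python below flags the PowerShell-to-MSBuild step described above in constructed process-creation events; the pipe-separated record format, the sample paths and the list of script-host parents are assumptions, not published rule content.

```python
import re

# Constructed Sysmon-style process-creation events in a simple key=value|key=value
# format (not real telemetry). The first record mirrors the chain described above.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=MSBuild.exe C:\\Users\\frontdesk\\AppData\\Local\\Temp\\x.proj",
    "EventID=1|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Visual Studio\\2022\\Common7\\IDE\\devenv.exe"
    "|CommandLine=MSBuild.exe \"C:\\src\\booking app\\app.csproj\" /t:Build",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
]

# Script hosts that have no business invoking a compiler on a front-desk workstation (assumed list).
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Where project files are expected on this estate (assumed); anything else is treated as user-writable.
BUILD_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\src", "c:\\build")
# Quoted or unquoted path ending in an MSBuild project extension.
PROJ_RE = re.compile(r'"([^"]+\.(?:proj|csproj|vbproj))"|(\S+\.(?:proj|csproj|vbproj))', re.I)


def parse_event(line):
    """Split one constructed event record into a dict of its fields."""
    return dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)


def is_suspicious(ev):
    """True when MSBuild is launched by a script host on a project file outside known build trees."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if not image.endswith("msbuild.exe") or parent not in SCRIPT_PARENTS:
        return False
    m = PROJ_RE.search(ev.get("CommandLine", ""))
    if not m:
        return False
    proj = (m.group(1) or m.group(2)).lower()
    return not proj.startswith(BUILD_DIRS)


def scan(lines):
    """Return the parsed events that match the PowerShell -> MSBuild pattern."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

A developer build from Visual Studio on a project under a known source tree is deliberately left alone, so the rule is tuned to the stated TTP rather than to MSBuild itself.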
What makes ClickFix especially dangerous is its resilience. The RAT’s communications can randomize connection points and even use online services like Pastebin as “dead-drop” relays, making it difficult for defenders to disrupt the botnet by taking down individual servers. This operational sophistication, combined with the campaign’s tailored lures and technical depth, suggests a threat group with significant resources and a keen understanding of both technology and human psychology.
As the hospitality sector gears up for a busy travel season, this ClickFix campaign serves as a stark reminder: the weakest link in cybersecurity is often human trust. With attackers constantly refining their social engineering playbooks and malware arsenals, vigilance and layered defenses are more crucial than ever. For hotel staff and IT teams, the message is clear - behind every blue screen, there may lurk a far more sinister threat.
WIKICROOK
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often exploit it to perform malicious actions stealthily.
- MSBuild: MSBuild is a Microsoft tool for building software, but attackers can also exploit it to run malware undetected on Windows systems.
- Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.