

Ethical Hacking News

A Sophisticated Phishing Campaign Reduces to a Malicious .NET Trojan: A Cautionary Tale for Hotel Staff



Cybersecurity researchers at Securonix have uncovered a phishing campaign that uses sophisticated tactics to trick victims into running commands that deliver a malicious .NET Trojan known as Dark Crystal RAT (DCRat). The attack targeted European hospitality organizations and was disguised as legitimate emails from Booking.com. This article provides an in-depth look at the attack vector used and offers tips on how individuals can protect themselves against similar threats.

  • Threat actors use a sophisticated phishing campaign impersonating Booking.com to trick victims into downloading malicious PowerShell commands.
  • The initial step involves a phishing email with a link to a fake website, warning of an unexpected reservation cancellation.
  • Victims are redirected to a bogus BSoD page and prompted to open the Windows Run dialog to execute a PowerShell command that deploys DCRat, an off-the-shelf .NET Trojan.
  • The attackers use "ClickFix-style" lures and living-off-the-land (LotL) techniques to bypass security measures.
  • The campaign targets European organizations and features room charge details in Euros.



    Threat actors are running a sophisticated phishing campaign that masquerades as legitimate email from Booking.com in order to trick victims into downloading and executing malicious PowerShell commands that ultimately deliver the Dark Crystal RAT (DCRat) Trojan.

    According to cybersecurity researchers at Securonix, the initial step of the attack chain involves a phishing email impersonating Booking.com. The email warns recipients of an unexpected reservation cancellation and urges them to click a link to confirm the cancellation. The link leads to a fake website, purportedly from "low-house[.]com".

    Upon clicking the link, the victim is redirected to a bogus BSoD page with recovery instructions, claiming that their computer needs to be restarted in order to fix the issue. However, instead of executing these "recovery instructions", the user is prompted to open the Windows Run dialog and paste a command, followed by pressing the Enter key.

    This results in the execution of a PowerShell command that ultimately deploys DCRat, an off-the-shelf .NET Trojan that can harvest sensitive information and expand its functionality through a plugin-based architecture. The malware can connect to an external server, profile the infected system, and await incoming commands from the server, allowing attackers to log keystrokes, run arbitrary commands, and deliver additional payloads like a cryptocurrency miner.

    To achieve this, the threat actors rely on "ClickFix-style" lures: the page displays fixes for fake blue screen of death (BSoD) errors in attacks targeting the European hospitality sector.

    The attackers also leverage living-off-the-land (LotL) techniques, such as abusing trusted system binaries like "MSBuild.exe", to move the attack to the next stage, establish a deeper foothold, and maintain persistence within compromised hosts.

    The campaign is also notable for its use of a customized MSBuild project file to proxy execution. This technique demonstrates a deep understanding of modern endpoint protection mechanisms, allowing attackers to bypass security measures more effectively.
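A defender-side way to look for the process chain described above (a shell started from the Run dialog, then MSBuild.exe building a project file) in process-creation telemetry. This is an added example, not code from Securonix or the original article; the field names follow Sysmon Event ID 1, and the rule names, path list and sample events are assumptions constructed for illustration.

```python
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Assumption: a front-desk workstation has no reason to build projects from these paths.
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)
PROJECT_FILE = re.compile(r"\.(?:proj|csproj|targets|xml)\b", re.I)

def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def has_arguments(command_line):
    # Drop the leading (possibly quoted) executable token; the rest was supplied by the caller.
    return bool(re.sub(r'^\s*(?:"[^"]*"|\S+)', "", command_line).strip())

def triage(events):
    """Return {pid: [rule, ...]} for process-creation events matching the chain."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        image, parent = exe_name(ev["Image"]), exe_name(ev["ParentImage"])
        cmd, rules = ev["CommandLine"], []
        # Heuristic: Run-dialog launches are children of explorer.exe and carry arguments.
        if parent == "explorer.exe" and image in SCRIPT_HOSTS and has_arguments(cmd):
            rules.append("shell_with_args_from_explorer")
        if image == "msbuild.exe":
            if parent in SCRIPT_HOSTS:
                rules.append("msbuild_from_script_host")
            if PROJECT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
                rules.append("msbuild_project_in_user_writable_path")
            if ev["ParentProcessId"] in hits:  # correlate with an earlier flagged process
                rules.append("child_of_flagged_process")
        if rules:
            hits[ev["ProcessId"]] = rules
    return hits

FIELDS = ("UtcTime", "ProcessId", "ParentProcessId", "Image", "ParentImage", "CommandLine")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed events: only the file name v.proj is from the article; the rest are placeholders.
SAMPLE = [dict(zip(FIELDS, row)) for row in (
    ("09:00:01", 4100, 900, PS, EXPLORER, "powershell.exe -Command <placeholder>"),
    ("09:00:04", 4188, 4100, MSB, PS, r"MSBuild.exe C:\ProgramData\v.proj"),
    ("09:10:00", 5000, 900, PS, EXPLORER, f'"{PS}"'),  # benign: interactive shell
    ("09:12:00", 5100, 3000, MSB, r"D:\VS\devenv.exe", r"MSBuild.exe D:\src\app\app.csproj"),
)]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a suspected host, commands entered in the Run dialog are also recorded in the user's `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` registry key, which is worth collecting during triage.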

    According to the researchers at Securonix, "the phishing emails notably feature room charge details in Euros, suggesting the campaign is actively targeting European organizations." The use of Russian language within the 'v.proj' MSBuild file links this activity to Russian threat actors using DCRat.

    In conclusion, this highly sophisticated phishing campaign serves as a reminder for hotel staff and other individuals handling sensitive information to remain vigilant against such threats. The attack vector used by attackers is not only convincing but also shows an understanding of modern endpoint protection mechanisms.

    In order to prevent falling victim to attacks like the one described above, it's essential to follow proper security protocols and best practices when dealing with emails from unknown sources. This includes verifying the sender's identity and never clicking on links or downloading attachments from suspicious messages. By staying informed and taking proactive steps, individuals can protect themselves against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Sophisticated-Phishing-Campaign-Reduces-to-a-Malicious-NET-Trojan-A-Cautionary-Tale-for-Hotel-Staff-ehn.shtml

  • https://thehackernews.com/2026/01/fake-booking-emails-redirect-hotel.html


  • Published: Tue Jan 6 06:40:51 2026 by llama3.2 3B Q4_K_M












