
Hotels, travel agencies: Fake blue screen, real manipulation


Since late 2025, a new attack campaign called PHALT#BLYX has been targeting the hotel and travel industry in Europe on a massive scale. The Airbnb platform is also likely to be affected. Contrary to what one might imagine, it is not a “Windows technical flaw” that is being exploited, but an organized human manipulation called the “Blue Screen of Death” scam.

This type of attack illustrates a major shift: cybercriminals no longer need to “break” your systems; they exploit your teams.


The fake blue screen (BSOD): how the scam works

The campaign targets Windows users. It usually starts with a phishing email that looks like it’s from Booking.com. To make it seem more urgent, these messages say there’s been a booking cancellation or a big payment change, which makes the recipient want to click on it.

Once you click on the link:

  1. The victim is redirected to a near-perfect clone of the booking.com website.
  2. A fake verification step (fake CAPTCHA) is displayed.
  3. This step leads to a simulated blue screen of death (BSOD) in the browser.
  4. Under pressure and believing they are solving a critical problem, users are guided to execute a command in the Windows Run box, which actually installs spyware such as AsyncRAT (see the section on the infection chain at the end of this article).

This scenario exploits fear, apparent urgency, and the authority of a well-known brand to get someone to voluntarily take dangerous action, making the technique extremely effective.

At this stage, no cybercriminal group has been formally identified as being behind this campaign. Analysts are referring to it as an opportunistic cybercrime operation, relying on widely available tools and social engineering techniques that have already been documented.


Extent of victims of this scam

This model is part of a broader movement of cyber threats that is now well known: phishing and social engineering. These remain among the main vectors for major security incidents, sometimes causing financial losses, data theft, or service disruptions.

In the PHALT#BLYX campaign, the European hotel and travel sector was designated as a priority target, with scenarios designed to exploit the stress of busy periods.

At this stage, there are no official figures available to accurately quantify the number of victims of this attack. However, published analyses describe a large-scale phishing campaign specifically targeting the hotel and travel sector in Europe. The lack of public figures is consistent with the nature of these attacks, which exploit legitimate actions and are rarely detected immediately.

Sources:
Help Net Security
Microsoft Security Blog
Secureworld


5 Rules to avoid the scam

This attack works because it looks like a normal work message. Detection therefore does not rely on “being good at computers,” but on simple and verifiable reflexes.

First instinct, always: check the sender's address. The name displayed may be Booking.com Support, but the real indicator is the full address behind it. So, check:

  • the exact domain (e.g. @booking.com@booking-support.com)
  • the presence of look-alike characters (bookìng, booklng, bokking)
  • misleading subdomains (booking.com.secure-check[.]xyz)

👉 A legitimate professional email does not use homemade domains.
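As an added example (not part of the article), here is a small Python check that turns the three bullets above into code: the real domain is whatever follows the last "@", accented look-alikes are folded to ASCII and compared by edit distance, and a brand name sitting as a subdomain of another registrable domain is flagged. The address strings are constructed for illustration, and the registrable-domain logic is a simplification that ignores public suffix lists.

```python
import re
import unicodedata

# Brand domain the phishing mail impersonates (taken from the article).
EXPECTED_DOMAIN = "booking.com"

def extract_address(from_header: str) -> str:
    """Address part of a From header; the display name is ignored on purpose."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip()

def fold_ascii(label: str) -> str:
    """Strip accents so a look-alike such as 'bookìng' compares as 'booking'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats like 'booklng'/'bokking'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str, expected: str = EXPECTED_DOMAIN) -> list:
    """Red flags for a From header; an empty list means the expected domain."""
    flags = []
    address = extract_address(from_header)
    if address.count("@") != 1:
        flags.append("several '@' signs: the real domain is after the last one")
    # Mail is routed by the text after the LAST '@', whatever precedes it.
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain == expected or domain.endswith("." + expected):
        return flags
    labels = domain.split(".")
    sld = fold_ascii(labels[-2]) if len(labels) > 1 else fold_ascii(labels[0])
    registrable = ".".join(labels[-2:])  # simplification: no public-suffix list
    brand = expected.split(".")[0]
    if (expected + ".") in domain:
        flags.append(f"brand used as a subdomain of unrelated domain {registrable}")
    elif edit_distance(sld, brand) <= 2:
        flags.append(f"look-alike of {brand!r}: {registrable}")
    elif brand in sld:
        flags.append(f"brand name embedded in unrelated domain {registrable}")
    else:
        flags.append(f"unrelated domain {registrable}")
    return flags
```

Running `check_sender` over the three addresses quoted in the bullets returns a non-empty list for each of them, while a genuine `noreply@booking.com` (or a subdomain such as `mail.booking.com`) returns an empty list.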

Fraudulent messages almost always use:

  • a financial emergency (payment blocked, imminent cancellation)
  • an operational threat (account suspended, reservation lost)
  • urgent vocabulary: immediate, action required, final reminder

👉 In real life, Booking, like Expedia or Agoda, does not issue threats in a single message and does not ask you to act immediately outside an official channel.

Major red flag if the email asks you to:

  • execute a command
  • install a tool
  • “fix” a system problem
  • contact support via a link or number provided

👉 No booking platform requires any local technical action on a workstation. EVER.

If you have accidentally clicked on the link, here’s how to tell a real Windows blue screen from a fake one.

Real BSOD:
  • Blocks the machine (nothing else can be done)
  • Does not display any instructions
  • No action required
  • Does not provide any links, QR codes, or contact information

Fake BSOD:
  • Appears in the browser
  • Is often accompanied by explanatory text
  • Insists on “following the steps” or contacting support

👉 As soon as an error screen asks for action: it’s suspicious.

A clear rule, repeated and displayed:

In case of doubt or apparent emergency:
do not act alone. Alert someone.

In practical terms, the message is passed through the single defined channel (IT/advisor/management), and when in doubt the affected workstation is isolated before any repair attempt is made.

Important: no blame will be assigned in the event of a false alarm.

👉 An organisation that punishes doubt encourages attacks.


Key takeaways

This scam doesn’t work because people are naive. It works because it fits into everyday professional life. The best defense is to:

  • Never click in an emergency.
  • Take the time to check. Don’t rush. No panic.
  • Never face an emergency alone.

Circulate information quickly among teams as soon as a suspicious message is identified. Feel free to share a screenshot and explain why it is a scam.


Conclusion: Cybersecurity is no longer just about technology. Well-constructed psychological manipulation can compromise an entire organisation.


A good defence also requires:

  • understanding manipulation mechanisms
  • behaviour-oriented training
  • clear rules in emergency situations.

Going further

If you manage a hotel, travel agency or tourist rentals, we can offer you a personalised guide to best operational practices, specifically tailored to your business constraints: technical incidents, operational pressure, access to customer data and emergency management.

And to prepare effectively for a CyberIA crisis, we have developed a 360° approach that provides an operational framework capable, among other things, of anticipating possible scenarios, clarifying responsibilities and training teams to respond under pressure.

The PHALT#BLYX infection chain results in the installation of a Remote Access Trojan (RAT) such as DCRat, an equivalent of AsyncRAT.

The goal is not just one-off compromise, but sustained access to compromised systems via a tool that hides behind official system processes.

This type of Trojan horse allows the hacker to do the following 👉

The hacker sees everything. The systems you use. The websites you visit. The messages you write, to whom, and when. They observe how you work, like a spy.

Every keystroke is recorded. Usernames, passwords, searches, messages. The hacker retrieves everything you type.

Even after a restart, even if the user thinks that ‘the problem is solved’, the software remains. The hacker can return whenever they want, without repeating the attack.

Data visible or accessible from the workstation is copied and sent remotely. Customer data, documents, invoices, reservations, internal access. Exfiltration often occurs without immediate alert.

