Particle.news

Fake Booking.com Emails Use BSOD ‘Fix’ to Plant DCRat in European Hotels

Securonix details the active PHALT#BLYX campaign abusing PowerShell with MSBuild to bypass defenses.

Overview

  • Phishing messages pose as reservation cancellations and route hotel staff to high‑fidelity Booking.com clones hosted on domains such as low-house[.]com.
  • The site shows a CAPTCHA followed by a full‑screen fake BSOD that instructs users to paste a command, which runs a PowerShell dropper while opening the real Booking.com admin page as a decoy.
  • The dropper retrieves an MSBuild project (v.proj) from 2fa-bns[.]com, executes it via MSBuild.exe to compile a .NET payload, configures Microsoft Defender exclusions, repeatedly triggers UAC prompts for elevation, and sets Startup persistence.
  • The resulting malware is DCRat, a .NET RAT that enables remote control, keylogging, command execution, and delivery of additional payloads, including a cryptocurrency miner observed in at least one case.
  • Researchers observed activity in late December 2025 and published details this week, noting euro‑denominated lures and Russian‑language artifacts that suggest European targeting and possible Russian‑language links without firm attribution.
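For defenders, the chain above (PowerShell launching MSBuild.exe on a user-writable .proj file, and Defender exclusions added from a shell) is what endpoint process-creation telemetry should surface. The following is an added illustration, not code from Securonix or the article: it runs three simple rules over constructed Sysmon-style process events (the paths, user name and command lines are invented samples) and returns which rules each event trips.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / 4688 style).
# None of these values come from the report; they are invented for illustration.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\front-desk\AppData\Local\Temp\v.proj"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "Add-MpPreference -ExclusionPath $env:APPDATA"'},
    {"parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe Contoso.sln /t:Build"},
]

# Script hosts that should rarely be the parent of a build tool on a hotel front-desk PC.
SHELL_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# A .proj file sitting under a user-writable directory rather than a source tree.
USER_WRITABLE_PROJ = re.compile(r"\\(Users|AppData|Temp|ProgramData|Public)\\[^\s\"]*\.proj\b", re.I)

# Defender exclusion being added from the command line (any -Exclusion* parameter).
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s+.*-exclusion", re.I)


def _basename(win_path: str) -> str:
    """Return the lower-cased file name of a Windows path (works on any host OS)."""
    return win_path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of the rules this single event matches, in a fixed order."""
    hits = []
    image, parent, cmdline = _basename(event["image"]), _basename(event["parent"]), event["cmdline"]
    if image == "msbuild.exe" and parent in SHELL_PARENTS:
        hits.append("msbuild-from-shell")
    if image == "msbuild.exe" and USER_WRITABLE_PROJ.search(cmdline):
        hits.append("msbuild-user-writable-project")
    if image in SHELL_PARENTS and DEFENDER_EXCLUSION.search(cmdline):
        hits.append("defender-exclusion")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, matched_rules) for every event that matches at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

The Visual Studio build in the third event matches nothing, which is the point of keying on the parent process and the project file's location rather than on MSBuild.exe alone.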