Executive Summary
In early 2024, a sophisticated phishing campaign known as 'ClickFix' targeted organizations in the hospitality sector with convincing fake 'Blue Screen of Death' error messages. Attackers leveraged social engineering techniques combined with a legitimate Microsoft utility to trick victims into executing malicious payloads. Once engaged, the attack delivered the DCRat remote access trojan, granting cybercriminals ongoing access and control over affected systems. The campaign demonstrated how legitimate tools and realistic lures can bypass conventional defenses, resulting in compromised credentials, lateral network movement, and potential data exfiltration.
This incident reflects a wider trend of threat actors increasingly turning to legitimate software and advanced social engineering to evade detection. Remote access trojans like DCRat continue to be used in targeted attacks, particularly against sectors with complex digital footprints and limited security controls, making it vital for organizations to adapt their threat detection capabilities.
Why This Matters Now
The use of convincing system error impersonations and legitimate tools in the ClickFix campaign marks an escalation in attacker sophistication, which can deceive even tech-savvy users. With remote access trojans like DCRat on the rise and attackers actively targeting verticals like hospitality, organizations must strengthen east-west security controls and invest in advanced threat detection to respond to evolving, high-impact phishing campaigns.
Attack Path Analysis
The attackers initiated their campaign by using social engineering and a fake Blue Screen of Death to trick users in the hospitality sector into executing a malicious payload through a legitimate Microsoft tool. After establishing a foothold, the attackers likely attempted to escalate privileges to achieve persistence and expand access. With the DCRat remote access trojan deployed, attackers may have explored the cloud environment, attempting lateral movement to reach sensitive systems. DCRat enabled outbound command-and-control communication, maintaining attacker access. Once entrenched, attackers attempted exfiltration of sensitive data or credentials via outbound channels. The ultimate impact could include data theft, disruption of operations, or further malware deployment.
Kill Chain Progression
Initial Compromise
Description
Attackers used a fake Blue Screen of Death and social engineering to trick users into running a malicious payload through a legitimate Microsoft tool, deploying DCRat.
Related CVEs
CVE-2025-24813
CVSS 9.8. A critical remote code execution vulnerability in Apache Tomcat due to a path equivalency flaw, allowing attackers to execute arbitrary code on affected systems.
Affected Products:
Apache Tomcat – 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98
Exploit Status:
exploited in the wild
CVE-2025-23209
CVSS 8.1. A high-severity code injection vulnerability in Craft CMS versions 4 and 5, allowing remote code execution due to compromised user security keys.
Affected Products:
Pixel & Tonic Craft CMS – 4.x, 5.x
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
User Execution: Malicious File
Signed Binary Proxy Execution: Compiled HTML File
Remote Access Software
Command and Scripting Interpreter: Windows Command Shell
Event Triggered Execution: Component Object Model Hijacking
Process Injection
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Awareness Training
Control ID: 12.6.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Requirements
Control ID: Article 9
CISA ZTMM 2.0 – User Security Training
Control ID: Governance – Awareness & Training
NIS2 Directive – Incident Handling – Security in Network and Information Systems
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Hospitality
Primary target of DCRat campaigns using fake BSOD social engineering, requiring enhanced threat detection, egress security, and zero trust segmentation for guest systems.
Information Technology/IT
Critical infrastructure vulnerable to remote access trojans exploiting legitimate Microsoft tools, demanding comprehensive threat detection, anomaly response, and inline IPS capabilities.
Computer/Network Security
Direct threat vector exposure requiring advanced multicloud visibility, encrypted traffic analysis, and cloud native security fabric deployment against sophisticated social engineering attacks.
Health Care / Life Sciences
High-value target requiring HIPAA compliance alignment with zero trust segmentation, encrypted traffic protection, and robust threat detection against DCRat infiltration attempts.
Sources
- ClickFix Campaign Serves Up Fake Blue Screen of Death: https://www.darkreading.com/cyberattacks-data-breaches/clickfix-campaign-fake-blue-screen-of-death (Verified)
- Fake Booking.com lures and BSoD scams spread DCRat in European hospitality sector: https://securityaffairs.com/186606/cyber-crime/fake-booking-com-lures-and-bsod-scams-spread-dcrat-in-european-hospitality-sector.html (Verified)
- PHALT#BLYX Campaign Uses Fake Booking.com Alerts to Deploy DCRat in European Hospitality Attacks: https://www.thecybersyrup.com/p/phalt-blyx-campaign-uses-fake-booking-com-alerts-to-deploy-dcrat-in-european-hospitality-attacks (Verified)
- CISA Adds Four Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2024/09/30/cisa-adds-four-known-exploited-vulnerabilities-catalog (Verified)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Enforcing Zero Trust segmentation, robust egress controls, east-west traffic inspection, and threat detection would have limited the attacker’s ability to move laterally, establish command and control, and exfiltrate data at multiple stages of the kill chain.
Control: Threat Detection & Anomaly Response
Mitigation: Abnormal user or endpoint actions are detected as possible initial compromise.
Control: Zero Trust Segmentation
Mitigation: Lateral movement and privilege escalation attempts are restricted by granular access controls.
Control: East-West Traffic Security
Mitigation: Lateral movement between workloads is prevented or detected.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 channels are blocked, disrupted, or logged.
Control: Encrypted Traffic (HPE) and Inline IPS (Suricata)
Mitigation: Data exfiltration attempts are detected and blocked in transit.
Automated, distributed enforcement detects and contains harmful actions.
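The two controls above that map most directly onto host and network telemetry are Threat Detection & Anomaly Response (catching the execution chain listed under MITRE ATT&CK: a Compiled HTML File proxy execution that hands off to the Windows command shell) and Egress Security & Policy Enforcement (blocking or logging outbound channels that no approved process should be opening). The following Python is an added example written for this page; it is not code from the report's authors or from any vendor product the report mentions. It runs both checks over constructed, Sysmon-style process-creation and network-connection records, then correlates a blocked egress attempt back to the process lineage that produced it. Every pid, path, filename and address is constructed sample data, and the egress allowlist is a hypothetical policy, not an observed indicator from the campaign.

```python
"""Detection and egress-policy checks for the ClickFix-style chain in this brief.

Added example, not part of the original report. It exercises two of the
page's mitigations over constructed, Sysmon-style event records:
  1. Threat Detection & Anomaly Response: the Compiled HTML Help viewer
     (hh.exe, ATT&CK T1218.001) spawning a Windows command shell (T1059.003).
  2. Egress Security & Policy Enforcement: outbound connections are allowed
     only for processes on an explicit allowlist; all others are blocked and logged.
Every pid, path and address below is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
PROCESS_EVENTS = [
    {"pid": 4100, "parent_pid": 900, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe"},
    {"pid": 4212, "parent_pid": 4100, "image": r"C:\Windows\hh.exe",
     "command_line": r"hh.exe C:\Users\guest\Downloads\alert.chm"},
    {"pid": 4300, "parent_pid": 4212, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\guest\AppData\Local\Temp\upd.exe"},
    {"pid": 4350, "parent_pid": 4300, "image": r"C:\Users\guest\AppData\Local\Temp\upd.exe",
     "command_line": "upd.exe"},
    # Benign: a shell the user opened from the desktop; must not alert.
    {"pid": 5000, "parent_pid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
]

# Constructed network-connection events (fields modelled on Sysmon Event ID 3).
NETWORK_EVENTS = [
    {"pid": 4350, "image": r"C:\Users\guest\AppData\Local\Temp\upd.exe",
     "dest_ip": "203.0.113.45", "dest_port": 443},
    {"pid": 6100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443},
    {"pid": 6200, "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "10.0.5.20", "dest_port": 445},
]

CHM_VIEWER = "hh.exe"
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Hypothetical egress allowlist: process basename -> permitted external ports.
EGRESS_ALLOWLIST = {"firefox.exe": {80, 443}, "svchost.exe": {80, 443}}
INTERNAL_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def lineage(events, pid):
    """Walk parent_pid links and return the process chain, root first."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["parent_pid"]
    return list(reversed(chain))


def detect_chm_proxy_execution(events):
    """Alert when hh.exe is the direct parent of a shell interpreter."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev["parent_pid"])
        if parent and basename(parent["image"]) == CHM_VIEWER \
                and basename(ev["image"]) in SHELL_INTERPRETERS:
            alerts.append(Alert("chm_spawns_shell", ev["pid"], ev["command_line"]))
    return alerts


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def evaluate_egress(events, allowlist=EGRESS_ALLOWLIST):
    """Return (decision, event) pairs. East-west traffic belongs to a separate
    control, so only connections leaving the internal ranges are judged here."""
    decisions = []
    for ev in events:
        if is_internal(ev["dest_ip"]):
            decisions.append(("internal", ev))
            continue
        ports = allowlist.get(basename(ev["image"]), set())
        decisions.append(("allow" if ev["dest_port"] in ports else "block-and-log", ev))
    return decisions


def triage(process_events, network_events):
    """Attach process lineage to each blocked egress so an analyst sees the
    whole chain (explorer.exe > hh.exe > cmd.exe > upd.exe) in one record."""
    findings = []
    for decision, ev in evaluate_egress(network_events):
        if decision == "block-and-log":
            findings.append({"pid": ev["pid"], "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                             "lineage": lineage(process_events, ev["pid"])})
    return findings


if __name__ == "__main__":
    for a in detect_chm_proxy_execution(PROCESS_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
    for f in triage(PROCESS_EVENTS, NETWORK_EVENTS):
        print("blocked egress:", f)
```

The egress check deliberately keys on the process rather than on the destination: a RAT's command-and-control endpoint changes between campaigns, but a binary running out of a user's temp directory opening an external socket is a stable signal, and the correlation step turns a single blocked connection into the full lineage an incident responder needs.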
Impact at a Glance
Affected Business Functions
- Reservations
- Check-in systems
- Payment processing
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of customer personal and payment information due to unauthorized access facilitated by DCRat.
Recommended Actions
Key Takeaways & Next Steps
- Enforce east-west traffic segmentation and microsegmentation across your cloud and hybrid network to limit lateral movement.
- Deploy rigorous egress controls and URL/domain filtering to detect and block outbound command & control and exfiltration attempts.
- Implement real-time anomaly detection and distributed threat response to identify initial access and malicious activity early.
- Require least privilege access and identity-based segmentation to minimize the blast radius if credentials are compromised.
- Integrate central, multi-cloud visibility tools for rapid detection, auditing, and policy enforcement across environments.