PHALT#BLYX: Fake BSOD Campaign Targets Hospitality

Red | Attack Report
Summary

PHALT#BLYX is an active and sophisticated malware campaign first observed in late 2025 that specifically targets the European hospitality sector through highly deceptive phishing operations. The PHALT#BLYX campaign uses advanced social engineering techniques, including fake Booking.com reservation cancellations and ClickFix tactics combined with fake Blue Screen of Death (BSOD) displays to manipulate victims into manually executing malicious PowerShell commands on their Windows systems.

The PHALT#BLYX attack chain demonstrates technical sophistication by abusing legitimate Windows system tools, particularly MSBuild.exe, to bypass security controls and evade detection by endpoint protection solutions. The campaign deploys DCRat, a Russian-linked remote access trojan with extensive capabilities including keylogging, remote control, and process injection techniques. The malware’s Russian-language debug strings provide attribution indicators linking PHALT#BLYX to Russian-speaking threat actors.

Organizations in the hospitality industry face elevated risk from the PHALT#BLYX campaign and should implement enhanced monitoring for suspicious MSBuild.exe executions, unauthorized Windows Defender exclusion modifications, and network connections to command-and-control infrastructure operating on port 3535. The campaign’s focus on hotel staff handling online reservations makes security awareness training particularly critical for frontline hospitality employees.

Attack Details

Initial Access Through Brand Impersonation

The PHALT#BLYX campaign initiates attacks through carefully crafted phishing emails that impersonate Booking.com, one of the world’s most recognized online travel booking platforms. These PHALT#BLYX phishing messages use urgent booking cancellation scenarios with significant financial charges to create psychological pressure that compels recipients to click embedded malicious links without careful scrutiny. The targeting specifically focuses on European hospitality sector employees, particularly hotel staff members who regularly handle online reservations and booking modifications.

The social engineering tactics employed in PHALT#BLYX attacks exploit the time-sensitive nature of hospitality operations, where staff members must quickly address customer booking issues to maintain service quality. This pressure creates an environment where victims are more likely to bypass normal security precautions when confronted with what appears to be a legitimate booking cancellation requiring immediate attention.

ClickFix Social Engineering and Fake BSOD

When PHALT#BLYX victims click the malicious link in the phishing email, they are redirected to a convincing fake Booking.com webpage hosted on attacker-controlled infrastructure. This fraudulent page initially displays a fake browser error message stating “Loading is taking too long” accompanied by a “Refresh page” button designed to appear legitimate. When users click this button, the PHALT#BLYX attack triggers a browser-based full-screen fake Windows Blue Screen of Death display.

This fake BSOD represents a critical component of the PHALT#BLYX ClickFix technique, manipulating users into believing their system has experienced a critical error requiring immediate action. The fraudulent error screen instructs victims to press Windows+R to open the Run dialog and paste a command that has been silently copied to their clipboard by malicious JavaScript. This ClickFix social engineering technique in PHALT#BLYX attacks represents an evolution beyond traditional malware delivery, as it tricks users into manually executing malicious code rather than relying on automated exploitation of software vulnerabilities.

Malicious PowerShell Execution Chain

By following the fake BSOD instructions, PHALT#BLYX victims manually execute a malicious PowerShell command that initiates the infection chain. This PowerShell script downloads a malicious MSBuild project file (v.proj) and abuses MSBuild.exe, a legitimate Microsoft build tool included with the .NET Framework, to compile and execute the malicious payload locally on the compromised system. The PHALT#BLYX campaign’s abuse of MSBuild.exe represents a “living off the land” technique that helps the malware evade detection by security solutions that typically trust digitally-signed Microsoft binaries.

Before downloading additional payloads, the PHALT#BLYX malware adds comprehensive Windows Defender exclusions for the ProgramData directory and critical file extensions including .exe, .ps1, and .proj files. These exclusions disable antivirus scanning for the directories and file types used throughout the PHALT#BLYX infection chain, significantly reducing the likelihood of detection. If the malware is running without administrator privileges, PHALT#BLYX employs a “UAC Spam” technique that repeatedly prompts the victim for elevation through User Account Control dialogs until the user eventually grants administrator access out of frustration.
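The two host-side behaviours described above, a script host launching MSBuild.exe against a .proj file in a user-writable directory and Add-MpPreference exclusions for ProgramData and the .exe/.ps1/.proj extensions, are both visible in ordinary process-creation telemetry (Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled). The following detection logic is an added example, not code from the advisory or from Securonix; the event records, file paths and parent/child pairs are constructed for illustration, and the parent-process list and "user-writable" path prefixes are heuristics chosen here, not values from the page.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record, using the fields Sysmon Event ID 1 / Security 4688 provide."""
    parent_image: str
    image: str
    command_line: str

# Parents from which MSBuild.exe is rarely launched legitimately (heuristic, assumed here).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Locations a standard user can write to; real build projects normally live in source trees, not here.
USER_WRITABLE = ("c:\\programdata", "\\appdata\\", "\\temp\\", "c:\\users\\public")
# Extensions the advisory says the campaign excludes from Defender scanning.
CAMPAIGN_EXTS = {".exe", ".ps1", ".proj"}

PROJ_ARG_RE = re.compile(r"(\S+\.proj)\b", re.I)
EXCL_KIND_RE = re.compile(r"-exclusion(path|extension|process)\s+([^\s;\"']+)", re.I)

# Constructed sample events (paths and names are assumptions for illustration).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -c "Add-MpPreference -ExclusionPath C:\ProgramData; '
              r'Add-MpPreference -ExclusionExtension .exe,.ps1,.proj"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\ProgramData\v.proj"),
    # Benign: an IDE building a developer's own project from a source tree.
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\dev\src\App\App.csproj /t:Build"),
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_msbuild(ev: ProcEvent) -> list:
    """T1127.001 heuristics: MSBuild.exe spawned by a script host, or compiling a .proj from a user-writable path."""
    if basename(ev.image) != "msbuild.exe":
        return []
    reasons = []
    parent = basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by {parent}")
    m = PROJ_ARG_RE.search(ev.command_line)
    if m and any(p in m.group(1).lower() for p in USER_WRITABLE):
        reasons.append(f"project file in user-writable path: {m.group(1)}")
    return reasons

def check_defender_exclusion(ev: ProcEvent) -> list:
    """T1562.001 heuristics: Add-MpPreference exclusions matching the campaign's pattern."""
    if "add-mppreference" not in ev.command_line.lower():
        return []
    reasons = []
    for kind, value in EXCL_KIND_RE.findall(ev.command_line):
        kind = kind.lower()
        if kind == "path" and any(p in value.lower() for p in USER_WRITABLE):
            reasons.append(f"ExclusionPath on user-writable location: {value}")
        elif kind == "extension":
            exts = {e.strip().lower() for e in value.split(",")}
            hit = sorted(exts & CAMPAIGN_EXTS)
            if hit:
                reasons.append("ExclusionExtension covers " + ",".join(hit))
        elif kind == "process":
            reasons.append(f"ExclusionProcess: {value}")
    return reasons

def scan(events) -> list:
    """Run both rules over every event; return one alert dict per (event, rule) that fired."""
    alerts = []
    for i, ev in enumerate(events):
        for rule, fn in (("msbuild_proxy_exec", check_msbuild),
                         ("defender_exclusion", check_defender_exclusion)):
            reasons = fn(ev)
            if reasons:
                alerts.append({"event": i, "rule": rule, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both rules return a list of reasons rather than a boolean so that an analyst sees why an event fired; the benign Visual Studio build in the sample trips neither rule because its parent is not a script host and its project lives in a source tree.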

Persistence and DCRat Deployment

The PHALT#BLYX campaign establishes persistence through an unconventional Internet Shortcut file named DeleteApp.url placed in the Windows Startup folder. This persistence mechanism ensures the malware automatically executes each time the compromised system boots or the user logs in, maintaining long-term access even after system restarts.

The final payload deployed by PHALT#BLYX is a customized variant of DCRat, a well-documented remote access trojan with established links to Russian-speaking threat actors. The Russian attribution is evidenced by Russian-language debug strings embedded within the DCRat code used in PHALT#BLYX attacks. This DCRat variant provides extensive post-exploitation capabilities including complete remote control of the compromised system, keylogging functionality to capture sensitive credentials and communications, and process hollowing techniques that inject malicious code into legitimate Windows processes like aspnet_compiler.exe to hide malicious activities.
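An Internet Shortcut (.url) is an INI-style text file whose [InternetShortcut] section carries a URL= line; placed in a Startup folder it runs whatever that target resolves to at logon, which is why the DeleteApp.url persistence above works. The scanner below is an added example, not code from the advisory or from Securonix; it parses .url files and rates any whose target is a local file (file:// or a bare drive path), executable content, or a user-writable location. The sample shortcut contents are constructed, and the target DeleteApp.url is given here is an assumption, since the advisory does not state what the real file points to.

```python
import configparser
import glob
import os
from typing import Optional
from urllib.parse import urlsplit, unquote

# As a Startup-folder shortcut target these mean "run this", not "open this page" (list assumed here).
EXEC_EXTS = (".exe", ".ps1", ".proj", ".bat", ".cmd", ".vbs", ".js", ".hta", ".dll")
USER_WRITABLE = ("c:\\programdata", "\\appdata\\", "\\temp\\", "c:\\users\\public")

# Constructed .url contents; the DeleteApp.url target is an assumption for illustration.
SAMPLE_STARTUP = {
    "DeleteApp.url": "[InternetShortcut]\nURL=file:///C:/ProgramData/Stub.exe\nIconIndex=0\n",
    "Intranet.url": "[InternetShortcut]\nURL=https://intranet.example.invalid/\n",
    "Notes.url": "[InternetShortcut]\nURL=C:\\Users\\Public\\notes.ps1\n",
}

def shortcut_target(text: str) -> Optional[str]:
    """Return the URL= value of an Internet Shortcut, or None if the text is not one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
        return cp.get("InternetShortcut", "url", fallback=None)  # keys are case-folded
    except configparser.Error:
        return None

def local_path(target: str) -> Optional[str]:
    """Normalise file:// URLs and bare drive paths to a Windows path; None for remote targets."""
    parts = urlsplit(target)
    if parts.scheme == "file":
        return unquote(parts.path.lstrip("/")).replace("/", "\\")
    if len(parts.scheme) == 1:  # "C:\..." parses with scheme 'c'
        return target
    return None

def assess_shortcut(name: str, text: str) -> dict:
    """Rate one .url file found in a Startup folder."""
    target = shortcut_target(text)
    if target is None:
        return {"name": name, "target": None, "verdict": "malformed", "reasons": ["no URL= entry"]}
    reasons = []
    path = local_path(target)
    if path is not None:
        reasons.append("target is a local file, not a web address")
        low = path.lower()
        if low.endswith(EXEC_EXTS):
            reasons.append("target is executable content")
        if any(p in low for p in USER_WRITABLE):
            reasons.append("target lives in a user-writable location")
    verdict = "high" if len(reasons) >= 2 else "review" if reasons else "low"
    return {"name": name, "target": target, "verdict": verdict, "reasons": reasons}

def scan_startup(entries: dict) -> list:
    """Assess a {filename: contents} mapping; returns one result dict per shortcut."""
    return [assess_shortcut(n, t) for n, t in entries.items()]

def load_startup_folders() -> dict:
    """Read every .url from the per-user and all-users Startup folders on a live Windows host."""
    dirs = [
        os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    found = {}
    for d in dirs:
        for p in glob.glob(os.path.join(d, "*.url")):
            with open(p, encoding="utf-8", errors="replace") as fh:
                found[p] = fh.read()
    return found

if __name__ == "__main__":
    entries = load_startup_folders() or SAMPLE_STARTUP  # fall back to the constructed samples
    for result in scan_startup(entries):
        print(result["verdict"], result["name"], result["target"], result["reasons"])
```

A .url in a Startup folder is unusual enough that even a "review" verdict deserves a look; the scoring only separates the clearly bad case (local executable in a user-writable path) from an ordinary web bookmark.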

The PHALT#BLYX campaign demonstrates significant technical maturity and represents an evolution in cybercriminal tradecraft, highlighting how modern threats increasingly rely on sophisticated social engineering and abuse of trusted system tools rather than traditional software exploit-based delivery methods. This shift makes user awareness and behavioral detection capabilities more critical than ever for organizations defending against advanced threats like PHALT#BLYX.

Recommendations

User Awareness and Security Training

Organizations must implement comprehensive security awareness training that specifically educates employees to recognize phishing emails using urgency, financial pressure, or impersonation of trusted platforms like Booking.com. Training on PHALT#BLYX should emphasize recognition of the fake browser error screens and fake Blue Screen of Death displays that are characteristic of ClickFix attacks. Security training must reinforce the fundamental principle that legitimate system errors never instruct users to manually run commands through the Windows Run dialog or PowerShell, as this behavior is exclusively associated with malware campaigns like PHALT#BLYX.

Trusted System Tool Restrictions

Security teams should implement strict application control policies limiting the use of high-risk built-in tools such as msbuild.exe and powershell.exe for users who do not require these tools for legitimate development activities. Organizations should deploy Windows Defender Application Control (WDAC) or AppLocker policies to prevent unauthorized misuse of trusted binaries that PHALT#BLYX abuses. Continuous monitoring and alerting should be configured to detect unusual or user-initiated executions of MSBuild.exe, PowerShell, and other potentially dangerous system tools that may indicate PHALT#BLYX compromise.

Enhanced Endpoint Detection

Organizations must enable detailed process creation logging and command-line auditing across all endpoints to capture the execution chains characteristic of PHALT#BLYX attacks. PowerShell Script Block Logging should be activated to record malicious scripts executed during PHALT#BLYX infections. Endpoint Detection and Response (EDR) solutions should be tuned to specifically detect process injection techniques, persistence mechanisms, and defense evasion behaviors associated with DCRat and PHALT#BLYX malware.

Email and Web Security Controls

Advanced email filtering solutions must be deployed to detect brand impersonation attempts and phishing campaigns such as PHALT#BLYX that target the hospitality sector. DNS and web gateway security controls should block newly registered domains and look-alike domains that imitate legitimate services such as Booking.com. Organizations should implement continuous phishing simulation testing to assess employee susceptibility to social engineering tactics and identify individuals requiring additional security training.

Incident Response Preparation

Security operations teams must create specific detection rules for abnormal MSBuild.exe and PowerShell execution chains indicative of PHALT#BLYX compromise. Incident response playbooks should be prepared specifically for remote access trojan infections like DCRat, outlining procedures for rapid system isolation, forensic analysis, and credential rotation. Organizations must ensure incident response capabilities include rapid containment of affected endpoints and thorough investigation to identify the full scope of PHALT#BLYX compromise across the environment.

Indicators of Compromise (IoCs)

Network Infrastructure

IPv4 Addresses: 194[.]169[.]163[.]140, 193[.]221[.]200[.]233, 13[.]223[.]25[.]84

Malicious Domains: Oncameraworkout[.]com/ksbo, low-house[.]com, asj77[.]com, asj88[.]com, asj99[.]com, wmk77[.]com, 8eh18dhq9wd[.]click

Malicious URLs: hxxp[:]//2fa-bns[.]com

File-Based Indicators

Malicious File Names: Ps1.ps1, payload_1.ps1, .ps1, v.proj, v.proj.ps1, Stub.exe/Staxs.exe/tydb7.exe, Stub.exe, DeleteApp.url, Wwigu.exe, Lbpyjxefa.dll

Cryptographic Hashes

SHA256: cd3604fb9fe210261de11921ff1bea0a7bf948ad477d063e17863cede1fadc41, 13b25ae54f3a28f6d01be29bee045e1842b1ebb6fd8d6aca23783791a461d9dd, 9fac0304cfa56ca5232f61034a796d99b921ba8405166743a5d1b447a7389e4f, 9fc15d50a3df0ac7fb043e098b890d9201c3bb56a592f168a3a89e7581bc7a7d, bf374d8e2a37ff28b4dc9338b45bbf396b8bf088449d05f00aba3c39c54a3731, 11c1cfce546980287e7d3440033191844b5e5e321052d685f4c9ee49937fa688, 07845fcc83f3b490b9f6b80cb8ebde0be46507395d6cbad8bc57857762f7213a, 08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198, 2f3d0c15f1c90c5e004377293eaac02d441eb18b59a944b2f2b6201bb36f0d63, 33f0672159bb8f89a809b1628a6cc7dddae7037a288785cff32d9a7b24e86f4b, 6bd31dfd36ce82e588f37a9ad233c022e0a87b132dc01b93ebbab05b57e5defd, 1f520651958ae1ec9ee788eefe49b9b143630c340dbecd5e9abf56080d2649de, 9c891e9dc6fece95b44bb64123f89ddeab7c5efc95bf071fb4457996050f10a0, e68a69c93bf149778c4c05a3acb779999bc6d5bcd3d661bfd6656285f928c18e, 18c75d6f034a1ed389f22883a0007805c7e93af9e43852282aa0c6d5dafaa970, 91696f9b909c479be23440a9e4072dd8c11716f2ad3241607b542b202ab831ce
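The indicators above are defanged for safe publication and have to be refanged before they can be matched against logs. The script below is an added example, not code from the advisory or from Securonix: it refangs the listed IPs, domains and URL, takes a subset of the listed SHA256 hashes, and matches them against constructed DNS, proxy, firewall and EDR log lines, treating the port 3535 C2 traffic mentioned in the summary as a weak indicator unless it coincides with a listed IP. The log format (space-separated key=value pairs) and all client addresses and timestamps are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as printed in the advisory (defanged). Hashes: three of the listed SHA256s.
RAW_IPS = "194[.]169[.]163[.]140, 193[.]221[.]200[.]233, 13[.]223[.]25[.]84"
RAW_DOMAINS = ("Oncameraworkout[.]com/ksbo, low-house[.]com, asj77[.]com, asj88[.]com, "
               "asj99[.]com, wmk77[.]com, 8eh18dhq9wd[.]click")
RAW_URLS = "hxxp[:]//2fa-bns[.]com"
RAW_HASHES = ("cd3604fb9fe210261de11921ff1bea0a7bf948ad477d063e17863cede1fadc41, "
              "13b25ae54f3a28f6d01be29bee045e1842b1ebb6fd8d6aca23783791a461d9dd, "
              "9fac0304cfa56ca5232f61034a796d99b921ba8405166743a5d1b447a7389e4f")
C2_PORT = "3535"  # from the advisory's summary; a weak indicator on its own

def refang(text: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in the advisory."""
    return text.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def _split(raw: str) -> list:
    return [refang(x.strip()) for x in raw.split(",") if x.strip()]

def host_of(value: str) -> str:
    """Bare lowercase host from 'host/path' or a full URL."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()

IOC_IPS = set(_split(RAW_IPS))
IOC_DOMAINS = {host_of(d) for d in _split(RAW_DOMAINS)} | {host_of(u) for u in _split(RAW_URLS)}
IOC_HASHES = {h.lower() for h in _split(RAW_HASHES)}

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed log lines (key=value format, client IPs and timestamps are assumptions).
SAMPLE_LOG = [
    "2025-11-03T09:12:41Z dns client=10.0.5.23 query=low-house.com type=A",
    "2025-11-03T09:12:45Z proxy client=10.0.5.23 url=http://2fa-bns.com/index.html status=200",
    "2025-11-03T09:13:02Z fw src=10.0.5.23 dst=194.169.163.140 dport=3535 action=allow",
    "2025-11-03T09:13:05Z fw src=10.0.5.23 dst=203.0.113.10 dport=443 action=allow",
    r"2025-11-03T09:13:10Z edr host=FD-01 file=C:\ProgramData\v.proj "
    "sha256=cd3604fb9fe210261de11921ff1bea0a7bf948ad477d063e17863cede1fadc41",
    "2025-11-03T09:14:00Z dns client=10.0.5.40 query=cdn.asj77.com type=A",
    "2025-11-03T09:15:12Z fw src=10.0.5.40 dst=198.51.100.7 dport=3535 action=allow",
]

def domain_hit(name: str):
    """Match the name itself or any subdomain of a listed domain."""
    name = name.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None

def match_line(line: str) -> list:
    """Return indicator tags found in one log line (empty list if none)."""
    hits, dport = [], None
    for key, value in KV_RE.findall(line):
        v = value.lower()
        if key == "dport":
            dport = v
        if v in IOC_IPS:
            hits.append(f"ip:{v}")
        elif v in IOC_HASHES:
            hits.append(f"sha256:{v}")
        elif "://" in v or key in ("query", "host"):
            d = domain_hit(host_of(v))
            if d:
                hits.append(f"domain:{d}")
    if dport == C2_PORT:
        hits.append("port:3535" + ("" if hits else " (weak: port only)"))
    return hits

def scan(lines) -> dict:
    """Map line index -> hits for every line that matched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG).items():
        print(i, hits, "|", SAMPLE_LOG[i])
```

Suffix matching on domains catches subdomains of the listed C2 domains, and the port-only hit is reported separately so that ordinary traffic on port 3535 does not drown out the high-confidence IP and hash matches.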

MITRE ATT&CK TTPs

Resource Development (TA0042)

The PHALT#BLYX campaign requires significant infrastructure development including malicious domains, phishing pages, and command-and-control servers to support the multi-stage attack operation.

Initial Access (TA0001)

T1566 – Phishing: PHALT#BLYX utilizes phishing emails as the primary initial access vector targeting hospitality sector employees.

T1566.002 – Spearphishing Link: The campaign employs malicious links embedded in phishing emails that redirect victims to fake Booking.com pages hosting the ClickFix social engineering attack.

Execution (TA0002)

T1059 – Command and Scripting Interpreter: PHALT#BLYX relies heavily on PowerShell and MSBuild.exe for malicious code execution throughout the infection chain.

T1059.001 – PowerShell: Malicious PowerShell commands downloaded and executed by victims form the foundation of the PHALT#BLYX infection process.

T1204 – User Execution: The ClickFix technique manipulates users into manually executing malicious commands, making user interaction a critical component of PHALT#BLYX attacks.

T1204.001 – Malicious Link: Victims click malicious links in phishing emails to initiate the PHALT#BLYX attack sequence.

T1204.002 – Malicious File: Users execute malicious files downloaded through the PowerShell infection chain.

T1127 – Trusted Developer Utilities Proxy Execution: PHALT#BLYX abuses legitimate Microsoft build tools to execute malicious code.

T1127.001 – MSBuild: The campaign specifically exploits MSBuild.exe, a trusted Microsoft binary, to compile and execute malicious project files while evading security controls.

Persistence (TA0003)

T1547 – Boot or Logon Autostart Execution: PHALT#BLYX establishes persistence to survive system reboots.

T1547.001 – Registry Run Keys / Startup Folder: The malware creates an Internet Shortcut file (DeleteApp.url) in the Windows Startup folder to ensure automatic execution.

Defense Evasion (TA0005)

T1562 – Impair Defenses: PHALT#BLYX actively disables security controls to avoid detection.

T1562.001 – Disable or Modify Tools: The malware adds Windows Defender exclusions for directories and file extensions used throughout the attack chain.

T1027 – Obfuscated Files or Information: PHALT#BLYX employs obfuscation techniques to conceal malicious code.

T1027.002 – Software Packing: The DCRat payload utilizes packing to evade signature-based detection.

T1036 – Masquerading: Malicious files use deceptive names and injection into legitimate processes to appear benign.

T1036.005 – Match Legitimate Name or Location: PHALT#BLYX malware components use names and locations that mimic legitimate system files.

T1140 – Deobfuscate/Decode Files or Information: The infection chain involves multiple stages of decoding and decompressing malicious payloads.

Privilege Escalation (TA0004)

T1548 – Abuse Elevation Control Mechanism: PHALT#BLYX attempts to gain administrator privileges through User Account Control manipulation.

T1548.002 – Bypass User Account Control: The “UAC Spam” technique repeatedly prompts victims for elevation until administrator access is granted.

Credential Access (TA0006)

T1056 – Input Capture: DCRat deployed by PHALT#BLYX includes keylogging functionality to capture credentials.

T1056.001 – Keylogging: The remote access trojan records keystrokes to steal sensitive information including passwords and authentication credentials.

Command and Control (TA0011)

T1095 – Non-Application Layer Protocol: PHALT#BLYX establishes command-and-control communications using non-standard protocols.

T1055 – Process Injection: DCRat injects malicious code into legitimate processes to hide command-and-control activities.

T1055.012 – Process Hollowing: The malware hollows out legitimate binaries like aspnet_compiler.exe and replaces them with malicious code while maintaining the appearance of normal process execution.

References

https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/
