Threat Research: PHALT#BLYX: Fake BSODs and Trusted Build Tools
Essential information
- Published
- 09/01/2026 09:47
- Modified
- 09/01/2026 10:36
- Tags
- 2026-01-09 asyncrat click-fix dcrat msbuild phishing process-hollowing social engineering
- Related entities
- 20 observables, 1 intrusion sets (apt), 2 techniques (mitre), 2 malware, 9 others
Description
The PHALT#BLYX campaign targets the hospitality sector using sophisticated social engineering and advanced techniques. It begins with a phishing email mimicking a Booking.com reservation cancellation, leading victims to a fake website. Users are tricked into executing malicious PowerShell commands through a fake BSOD and click-fix social engineering tactic. The malware leverages MSBuild.exe to bypass defenses and deploys a customized DCRat payload. It establishes persistence, disables Windows Defender, and uses process hollowing to inject into legitimate processes. The campaign shows evolution from earlier, simpler methods and demonstrates a deep understanding of modern endpoint protection. Attribution points to Russian-speaking threat actors, given the presence of Cyrillic debug strings and the use of DCRat, a popular tool in Russian underground forums.