216.73.217.139

Threat Research: PHALT#BLYX: Fake BSODs and Trusted Build Tools

· Published 09/01/2026 09:47 · Modified 09/01/2026 10:36

Export JSON

Essential information

Published
09/01/2026 09:47
Modified
09/01/2026 10:36
Tags
2026-01-09 asyncrat click-fix dcrat msbuild phishing process-hollowing social engineering
Related entities
20 observables, 1 intrusion sets (apt), 2 techniques (mitre), 2 malware, 9 others

Description

The PHALT#BLYX campaign targets the hospitality sector using sophisticated and advanced techniques. It begins with a email mimicking a Booking.com reservation cancellation, leading victims to a fake website. Users are tricked into executing malicious PowerShell commands through a fake BSOD and tactic. The malware leverages .exe to bypass defenses and deploys a customized payload. It establishes persistence, disables Windows Defender, and uses process hollowing to inject into legitimate processes. The campaign shows evolution from earlier, simpler methods and demonstrates a deep understanding of modern endpoint protection. Attribution points to Russian-speaking threat actors, given the presence of Cyrillic debug strings and the use of , a popular tool in Russian underground forums.

External references