{
  "name": "Threat Research: PHALT#BLYX: Fake BSODs and Trusted Build Tools",
  "slug": "threat-research-phaltblyx-fake-bsods-and-trusted-build-tools",
  "description": "The PHALT#BLYX campaign targets the hospitality sector using sophisticated social engineering and advanced techniques. It begins with a phishing email mimicking a Booking.com reservation cancellation, leading victims to a fake website. Users are tricked into executing malicious PowerShell commands through a fake BSOD and click-fix social engineering tactic. The malware leverages MSBuild.exe to bypass defenses and deploys a customized DCRat payload. It establishes persistence, disables Windows Defender, and uses process hollowing to inject into legitimate processes. The campaign shows evolution from earlier, simpler methods and demonstrates a deep understanding of modern endpoint protection. Attribution points to Russian-speaking threat actors, given the presence of Cyrillic debug strings and the use of DCRat, a popular tool in Russian underground forums.",
  "published": "2026-01-09T08:47:05+00:00",
  "created_at": "2026-01-09T08:47:05+00:00",
  "modified_at": "2026-01-09T09:36:31+00:00",
  "created_at_opencti": "2026-01-09T08:47:05+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-09",
    "asyncrat",
    "click-fix",
    "dcrat",
    "msbuild",
    "phishing",
    "process-hollowing",
    "social engineering"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "194.169.163.140"
      },
      {
        "id": "",
        "name": "https://2fa-bns.com/"
      },
      {
        "id": "",
        "name": "http://2fa-bns.com/win/ajsb.exe"
      },
      {
        "id": "",
        "name": "13b25ae54f3a28f6d01be29bee045e1842b1ebb6fd8d6aca23783791a461d9dd"
      },
      {
        "id": "",
        "name": "2f3d0c15f1c90c5e004377293eaac02d441eb18b59a944b2f2b6201bb36f0d63"
      },
      {
        "id": "",
        "name": "1f520651958ae1ec9ee788eefe49b9b143630c340dbecd5e9abf56080d2649de"
      },
      {
        "id": "",
        "name": "07845fcc83f3b490b9f6b80cb8ebde0be46507395d6cbad8bc57857762f7213a"
      },
      {
        "id": "",
        "name": "9c891e9dc6fece95b44bb64123f89ddeab7c5efc95bf071fb4457996050f10a0"
      },
      {
        "id": "",
        "name": "08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198"
      },
      {
        "id": "",
        "name": "33f0672159bb8f89a809b1628a6cc7dddae7037a288785cff32d9a7b24e86f4b"
      },
      {
        "id": "",
        "name": "cd3604fb9fe210261de11921ff1bea0a7bf948ad477d063e17863cede1fadc41"
      },
      {
        "id": "",
        "name": "e68a69c93bf149778c4c05a3acb779999bc6d5bcd3d661bfd6656285f928c18e"
      },
      {
        "id": "",
        "name": "18c75d6f034a1ed389f22883a0007805c7e93af9e43852282aa0c6d5dafaa970"
      },
      {
        "id": "",
        "name": "9fc15d50a3df0ac7fb043e098b890d9201c3bb56a592f168a3a89e7581bc7a7d"
      },
      {
        "id": "",
        "name": "bf374d8e2a37ff28b4dc9338b45bbf396b8bf088449d05f00aba3c39c54a3731"
      },
      {
        "id": "",
        "name": "9fac0304cfa56ca5232f61034a796d99b921ba8405166743a5d1b447a7389e4f"
      },
      {
        "id": "",
        "name": "91696f9b909c479be23440a9e4072dd8c11716f2ad3241607b542b202ab831ce"
      },
      {
        "id": "",
        "name": "11c1cfce546980287e7d3440033191844b5e5e321052d685f4c9ee49937fa688"
      },
      {
        "id": "",
        "name": "6bd31dfd36ce82e588f37a9ad233c022e0a87b132dc01b93ebbab05b57e5defd"
      },
      {
        "id": "",
        "name": "8d176cc0b442d32482b2489e01a38edc71df80e03db2099193be65fedc9a34a4"
      }
    ],
    "malware": [
      {
        "id": "f200fb60-5446-493f-9712-9f26d65956cc",
        "name": "AsyncRAT",
        "slug": "asyncrat"
      },
      {
        "id": "eb832bdd-0dcb-4866-8f63-4dd299798562",
        "name": "DCRat",
        "slug": "dcrat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "fc14d11e-b187-4c6c-aec9-a96a39c2ca4c",
        "name": "PHALT#BLYX",
        "slug": "phaltblyx"
      }
    ],
    "attack_patterns": [
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Hospitality"
      },
      {
        "id": "",
        "name": "oncameraworkout.com"
      },
      {
        "id": "",
        "name": "wmk77.com"
      },
      {
        "id": "",
        "name": "asj88.com"
      },
      {
        "id": "",
        "name": "low-house.com"
      },
      {
        "id": "",
        "name": "8eh18dhq9wd.click"
      },
      {
        "id": "",
        "name": "2fa-bns.com"
      },
      {
        "id": "",
        "name": "asj77.com"
      },
      {
        "id": "",
        "name": "asj99.com"
      }
    ]
  },
  "external_refs": [
    "https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection",
    "https://otx.alienvault.com/pulse/6960ce99819838117ecc31a2"
  ]
}