The PHALT#BLYX campaign is a multi-stage malware infection targeting the hospitality sector, leveraging fake Booking[.]com lures, click-fix social engineering, and fake Blue Screen of Death (BSOD) tactics. Attackers abuse trusted Windows utilities (MSBuild.exe) to execute malicious code, ultimately deploying a customized DCRat (AsyncRAT variant) for remote control, persistence, and secondary payload delivery.
Severity: High
Key Findings
- Target Industry: Specifically targets European hospitality organizations, often using phishing lures themed around Booking[.]com reservation cancellations.
- Attribution: The campaign is linked to Russian-speaking threat actors due to the use of DCRat (commonly sold on Russian forums) and native Russian debug strings found in the malware’s project files.
- Tactical Shift: Attackers have evolved from using simpler .hta files to more evasive “Living off the Land” techniques, specifically abusing MSBuild.exe to bypass traditional security controls.
The Multi-stage Attack Chain
- Initial Access: Victims receive a phishing email regarding a high-value reservation charge (€1,004.38) to create urgency.
- Social Engineering (ClickFix): A link leads to a high-fidelity clone of Booking[.]com that displays a fake “Blue Screen of Death” (BSOD).
- Clipboard Injection: The page instructs the user to “fix” the crash by opening the Windows Run dialog and pressing Ctrl+V and Enter. This executes a malicious PowerShell command silently copied to the user’s clipboard.
- Staging (MSBuild): The PowerShell script searches for the legitimate msbuild.exe binary and uses it to execute a downloaded malicious project file (v.proj).
- Defense Evasion: The malware attempts to “blind” Windows Defender by adding the entire C:\ProgramData directory and common payload extensions (.exe, .ps1, .proj) to the Defender exclusion list, so anything later dropped under that path is never scanned.
- Final Payload: The loader (staxs.exe) injects DCRat into a legitimate system process (aspnet_compiler.exe) for remote access and potential secondary payload delivery.
Malware Capabilities
- Remote Access: DCRat provides full remote control, including process hollowing, keylogging, and screen streaming.
- Persistence: Establishes persistence by placing a .url file (disguised as “DeleteApp.url”) in the Windows Startup folder.
- Information Stealing: Gathers extensive victim data, including hardware IDs, usernames, OS details, and the title of the active window.
Recommendations
- Educate employees to recognize social engineering that uses fake browser crashes, CAPTCHAs, or Blue Screen of Death (BSOD) simulations.
- Explicitly warn users never to paste script code into the Windows Run dialog (Win + R) or PowerShell terminals when prompted by a website.
- Staff in the hospitality sector should be cautious of urgent financial demands from services like Booking[.]com and should verify such requests through official, out-of-band channels rather than clicking email links.
- Ensure Windows is configured to show file extensions so users can identify suspicious files (e.g., seeing a .url or .proj file instead of a standard document).
- Set alerts for any attempts to add broad directories (like %ProgramData%) or common script extensions (like .exe, .ps1, .proj, .tmp) to antivirus exclusion lists, as this is a primary evasion tactic used in this campaign.
- Monitor for MSBuild.exe executing project files from non-standard or user-writable directories like %ProgramData%.
- Alert on any instances where MSBuild.exe establishes external network connections.
- Regularly audit the Windows Startup folder for suspicious files, particularly .url files with deceptive names like “DeleteApp.url” that point to local executables using the file:// protocol.
- Be alert for outbound traffic on custom ports like 3535, which is used by the DCRat payload for C2 communication.
- Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/ec6586835e216bc786d01aeb89e6ad1c71741ebc3f9031a941c8ef019d5c03f0/iocs
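The detection recommendations above can be expressed as a small hunting script. The following is an added example written for this advisory, not code from Securonix or from the campaign's own tooling: it runs five rules (MSBuild loading a project from a user-writable directory, MSBuild spawned by a script host, Defender exclusion changes, MSBuild or port-3535 external connections, and a Startup-folder .url that points to a local executable) over a handful of constructed, Sysmon-shaped events. The event layout, the rule names, the sample paths and the sample IP address are all assumptions made for illustration.

```python
"""Hunt for the PHALT#BLYX TTPs over Sysmon-style telemetry (added example).
Events are constructed for illustration and only mimic the shape of Sysmon
Event ID 1 (process create), 3 (network connect) and 11 (file create)."""
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to (assumption: adjust per estate).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
DCRAT_PORT = 3535                      # C2 port named in the advisory
LOCAL_EXEC = (".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")

# Project-like argument with an absolute Windows path, e.g. C:\ProgramData\v.proj
PROJECT_ARG = re.compile(r'([a-z]:\\[^"\s]+\.(?:[a-z]*proj|xml|tmp|txt))', re.I)
EXCLUSION_CMD = re.compile(r"(?:add|set)-mppreference\b.*?-exclusion(?:path|extension|process)", re.I)
EXCLUSION_ARG = re.compile(r'-Exclusion(?:Path|Extension|Process)\s+([^\s"]+)', re.I)
URL_TARGET = re.compile(r"^\s*URL\s*=\s*file:///?([^\r\n]+)", re.I | re.M)
_PRIVATE = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

# Constructed sample telemetry (not captured from the real campaign).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"msbuild.exe C:\ProgramData\v.proj",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "Add-MpPreference -ExclusionPath C:\ProgramData -ExclusionExtension .exe,.ps1,.proj"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 3, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "dst_ip": "203.0.113.10", "dst_port": 3535},
    {"id": 11, "target": r"C:\Users\guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url",
     "content": "[InternetShortcut]\r\nURL=file:///C:/ProgramData/staxs.exe\r\n"},
    # Benign: a developer building a checked-out project from Visual Studio.
    {"id": 1, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"msbuild.exe C:\src\app\app.csproj",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_external(ip: str) -> bool:
    """True unless the address is RFC 1918 or loopback (own check, kept simple)."""
    return not _PRIVATE.match(ip)


def _process_rules(e):
    out, name, cmd = [], _name(e["image"]), e["cmdline"]
    if name == "msbuild.exe":
        for m in PROJECT_ARG.finditer(cmd):
            if m.group(1).lower().startswith(USER_WRITABLE):
                out.append(("msbuild_user_writable_project", m.group(1)))
        if _name(e["parent"]) in SCRIPT_HOSTS:
            out.append(("msbuild_spawned_by_script_host", _name(e["parent"])))
    if EXCLUSION_CMD.search(cmd):
        out.append(("defender_exclusion_added", ", ".join(EXCLUSION_ARG.findall(cmd))))
    return out


def _network_rules(e):
    out, name, dst = [], _name(e["image"]), f'{e["dst_ip"]}:{e["dst_port"]}'
    if not is_external(e["dst_ip"]):
        return out
    if name == "msbuild.exe":
        out.append(("msbuild_external_connection", dst))
    if e["dst_port"] == DCRAT_PORT:
        out.append(("dcrat_c2_port", f"{name} -> {dst}"))
    return out


def _file_rules(e):
    out, target = [], e["target"].lower()
    if STARTUP_DIR in target and target.endswith(".url"):
        m = URL_TARGET.search(e.get("content", ""))
        if m and m.group(1).lower().endswith(LOCAL_EXEC):
            out.append(("startup_url_to_local_executable", f'{e["target"]} -> {m.group(1)}'))
    return out


def hunt(events):
    """Return (rule, detail) findings in event order."""
    handlers = {1: _process_rules, 3: _network_rules, 11: _file_rules}
    return [f for e in events for f in handlers.get(e["id"], lambda _: [])(e)]


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule:36} {detail}")
```

The benign Visual Studio build at the end of the sample set produces no findings, which is the point of keying the MSBuild rule on the project's directory and parent rather than on MSBuild itself; in a real deployment the same rules map directly onto Sysmon or EDR process, network and file-write events.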
Source:
- https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/