Full Report
Source: Securonix

Cybersecurity researchers have disclosed details of a new campaign dubbed PHALT#BLYX that has leveraged ClickFix-style lures to display fixes for fake blue screen of death (BSoD) errors in attacks targeting the European hospitality sector. The end goal of the multi-stage campaign is to deliver a remote access trojan known as DCRat, according to cybersecurity company Securonix.
Analysis Summary
# Tool/Technique: DCRat (Dark Crystal RAT)
## Overview
DCRat (Dark Crystal RAT) is a remote access trojan utilized as the final payload in the PHALT#BLYX campaign. Its purpose is to provide covert remote control and system compromise capabilities to the threat actor after initial execution and privilege escalation.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (Implied by reliance on PowerShell, MSBuild.exe, and BSoD lures)
- Capabilities: Remote command execution, keystroke logging, system profiling, data exfiltration, cryptocurrency miner delivery (via plugins).
- First Seen: Details on DCRat's first appearance are not provided, but the PHALT#BLYX campaign was active in late December 2025.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
- TA0003 - Persistence
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information
  - T1562 - Impair Defenses
    - T1562.001 - Disable or Modify Tools (Disabling/Excluding Defender)
- TA0002 - Execution
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell
- TA0009 - Collection
  - T1056.001 - Input Capture: Keylogging
## Functionality
### Core Capabilities
- **Remote Access:** Connects to an external command and control (C2) server.
- **System Profiling:** Gathers information about the infected system.
- **Command Execution:** Allows remote actors to run arbitrary commands on the infected host.
- **Data Collection:** Capable of harvesting sensitive information, including keystrokes (via keylogging).
### Advanced Features
- **Plugin-based Architecture:** Can expand functionality through the loading of additional plugins.
- **Payload Delivery:** Used to deliver secondary payloads, such as a cryptocurrency miner.
- **Defense Evasion:** Actively attempts to configure Microsoft Defender Antivirus exclusions and can attempt to disable the security program entirely when running with administrator privileges.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: "v.proj" (MSBuild project file)
- Registry Keys: [Not provided in the text]; the reported persistence is established through the **Startup folder**.
- Network Indicators:
  - Initial lure link: low-house[.]com (defanged)
  - Initial download source for the MSBuild project file: 2fa-bns[.]com (defanged)
- Behavioral Indicators:
  - Execution of PowerShell commands by the user, prompted by a fake BSoD scenario.
  - Use of `MSBuild.exe` to execute the payload embedded in the downloaded project file.
  - Repeated UAC prompts (three times, two seconds apart) if the initial execution lacks administrative rights.
  - Modification of Microsoft Defender Antivirus exclusions.
  - Launching of the legitimate Booking.com admin page as a distraction.
## Associated Threat Actors
- Threat actors associated with Russian threat groups (inferred from the Russian language used within the "v.proj" MSBuild file).
## Detection Methods
- Signature-based detection: Signatures for the DCRat binary payload.
- Behavioral detection: Monitoring for the sequential execution chain: Phishing link click -> Fake BSoD prompt -> PowerShell execution -> Use of `MSBuild.exe` to execute a downloaded project file -> Configuration of Defender exclusions -> Persistence setup in Startup folder.
- YARA rules: [Not provided in the text]
## Mitigation Strategies
- Prevention measures: User training focusing on recognizing sophisticated social engineering lures (e.g., fake Booking.com cancellations).
- Hardening recommendations: Ensure endpoint security solutions (such as Microsoft Defender) are configured to monitor and block unusual execution of trusted binaries like `MSBuild.exe` against downloaded or otherwise suspicious files. Restrict execution environments where possible and adhere to the principle of least privilege, so that the repeated UAC prompts used by this campaign cannot be satisfied from an everyday user account.
## Related Tools/Techniques
- **ClickFix-style lures:** Used for the initial social engineering vector.
- **Living Off The Land (LotL) Techniques:** Specifically noted reliance on abusing `MSBuild.exe`.
***
# Tool/Technique: PHALT#BLYX Campaign
## Overview
PHALT#BLYX is a multi-stage cyber campaign detected in late December 2025, targeting the European hospitality sector. It uses complex social engineering involving fake BSoD pages to ultimately deploy the DCRat malware.
## Technical Details
- Type: Campaign / Attack Framework (Utilizing multiple techniques)
- Platform: Windows (Implied)
- Capabilities: Phishing delivery, multi-stage execution, defense evasion, persistent RAT deployment.
- First Seen: Late December 2025
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Implied link delivery)
- TA0002 - Execution
  - T1204 - User Execution (User interacts with BSoD instructions)
- TA0005 - Defense Evasion (Use of MSBuild and disabling Defender)
- TA0003 - Persistence (Startup folder configuration)
## Functionality
### Core Capabilities
- **Initial Access:** Utilizes phishing emails impersonating Booking.com to warn of fake reservation cancellations.
- **Execution Staging:** Redirects users to a fake website that displays a fake CAPTCHA and subsequently a fake BSoD page with malicious "recovery instructions."
- **Payload Delivery:** User follows instructions to execute malicious PowerShell code, which downloads and executes an MSBuild project file (`v.proj`) containing the final payload staging logic.
### Advanced Features
- **Distraction Mechanism:** Opens the legitimate Booking.com admin page in the browser to mask malicious activity and reassure the victim of legitimacy.
- **Aggressive Defender Tampering:** First configures Windows Defender Antivirus exclusions, then attempts to disable the protection service entirely.
- **Targeting Signature:** Use of room charge details in Euros suggests specific targeting of European organizations.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: "v.proj" (The malicious MSBuild project file)
- Registry Keys: [Not provided in the text]; persistence is implied to be configured via the Startup folder.
- Network Indicators:
  - Initial lure domain: low-house[.]com (defanged)
  - Download source for the MSBuild project file/payload: 2fa-bns[.]com (defanged)
- Behavioral Indicators: A chain of lures (fake CAPTCHA, then fake BSoD) that tricks the user into pasting and running a command in the Windows Run dialog box, leading to PowerShell execution.
## Associated Threat Actors
- Threat actors linked to Russian infrastructure (based on language presence in the build file).
## Detection Methods
- Behavioral detection: Monitoring for user interaction leading to Shell execution (PowerShell) following navigation from an external link, particularly when paired with access to trusted Windows tools like MSBuild.
- Network/Domain Monitoring: Blocking the known lure and download domains.
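The execution chain named in both sections' detection methods (PowerShell launching `MSBuild.exe` on a downloaded `.proj`, Defender exclusions being written, a file landing in the Startup folder), as an added Python example that is not Securonix's code: it runs one predicate per stage over constructed Sysmon-like event records (field names and sample paths are assumptions, not IoCs from the report) and returns the stages observed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str          # "process", "registry" or "file"
    image: str = ""    # created process image (process events)
    parent: str = ""   # parent process image (process events)
    cmdline: str = ""  # command line (process events)
    target: str = ""   # registry key or file path (registry/file events)

DEFENDER_EXCLUSIONS = "\\windows defender\\exclusions\\"  # matched case-insensitively
STARTUP_FOLDER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

def msbuild_spawned_by_powershell(e: Event) -> bool:
    # MSBuild.exe launched by PowerShell with a .proj argument: the LotL step that runs v.proj.
    return (e.kind == "process"
            and e.image.lower().endswith("\\msbuild.exe")
            and e.parent.lower().endswith("\\powershell.exe")
            and ".proj" in e.cmdline.lower())

def defender_exclusion_written(e: Event) -> bool:
    # Any write under the Defender Exclusions key (Paths, Processes, ...).
    return e.kind == "registry" and DEFENDER_EXCLUSIONS in e.target.lower()

def startup_folder_dropped(e: Event) -> bool:
    # File created in a Startup folder: the persistence the report describes.
    return e.kind == "file" and STARTUP_FOLDER in e.target.lower()

STAGES = [("msbuild_from_powershell", msbuild_spawned_by_powershell),
          ("defender_exclusion", defender_exclusion_written),
          ("startup_persistence", startup_folder_dropped)]

def detect_chain(events):
    """Return the distinct chain stages seen, in order of first appearance. MSBuild
    from PowerShell alone merits an alert; all three together match the full chain."""
    seen = []
    for e in events:
        for name, pred in STAGES:
            if name not in seen and pred(e):
                seen.append(name)
    return seen

SAMPLE = [  # constructed sample telemetry resembling the reported chain; paths are made up
    Event("process", image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"MSBuild.exe C:\Users\guest\AppData\Local\Temp\v.proj"),
    Event("registry", target=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\guest"),
    Event("file", target=r"C:\Users\guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk"),
]
```

Feed real process, registry and file events into `detect_chain` in timestamp order; an MSBuild launch from a developer IDE with no exclusion or Startup activity scores zero stages.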
## Mitigation Strategies
- Prevention measures: Enforce strict DMARC and SPF policies on email systems to mitigate spoofing of travel/booking platforms.
- Hardening recommendations: Implement application control to restrict the execution of MSBuild outside of expected system processes; enhance monitoring for Defender exclusions being set programmatically.
## Related Tools/Techniques
- **ClickFix:** Mentioned as a style utilized for the BSoD lure mechanism.
- **DCRat:** The final goal payload of the campaign.