DCRat delivered through PowerShell and MSBuild in PHALT#BLYX
Malware Activity
Summary
SHADOW#REACTOR is a multi-stage Windows malware campaign that uses obfuscated VBS, PowerShell, wscript.exe, MSBuild.exe, and in-memory loaders to stealthily deploy Remcos RAT. Researchers at Securonix Threat Research said the chain relies on text-based payload staging, repeated retrieval of encoded fragments from remote infrastructure, and abuse of trusted Windows tools to evade detection. The final payload gives operators remote control, file access, and command execution, and the activity appears to be an actively maintained modular framework. The researchers said there is insufficient evidence to link the campaign to a specific threat group or nation-state actor.
Related Happenings
Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation
Malware Activity
First: 26.05.2026 08:19
Last: 26.05.2026 08:19
Sources: 1
About this happening:
The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources: 1
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources: 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
External Microsoft Teams helpdesk-impersonation campaign
Campaign
First: 20.04.2026 18:11
Last: 20.04.2026 18:11
Sources: 1
About this happening:
A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...
Storm-1175 high-tempo Medusa ransomware campaign
Campaign
First: 07.04.2026 13:02
Last: 07.04.2026 13:02
Sources: 1
About this happening:
**Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...
Timeline
06.01.2026 14:13 4 articles · 4mo ago
DCRat delivered through PowerShell and MSBuild in PHALT#BLYX
Initial Disclosure
A **phishing lure impersonating Booking.com** pushed victims to a fake cancellation page that instructed them to run a command in the Windows Run dialog. That initial step kicked off the **PowerShell** chain that later loaded **DCRat** through **MSBuild.exe**.
Sources
- Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat — thehackernews.com — 06.01.2026 14:13
- Hospitality Sector Hit By PHALT#BLYX ClickFix Malware Campaign — www.infosecurity-magazine.com — 06.01.2026 18:15
- SHADOW#REACTOR Campaign Uses Text-Only Staging to Deploy Remcos RAT — www.infosecurity-magazine.com — 13.01.2026 18:00