Find notable cyber news and cases, enriched with sources, timelines, and signals.

DCRat delivered through PowerShell and MSBuild in PHALT#BLYX

Malware Activity
First reported
Last updated
Happening score
H score 23
2 unique sources, 3 articles

Summary

Hide ▲

SHADOW#REACTOR is a multi-stage Windows malware campaign that uses obfuscated VBS, PowerShell, wscript.exe, MSBuild.exe, and in-memory loaders to stealthily deploy Remcos RAT. Researchers at Securonix Threat Research said the chain relies on text-based payload staging, repeated retrieval of encoded fragments from remote infrastructure, and abuse of trusted Windows tools to evade detection. The final payload gives operators remote control, file access, and command execution, and the activity appears to be an actively maintained modular framework. The researchers said there is insufficient evidence to link the campaign to a specific threat group or nation-state actor.

Related Happenings

KongTuke ClickFix and Teams access-seeking campaign

Campaign
H score33 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...

REF8372 malicious Google Ads CastleStealer delivery campaign

Campaign
H score27 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...

Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)

Vulnerability
H score34 First: 15.06.2026 16:00 Last: 15.06.2026 16:00 Sources 1

About this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...

Fake AI study guide AsyncRAT lure campaign targeting Windows users

Campaign
H score33 First: 11.06.2026 17:00 Last: 11.06.2026 17:00 Sources 1

About this happening: A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...

OP-512 Microsoft IIS espionage campaign

Campaign
H score52 First: 05.06.2026 15:33 Last: 05.06.2026 15:33 Sources 1

About this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...

Timeline

  1. 06.01.2026 14:13 4 articles · 6mo ago

    DCRat delivered through PowerShell and MSBuild in PHALT#BLYX

    Initial Disclosure

    A **phishing lure impersonating Booking.com** pushed victims to a fake cancellation page that instructed them to run a command in the Windows Run dialog. That initial step kicked off the **PowerShell** chain that later loaded **DCRat** through **MSBuild.exe**.

    Show sources