DCRat delivered through PowerShell and MSBuild in PHALT#BLYX
Malware Activity
Summary
Hide ▲
Show ▼
SHADOW#REACTOR is a multi-stage Windows malware campaign that uses obfuscated VBS, PowerShell, wscript.exe, MSBuild.exe, and in-memory loaders to stealthily deploy Remcos RAT. Researchers at Securonix Threat Research said the chain relies on text-based payload staging, repeated retrieval of encoded fragments from remote infrastructure, and abuse of trusted Windows tools to evade detection. The final payload gives operators remote control, file access, and command execution, and the activity appears to be an actively maintained modular framework. The researchers said there is insufficient evidence to link the campaign to a specific threat group or nation-state actor.
Related Happenings
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
REF8372 malicious Google Ads CastleStealer delivery campaign
Campaign
H score27
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...
REF8372 malicious Google Ads CastleStealer delivery campaign
CampaignAbout this happening: The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
Vulnerability
H score34
First: 15.06.2026 16:00
Last: 15.06.2026 16:00
Sources 1
About this happening:
**Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
VulnerabilityAbout this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Fake AI study guide AsyncRAT lure campaign targeting Windows users
Campaign
H score33
First: 11.06.2026 17:00
Last: 11.06.2026 17:00
Sources 1
About this happening:
A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...
Fake AI study guide AsyncRAT lure campaign targeting Windows users
CampaignAbout this happening: A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...
OP-512 Microsoft IIS espionage campaign
Campaign
H score52
First: 05.06.2026 15:33
Last: 05.06.2026 15:33
Sources 1
About this happening:
**OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
OP-512 Microsoft IIS espionage campaign
CampaignAbout this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
Timeline
-
06.01.2026 14:13 4 articles · 6mo ago
DCRat delivered through PowerShell and MSBuild in PHALT#BLYX
Initial DisclosureA **phishing lure impersonating Booking.com** pushed victims to a fake cancellation page that instructed them to run a command in the Windows Run dialog. That initial step kicked off the **PowerShell** chain that later loaded **DCRat** through **MSBuild.exe**.
Show sources
- Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat — thehackernews.com — 06.01.2026 14:13
- Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat — thehackernews.com — 06.01.2026 14:13
- Hospitality Sector Hit By PHALT#BLYX ClickFix Malware Campaign — www.infosecurity-magazine.com — 06.01.2026 18:15
- SHADOW#REACTOR Campaign Uses Text-Only Staging to Deploy Remcos RAT — www.infosecurity-magazine.com — 13.01.2026 18:00