PHALT#BLYX ClickFix phishing campaign targets European hospitality with DCRat
Campaign
Summary
Hide ▲
Show ▼
PHALT#BLYX is an active ClickFix-style phishing campaign that targets the European hospitality sector and uses Booking.com-themed reservation-cancellation lures to push victims into running malicious PowerShell. The operation matters because fake CAPTCHA pages and bogus BSoD recovery prompts are used to trigger code execution, enabling MSBuild.exe-based payload delivery, Defender tampering, and DCRat installation.
Related Happenings
Fake AI study guide AsyncRAT lure campaign targeting Windows users
Campaign
H score33
First: 11.06.2026 17:00
Last: 11.06.2026 17:00
Sources 1
About this happening:
A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...
Fake AI study guide AsyncRAT lure campaign targeting Windows users
CampaignAbout this happening: A **malware-luring campaign** now uses fake **AI study guides** and **developer resources** to target **Windows users** at organizations, increasing the risk of stealthy **AsyncRA...
KongTuke Microsoft Teams initial access campaign
Campaign
H score42
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
KongTuke Microsoft Teams initial access campaign
CampaignAbout this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Silver Fox South Asia phishing campaign
Campaign
H score34
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Silver Fox South Asia phishing campaign
CampaignAbout this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Microsoft Teams Quick Assist A0Backdoor phishing campaign
Campaign
H score32
First: 10.03.2026 00:50
Last: 10.03.2026 00:50
Sources 1
About this happening:
The **Microsoft Teams** phishing campaign is tricking employees at **financial and healthcare organizations** into starting **Quick Assist** remote sessions, creating an immediate...
Microsoft Teams Quick Assist A0Backdoor phishing campaign
CampaignAbout this happening: The **Microsoft Teams** phishing campaign is tricking employees at **financial and healthcare organizations** into starting **Quick Assist** remote sessions, creating an immediate...
A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware Activity
H score22
First: 10.03.2026 00:50
Last: 10.03.2026 00:50
Sources 1
About this happening:
The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...
A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware ActivityAbout this happening: The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...
Timeline
-
06.01.2026 14:13 2 articles · 6mo ago
PHALT#BLYX ClickFix phishing campaign targets European hospitality with DCRat
Initial DisclosureThe initial access phase starts with a phishing email impersonating **Booking.com** and warning recipients about an unexpected reservation cancellation. A fake website then presents a bogus **CAPTCHA** and **BSoD** recovery prompt that tries to get the victim to paste and execute a command in Windows Run.
Show sources
- Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat — thehackernews.com — 06.01.2026 14:13
- Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat — thehackernews.com — 06.01.2026 14:13