Inside the ClickFix Campaign Targeting Hospitality


Phishing is one of the oldest social engineering tricks in a threat actor’s playbook, a tried-and-true technique that continues to pay out as attacks and defenses advance over time. Rather than stagnating in the face of evolving technology and methods, phishing has matured from crude deception into immersive, multi-step experiences. More modern phishing attacks, like the PHALT#BLYX campaign tracked by threat researchers at Securonix, are designed to manipulate user behavior through several actions rather than exploit software bugs.

Why Hospitality Is in the Crosshairs

Hotels and other organizations in the hospitality industry make appealing targets to attackers for a range of reasons. These companies often have high turnover, hindering the ability to maintain a staff educated against phishing attacks. They deal with constant reservation activity and connectivity with third-party booking platforms like booking.com, creating a flurry of information that is difficult to sift through. The time-sensitive workflows in hospitality also reward speed over scrutiny, amplifying the risks of social engineering attacks.

Anatomy of the PHALT#BLYX Campaign

The campaign tracked by Securonix threat researchers is a complex attack with multiple steps. It begins with a phishing email claiming to be a booking.com reservation cancellation, threatening to charge upwards of €1,000 in order to create a sense of urgency. The email leads targets to a spoofed website designed to appear like booking.com, which contains a fake CAPTCHA that leads to a browser error and fake “Blue Screen of Death” (BSOD) page. These steps all have to occur to prime the victim for the coming ClickFix trap.

ClickFix: When the Victim Becomes the Exploit

ClickFix attacks work by deceiving users into executing malicious commands themselves on their own devices, rather than using tactics like exploits or hacking to carry out malicious activity. In the PHALT#BLYX campaign, the fake BSOD instructs users to press certain key combinations that quietly execute attacker-supplied PowerShell commands on the target device. Thinking that they are taking steps to fix an error that has occurred, victims of these attacks are actually executing the malicious code themselves.

Living Off the Land With MSBuild

The attackers in this campaign leverage MSBuild to compile and execute a malicious file titled “v.project.” This file, downloaded by the unsuspecting target’s PowerShell command, allows the attackers to blend in with legitimate system activity to avoid detection, while also disabling defenses and achieving persistence on the target device. This type of living-off-the-land attack enables threat actors to maintain a presence on target systems using legitimate native tools.

Defending against this sort of technique requires sophisticated security tools with behavioral analysis capabilities. Because the use of tools like PowerShell and MSBuild in itself cannot be entirely prohibited or automatically marked as malicious, it is crucial to establish a baseline of what normal system activity looks like in order to detect and discern when abnormal behavior is taking place.

DCRat’s Role in the Endgame

The attack’s final payload is a customized version of DCRat, a variant of the open-source AsyncRAT malware codebase. The malware is heavily obfuscated and can carry out a variety of malicious actions, including process hollowing, keylogging, persistent remote access, and dropping secondary payloads. Measures like privilege checks, UAC spam, and .NET execution enhance resilience and operational security, enabling ongoing persistence and effectiveness of these attacks.

Geographic Signals and Threat Actor Clues

While the threat actor behind this campaign is unconfirmed, there are clues that point toward certain types of attackers. The use of euro-denominated charges in the lure suggests the campaign is most likely aimed at EU-based victims. The DCRat variant of malware is also widely distributed in underground Russian forums, and the “v.project” MSBuild file contains Russian-language components, pointing to potential Russian ties to the campaign.

Why Traditional Defenses Struggle Here

Several features of the PHALT#BLYX campaign help it evade traditional defense mechanisms. The use of trusted tools, execution initiated by the user, and fileless techniques undermines signature-based detection as well as many conventional email and endpoint security controls.

The use of mobile vectors and ClickFix tactics helps to engineer an attack that is able to evade many traditional defenses. “A mobile-first attack strategy allows threat actors to bypass traditional perimeter, email, and network defenses by pushing users to interact directly with malicious content on their phones, where visibility and enforcement are often weaker,” says Kern Smith, Senior Vice President of Global Solutions Engineering at Zimperium. “By combining trusted brand lures, browser-based deception, and post-click execution, attackers can scale these campaigns globally with a higher success rate and lower risk of detection.”

What Security Teams Should Take Away

The PHALT#BLYX campaign presents lessons that defenders should pay attention to in order to protect against similar attacks in the future. It emphasizes the importance of user education that goes beyond telling employees not to click links to inform them of the evolving dangers of phishing and other social engineering attacks. Security experts should also see this campaign as a sign to implement tighter controls on scripting and build tools, monitoring for abnormal MSBuild usage, and behavioral detection over traditional static indicators.
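Monitoring for abnormal MSBuild usage, as both the living-off-the-land section and the takeaways above recommend, comes down to comparing MSBuild process-creation events against a baseline of expected build activity. The following is an added example written for this article (not code from Securonix or from the campaign itself): it triages constructed process-creation events and flags MSBuild launched by a script host, building a file with a non-standard project extension, running from a user-writable path, or appearing on a host or user outside an assumed build baseline. Host names, user names, file paths and the baseline sets are all constructed for illustration.

```python
import re

# Constructed sample process-creation events, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"host": "build01", "user": "CI\\buildsvc",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    {"host": "frontdesk07", "user": "HOTEL\\reception",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\reception\AppData\Local\Temp\v.project"},
    {"host": "frontdesk07", "user": "HOTEL\\reception",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Assumed baseline (constructed): the only hosts/users expected to run MSBuild at all.
BASELINE_BUILD_HOSTS = {"build01"}
BASELINE_BUILD_USERS = {"CI\\buildsvc"}
# Extensions MSBuild normally builds; anything else (e.g. ".project") is unusual.
BUILD_EXTENSIONS = (".sln", ".csproj", ".vbproj", ".proj", ".targets")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\|\\ProgramData\\", re.I)


def score_event(ev):
    """Return the list of reasons an event looks like MSBuild living-off-the-land abuse."""
    reasons = []
    if not ev["image"].lower().endswith("\\msbuild.exe"):
        return reasons  # only MSBuild launches are in scope
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    if parent in SCRIPT_HOSTS:
        reasons.append(f"msbuild spawned by script host {parent}")
    # Tokenise the command line, keeping quoted paths intact, then drop switches.
    args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', ev["cmdline"])[1:]]
    for project in (a for a in args if not a.startswith(("/", "-"))):
        if not project.lower().endswith(BUILD_EXTENSIONS):
            reasons.append(f"non-standard project extension: {project}")
        if USER_WRITABLE.search(project):
            reasons.append(f"project in user-writable path: {project}")
    if ev["host"] not in BASELINE_BUILD_HOSTS and ev["user"] not in BASELINE_BUILD_USERS:
        reasons.append("msbuild outside the build baseline")
    return reasons


def triage(events):
    """Return {(host, user, cmdline): reasons} for every event that hit at least one rule."""
    findings = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings[(ev["host"], ev["user"], ev["cmdline"])] = reasons
    return findings
```

Each rule is weak on its own (developers do run MSBuild from a shell), which is why the function returns all matching reasons so an analyst can weight a front-desk workstation hitting four rules very differently from a build server hitting one.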

The Bigger Picture: Phishing as Theater

This campaign points to larger trends in the threat landscape that are likely to remain relevant moving forward. PHALT#BLYX is not an isolated incident, but one part of a broader evolution of attacks. More and more threat actors are staging convincing “performances” that exploit human reflexes, not just technical weaknesses. These complex, multi-step attacks highlight the need for advanced security, behavioral analysis, and ongoing user education.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.