Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat
Briefly

"'For initial access, the threat actors utilize a fake Booking.com reservation cancellation lure to trick victims into executing malicious PowerShell commands, which silently fetch and execute remote code,' researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said. The starting point of the attack chain is a phishing email impersonating Booking.com that contains a link to a fake website (e.g., 'low-house[.]com')."
"'Specifically, this entails a multi-step process that commences with the PowerShell dropper downloading an MSBuild project file ('v.proj') from '2fa-bns[.]com', which is then executed using 'MSBuild.exe' to run an embedded payload responsible for configuring Microsoft Defender Antivirus exclusions to evade detection, setting up persistence on the host in the Startup folder, and launching the RAT malware after downloading it from the same location as the MSBuild project.'"
PHALT#BLYX targets the European hospitality sector using ClickFix-style lures that present fake blue screen of death errors. The campaign begins with a phishing email impersonating Booking.com that directs victims to a fake site (e.g., low-house[.]com) serving a counterfeit CAPTCHA and a bogus BSoD page with instructions to paste a command into the Windows Run dialog. The pasted command launches a PowerShell dropper that downloads an MSBuild project (v.proj) from 2fa-bns[.]com and executes it via MSBuild.exe. The embedded payload configures Microsoft Defender exclusions, establishes persistence in the Startup folder, downloads and launches DCRat, and can disable Defender outright if run with administrator privileges. Activity was detected in late December 2025.
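The chain above leaves a distinctive trail in endpoint telemetry. The following detection pass, added here as an example and not taken from the researchers' report, runs three rules over constructed Sysmon-style events: MSBuild.exe spawned by PowerShell on a .proj in a user-writable path, a Defender exclusion being added (assuming the payload uses Add-MpPreference, which the summary does not state), and MSBuild writing into the Startup folder. Paths, file names and the benign developer build are all constructed.

```python
import re

# Constructed Sysmon-style events modelled on the PHALT#BLYX chain (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <command pasted into the Run dialog>"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\Users\staff\AppData\Local\Temp\v.proj"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\staff\AppData\Roaming"},
    {"type": "FileCreate", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "target": r"C:\Users\staff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\client.exe"},
    # Benign control: a developer build launched by a service, not by PowerShell.
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
PROJ_FILE = re.compile(r"\.proj\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so rules are independent of install location."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    if ev["type"] == "ProcessCreate":
        cmd = ev["cmd"]
        # Rule 1: MSBuild.exe launched by PowerShell on a .proj in a user-writable location.
        if (basename(ev["image"]) == "msbuild.exe" and basename(ev["parent"]) == "powershell.exe"
                and PROJ_FILE.search(cmd) and USER_WRITABLE.search(cmd)):
            hits.append("msbuild_proj_from_powershell")
        # Rule 2 (assumption): exclusions configured with Add-MpPreference -Exclusion*.
        if "add-mppreference" in cmd.lower() and "-exclusion" in cmd.lower():
            hits.append("defender_exclusion_added")
    elif ev["type"] == "FileCreate":
        # Rule 3: MSBuild.exe dropping a file into the per-user Startup folder.
        if basename(ev["image"]) == "msbuild.exe" and STARTUP_DIR.search(ev["target"]):
            hits.append("startup_folder_write_by_msbuild")
    return hits


def scan(events):
    """Evaluate every event; returns (event index, rule name) pairs in order."""
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate(ev)]
```

Rule 1 alone will also fire on an administrator building a hand-written .proj from a PowerShell prompt, so correlate it with rules 2 and 3 on the same host before escalating.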
Read at The Hacker News