Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware Infection

    Date: 01/07/2026

    Severity: Medium

    Summary

    PHALT#BLYX is a multi-stage malware campaign targeting the hospitality sector. It relies on ClickFix-style social engineering, fake CAPTCHAs, and fake BSOD pages delivered through Booking.com-themed phishing lures. Victims are tricked into executing malicious PowerShell commands, after which the attack abuses trusted tools such as MSBuild.exe to deploy a heavily obfuscated DCRat payload, enabling persistent remote access, keylogging, and secondary payload delivery. Indicators point to Russian-linked threat actors targeting European organizations.

    Indicators of Compromise (IOC) List

    URLs/Domains

    Oncameraworkout.com/ksbo

    low-house.com

    http://2fa-bns.com

    asj77.com

    asj88.com

    asj99.com

    wmk77.com

    8eh18dhq9wd.click

    IP Addresses

    194.169.163.140

    193.221.200.233

    13.223.25.84

    Hashes (SHA-256)

    cd3604fb9fe210261de11921ff1bea0a7bf948ad477d063e17863cede1fadc41

    13b25ae54f3a28f6d01be29bee045e1842b1ebb6fd8d6aca23783791a461d9dd

    9fac0304cfa56ca5232f61034a796d99b921ba8405166743a5d1b447a7389e4f

    9fc15d50a3df0ac7fb043e098b890d9201c3bb56a592f168a3a89e7581bc7a7d

    bf374d8e2a37ff28b4dc9338b45bbf396b8bf088449d05f00aba3c39c54a3731

    11c1cfce546980287e7d3440033191844b5e5e321052d685f4c9ee49937fa688

    07845fcc83f3b490b9f6b80cb8ebde0be46507395d6cbad8bc57857762f7213a

    08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198

    2f3d0c15f1c90c5e004377293eaac02d441eb18b59a944b2f2b6201bb36f0d63

    33f0672159bb8f89a809b1628a6cc7dddae7037a288785cff32d9a7b24e86f4b

    6bd31dfd36ce82e588f37a9ad233c022e0a87b132dc01b93ebbab05b57e5defd

    1f520651958ae1ec9ee788eefe49b9b143630c340dbecd5e9abf56080d2649de

    9c891e9dc6fece95b44bb64123f89ddeab7c5efc95bf071fb4457996050f10a0

    e68a69c93bf149778c4c05a3acb779999bc6d5bcd3d661bfd6656285f928c18e

    18c75d6f034a1ed389f22883a0007805c7e93af9e43852282aa0c6d5dafaa970

    91696f9b909c479be23440a9e4072dd8c11716f2ad3241607b542b202ab831ce

    Filenames

    %ProgramData%\v.proj

    %ProgramData%\staxs.exe

    C:\Windows\Temp\tybd7.exe

    %Startup%\DeleteApp.url

    %Startup%\update.lnk

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "asj77.com" or siteurl like "asj77.com" or url like "asj77.com" or domainname like "asj99.com" or siteurl like "asj99.com" or url like "asj99.com" or domainname like "low-house.com" or siteurl like "low-house.com" or url like "low-house.com" or domainname like "8eh18dhq9wd.click" or siteurl like "8eh18dhq9wd.click" or url like "8eh18dhq9wd.click" or domainname like "http://2fa-bns.com" or siteurl like "http://2fa-bns.com" or url like "http://2fa-bns.com" or domainname like "asj88.com" or siteurl like "asj88.com" or url like "asj88.com" or domainname like "wmk77.com" or siteurl like "wmk77.com" or url like "wmk77.com" or domainname like "Oncameraworkout.com/ksbo" or siteurl like "Oncameraworkout.com/ksbo" or url like "Oncameraworkout.com/ksbo"

    Detection Query 2:

    dstipaddress IN ("194.169.163.140","193.221.200.233","13.223.25.84") or srcipaddress IN ("194.169.163.140","193.221.200.233","13.223.25.84")

    Detection Query 3:

    sha256hash IN ("07845fcc83f3b490b9f6b80cb8ebde0be46507395d6cbad8bc57857762f7213a","cd3604fb9fe210261de11921ff1bea0a7bf948ad477d063e17863cede1fadc41","11c1cfce546980287e7d3440033191844b5e5e321052d685f4c9ee49937fa688","33f0672159bb8f89a809b1628a6cc7dddae7037a288785cff32d9a7b24e86f4b","9c891e9dc6fece95b44bb64123f89ddeab7c5efc95bf071fb4457996050f10a0","18c75d6f034a1ed389f22883a0007805c7e93af9e43852282aa0c6d5dafaa970","1f520651958ae1ec9ee788eefe49b9b143630c340dbecd5e9abf56080d2649de","13b25ae54f3a28f6d01be29bee045e1842b1ebb6fd8d6aca23783791a461d9dd","6bd31dfd36ce82e588f37a9ad233c022e0a87b132dc01b93ebbab05b57e5defd","bf374d8e2a37ff28b4dc9338b45bbf396b8bf088449d05f00aba3c39c54a3731","9fc15d50a3df0ac7fb043e098b890d9201c3bb56a592f168a3a89e7581bc7a7d","91696f9b909c479be23440a9e4072dd8c11716f2ad3241607b542b202ab831ce","9fac0304cfa56ca5232f61034a796d99b921ba8405166743a5d1b447a7389e4f","08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198","2f3d0c15f1c90c5e004377293eaac02d441eb18b59a944b2f2b6201bb36f0d63","e68a69c93bf149778c4c05a3acb779999bc6d5bcd3d661bfd6656285f928c18e")

    Detection Query 4:

    resourcename = "Windows Security" AND eventtype = "4663" AND objectname IN ("%ProgramData%\v.proj","%ProgramData%\staxs.exe","C:\Windows\Temp\tybd7.exe","%Startup%\DeleteApp.url","%Startup%\update.lnk")

    Detection Query 5:

    technologygroup = "EDR" AND objectname IN ("%ProgramData%\v.proj","%ProgramData%\staxs.exe","C:\Windows\Temp\tybd7.exe","%Startup%\DeleteApp.url","%Startup%\update.lnk")
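    The five queries above are written for Gurucul's TDIR and can only run inside it. The following Python is an added example, not Gurucul's or Securonix's code: it reproduces the matching logic of Detection Queries 1 to 5 over constructed sample events so the indicator sets can be exercised offline, and makes explicit two normalization steps the queries leave implicit. URL-like indicators (Oncameraworkout.com/ksbo, http://2fa-bns.com) are reduced to hostnames before comparison, and observed file paths are mapped back to the %ProgramData% and %Startup% token form used in the Filenames list, because Event ID 4663 and EDR telemetry record the resolved path rather than the environment-variable form. The default Windows folder locations, the event field names (taken from the queries), and the sample events are assumptions.

```python
"""Offline matcher for the PHALT#BLYX indicators above (added example, not vendor code)."""
import re
from urllib.parse import urlparse

# Indicators copied from the IoC list above; hostnames only, lower-cased.
IOC_DOMAINS = {
    "oncameraworkout.com", "low-house.com", "2fa-bns.com", "asj77.com",
    "asj88.com", "asj99.com", "wmk77.com", "8eh18dhq9wd.click",
}
IOC_IPS = {"194.169.163.140", "193.221.200.233", "13.223.25.84"}
IOC_SHA256 = {  # the 16 unique SHA-256 values from the Hashes list
    "cd3604fb9fe210261de11921ff1bea0a7bf948ad477d063e17863cede1fadc41",
    "13b25ae54f3a28f6d01be29bee045e1842b1ebb6fd8d6aca23783791a461d9dd",
    "9fac0304cfa56ca5232f61034a796d99b921ba8405166743a5d1b447a7389e4f",
    "9fc15d50a3df0ac7fb043e098b890d9201c3bb56a592f168a3a89e7581bc7a7d",
    "bf374d8e2a37ff28b4dc9338b45bbf396b8bf088449d05f00aba3c39c54a3731",
    "11c1cfce546980287e7d3440033191844b5e5e321052d685f4c9ee49937fa688",
    "07845fcc83f3b490b9f6b80cb8ebde0be46507395d6cbad8bc57857762f7213a",
    "08037de4a729634fa818ddf03ddd27c28c89f42158af5ede71cf0ae2d78fa198",
    "2f3d0c15f1c90c5e004377293eaac02d441eb18b59a944b2f2b6201bb36f0d63",
    "33f0672159bb8f89a809b1628a6cc7dddae7037a288785cff32d9a7b24e86f4b",
    "6bd31dfd36ce82e588f37a9ad233c022e0a87b132dc01b93ebbab05b57e5defd",
    "1f520651958ae1ec9ee788eefe49b9b143630c340dbecd5e9abf56080d2649de",
    "9c891e9dc6fece95b44bb64123f89ddeab7c5efc95bf071fb4457996050f10a0",
    "e68a69c93bf149778c4c05a3acb779999bc6d5bcd3d661bfd6656285f928c18e",
    "18c75d6f034a1ed389f22883a0007805c7e93af9e43852282aa0c6d5dafaa970",
    "91696f9b909c479be23440a9e4072dd8c11716f2ad3241607b542b202ab831ce",
}
IOC_FILES = {p.lower() for p in (  # NTFS is case-insensitive, so compare lower-cased
    r"%ProgramData%\v.proj", r"%ProgramData%\staxs.exe", r"C:\Windows\Temp\tybd7.exe",
    r"%Startup%\DeleteApp.url", r"%Startup%\update.lnk",
)}

# Assumption: default folder locations. 4663/EDR events carry the resolved path,
# so the observed path is mapped back to the %Var% form before the set lookup.
STARTUP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"^[a-z]:\\programdata\\", re.IGNORECASE)


def tokenize_path(path):
    """Replace a default ProgramData or per-user Startup prefix with its %Var% token."""
    if STARTUP_RE.match(path):
        return "%Startup%\\" + STARTUP_RE.sub("", path)
    if PROGRAMDATA_RE.match(path):
        return "%ProgramData%\\" + PROGRAMDATA_RE.sub("", path)
    return path


def host_of(value):
    """Lower-case hostname from a bare domain, a host/path string or a full URL."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # make urlparse treat the leading component as the netloc
    return urlparse(v).hostname or ""


def match_event(event):
    """Return [(query_no, field, indicator)] hits for one event dict."""
    hits = []
    for field in ("domainname", "siteurl", "url"):  # Detection Query 1 (plus subdomains)
        if field in event:
            h = host_of(event[field])
            hits += [(1, field, d) for d in IOC_DOMAINS if h == d or h.endswith("." + d)]
    for field in ("dstipaddress", "srcipaddress"):  # Detection Query 2
        if event.get(field) in IOC_IPS:
            hits.append((2, field, event[field]))
    digest = event.get("sha256hash", "").lower()  # Detection Query 3
    if digest in IOC_SHA256:
        hits.append((3, "sha256hash", digest))
    token = tokenize_path(event.get("objectname", "")).lower()
    if token in IOC_FILES:  # Detection Queries 4 and 5 share the filename list
        if event.get("resourcename") == "Windows Security" and event.get("eventtype") == "4663":
            hits.append((4, "objectname", token))
        if event.get("technologygroup") == "EDR":
            hits.append((5, "objectname", token))
    return hits


def scan(events):
    """Map event index -> hits for every event that matched at least one query."""
    return {i: h for i, h in ((i, match_event(e)) for i, e in enumerate(events)) if h}


# Constructed sample events, using the field names the queries above reference.
SAMPLE_EVENTS = [
    {"url": "https://www.asj77.com/captcha/verify"},
    {"siteurl": "http://2fa-bns.com/"},
    {"dstipaddress": "194.169.163.140", "srcipaddress": "10.0.0.5"},
    {"sha256hash": "CD3604FB9FE210261DE11921FF1BEA0A7BF948AD477D063E17863CEDE1FADC41"},
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": r"C:\ProgramData\v.proj"},
    {"technologygroup": "EDR", "objectname":
     r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"url": "https://example.com/", "dstipaddress": "192.0.2.10"},  # benign, no hit
]

if __name__ == "__main__":
    for i, hits in sorted(scan(SAMPLE_EVENTS).items()):
        for qno, field, indicator in hits:
            print(f"event {i}: Detection Query {qno} hit on {field}: {indicator}")
```

    The path mapping only covers the default ProgramData and per-user Startup locations; environments with redirected profiles or relocated ProgramData need an additional prefix rule, or the literal %ProgramData%/%Startup% tokens in the query will never match a recorded path.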

    Reference:

    https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/


    Tags

    Malware, Threat Actor, ClickFix, Social Engineering, Phishing, RAT, Keylogger, Russia, Europe, Healthcare and Public Health
