Probing the DNS Depths of PHALT#BLYX

Keypoints

  • PHALT#BLYX targeted primarily the European hospitality sector using phishing emails that redirected victims to fake booking[.]com CAPTCHA pages.
  • Social-engineering tricks (fake CAPTCHAs and fake BSOD pages) were used to convince users to execute or download a payload that silently dropped DCRat.
  • Initial Securonix reporting listed 11 IoCs (1 URL, 7 domains, 3 IPs); further analysis extracted one additional domain for a total of 12 IoCs (1 URL, 8 domains, 3 IPs).
  • Analysis showed three domains identified as IoCs were flagged as malicious 28–177 days before the report, and historical DNS/WHOIS data suggested some domains were reregistered for campaign use.
  • Network telemetry revealed 7,099 unique potential victim IPs communicated with two IoC IPs, and two IoC IPs recorded 1,015 historical IP-to-domain resolutions.
  • WHOIS-history and Reverse WHOIS queries produced 21,638 email-connected domains (four already weaponized) and linked multiple public emails to historical registrations used by the campaign.

MITRE Techniques

  • [T1566.002] Phishing: Link – Attackers sent phishing emails that led victims to a fake booking[.]com CAPTCHA page to lure clicks and downloads (‘sending phishing emails to mostly European users’).
  • [T1204] User Execution – Social-engineering tactics induced users to execute or accept content that resulted in payload delivery (‘trick users into downloading DCRat’ and ‘Those who fell for the ruse then saw a fake BSOD page while DCRat was silently dropped onto their systems.’).
  • [T1105] Ingress Tool Transfer – The malicious payload (DCRat) was transferred to victim hosts from attacker-controlled infrastructure (‘DCRat was silently dropped onto their systems’).
  • [T1219] Remote Access Tools – The deployed DCRat gave attackers full remote access to infected systems for control and secondary payload deployment (‘take full remote access to infected systems and drop secondary payloads’).

Indicators of Compromise

  • [URL] distribution/impersonation – 2fa-bns (site name from the identified IoC URL; associated with malware distribution since 17 December 2025)
  • [Domain] campaign infrastructure and typosquats – asj88[.]com, asj99[.]com, and 6 more domains (8 domains analyzed in total; historical resolutions and registrar data suggest reregistration and typosquatting activity)
  • [IP address] infrastructure IPs – 194[.]169[.]163[.]140 and two other IoC IPs (3 IoC IPs in total; two recorded 1,015 historical IP-to-domain resolutions)
  • [Email-connected domains] domains linked via historical WHOIS emails – cp57[.]top (weaponized 9 March 2023–14 January 2026) and 21,637 additional email-connected domains discovered after filtering
  • [Victim IP addresses] potential victims communicating with IoCs – 7,099 unique potential victim IPs observed communicating with two IoC IPs (examples not enumerated in the report)

Read more: https://circleid.com/posts/probing-the-dns-depths-of-phaltblyx