Campaigns
Inside the PHALT#BLYX Campaign: How Fake BSODs and Trusted Build Tools Enable Malware Deployment

Inside the PHALT#BLYX Campaign: How Fake BSODs and Trusted Build Tools Enable Malware Deployment

ClickFixFakeBSoDFakeCAPTCHABookingPhish
Securonix researchers have identified a covert campaign targeting the hospitality sector that utilizes "click-fix" social engineering, fake CAPTCHAs, and simulated BSoD screens to manipulate users into executing malicious code. The attack exploits the trusted MSBuild.exe tool to evade security defenses and installs the Russian-linked DCRat, facilitating full remote access and the delivery of additional payloads.

Indicators of Compromise

low-house.com
2fa-bns.com
oncameraworkout.com
asj88.com
asj77.com
8eh18dhq9wd.click
wmk77.com
asj99.com

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1055 - Process Injection


ID

Name

Analytic ID

Analytic Description

DET0508

Behavioral Detection of Process Injection Across Platforms

AN1399

Detects process injection by correlating memory manipulation API calls (e.g., VirtualAllocEx, WriteProcessMemory), suspicious thread creation (e.g., CreateRemoteThread), and unusual DLL loads within another process's context.

AN1400

Detects ptrace- or memfd-based process injection through audit logs capturing system calls (e.g., ptrace, mmap) targeting running processes along with suspicious file descriptors or memory writes.

AN1401

Detects memory-based injection by monitoring task_for_pid, mach_vm_write, and dylib injection patterns through DYLD_INSERT_LIBRARIES or manual memory mapping.



T1059 - Command and Scripting Interpreter


ID

Name

Analytic ID

Analytic Description

DET0516

Behavioral Detection of Command and Scripting Interpreter Abuse

AN1428

Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often followed by encoded/obfuscated arguments or secondary execution events.

AN1429

Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities like netcat, curl, or ssh.

AN1430

Detects launch of command-line interpreters via Terminal, Automator, or hidden osascript, especially when parent process lineage deviates from user-initiated applications.

AN1431

Detects use of 'esxcli system' or direct interpreter commands (e.g., busybox shell) invoked from SSH or host terminal unexpectedly.

AN1432

Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via enable mode or scripting-capable sessions used by uncommon accounts or from unknown IPs.


T1095 - Non-Application Layer Protocol


ID

Name

Analytic ID

Analytic Description

DET0457

Detection of Non-Application Layer Protocols for C2

AN1254

Anomalous use of ICMP or UDP by non-network service processes for data exfiltration or remote control, especially if traffic bypasses proxy infrastructure or shows unusual flow patterns.

AN1255

ICMP or raw socket traffic generated by user-mode processes like bash, Python, or nc, typically using ping, hping3, or crafted packets via libpcap or scapy.

AN1256

Unsigned binaries or interpreted scripts initiating non-standard protocols (ICMP, UDP, SOCKS) outside of baseline network behavior.

AN1257

VMCI (Virtual Machine Communication Interface) traffic between guest and host, or between VMs, originating from non-management tools or unauthorized binaries.

AN1258

Non-standard port/protocol pairings or low-entropy ICMP traffic resembling tunneling patterns (e.g., fixed-size pings with delays).


T1127 - Trusted Developer Utilities Proxy Execution


ID

Name

Analytic ID

Analytic Description

DET0172

Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows)

AN0488

A trusted/signed developer utility (parent) is executed in a non-developer context and (a) spawns suspicious children (e.g., powershell.exe, cmd.exe, rundll32.exe, regsvr32.exe, wscript.exe), (b) loads unsigned/user-writable DLLs, (c) writes and then runs a new PE from user-writable paths, and/or (d) immediately makes outbound network connections.


T1204 - User Execution


ID

Name

Analytic ID

Analytic Description

DET0478

User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress)

AN1314

Cause→effect chain: (1) User-facing app (Office/PDF/archiver/browser) records an open/click or abnormal event, then (2) a downloaded file is created in a user-writable path and/or decompressed, (3) the parent user app spawns a living-off-the-land binary (e.g., powershell/cmd/mshta/rundll32/msiexec/wscript/expand/zip) or installer, and (4) immediate outbound HTTP(S)/DNS/SMB from the same lineage.

AN1315

Cause→effect chain: (1) User app/browser/archiver logs an open/click or abnormal exit, (2) new executable/script/archive extracted into $HOME/Downloads, /tmp, or ~/.cache, (3) parent app spawns shell/interpreter (bash/sh/python/node/curl/wget) or desktop file, and (4) new outbound connection(s) from the child lineage.

AN1316

Cause→effect chain: (1) unified logs show application open/click or crash for Safari/Chrome/Office/Preview/archiver, (2) file write/extraction into ~/Downloads, /private/var/folders/* or ~/Library, (3) parent app spawns osascript/bash/zsh/curl/python or opens a quarantined app with Gatekeeper prompts, (4) network egress from child.

AN1317

Cause→effect chain in CI/dev desktops: (1) user triggers container run/pull after opening a doc/link/script, (2) newly created image/container uses unexpected external registry or entrypoint, (3) container starts and immediately egresses to suspicious destinations.

AN1318

Cause→effect chain in cloud consoles: (1) user clicks link then invokes instance/image creation via API, (2) instance/image originates from external AMI or unknown image, (3) instance immediately egresses or retrieves payloads.


T1547 - Boot or Logon Autostart Execution


ID

Name

Analytic ID

Analytic Description

DET0274

Boot or Logon Autostart Execution Detection Strategy

AN0764

Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup

AN0765

Correlates creation/modification of systemd service files or /etc/init.d scripts with outlier process behavior during boot

AN0766

Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon


T1562 - Impair Defenses


ID

Name

Analytic ID

Analytic Description

DET0317

Detection Strategy for Impair Defenses Across Platforms

AN0886

Unusual service stop events, termination of AV/EDR processes, registry modifications disabling security tools, and firewall/defender configuration changes. Correlate process creation with service stop requests and registry edits.

AN0887

Execution of commands that stop or kill processes associated with logging or security daemons (auditd, syslog, falco). Detect modifications to iptables or disabling SELinux/AppArmor enforcement. Correlate sudo/root context with abrupt service halts.

AN0888

Execution of commands or APIs that disable Gatekeeper, XProtect, or system integrity protections. Detect configuration changes through unified logs. Monitor termination of system security daemons (e.g., syspolicyd).

AN0889

Modification of container runtime security profiles (AppArmor, seccomp) or removal of monitoring agents within containers. Detect unauthorized mounting/unmounting of host /proc or /sys to disable logging or auditing.

AN0890

Unusual ESXi shell commands disabling syslog forwarding or stopping hostd/vpxa daemons. Detect modifications to firewall rules on ESXi host or disabling of lockdown mode.

AN0891

Cloud control plane actions disabling security services (CloudTrail logging, GuardDuty, Security Hub). Detect IAM role abuse correlating with service disable events.

AN0892

Changes to security configurations such as disabling MFA requirements, reducing session token lifetimes, or turning off risk-based policies. Correlate admin logins with sudden policy downgrades.

AN0893

Execution of commands disabling AAA, logging, or security features on routers/switches. Detect privilege escalation followed by config changes that disable defense mechanisms.

AN0894

Disabling of security macros or safe mode settings within Word/Excel/Outlook. Detect registry edits or configuration file changes that weaken macro enforcement.


T1566 - Phishing


ID

Name

Analytic ID

Analytic Description

DET0070

Detection Strategy for Phishing across platforms.

AN0188

Unusual inbound email activity where attachments or embedded URLs are delivered to users followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received.

AN0189

Monitor for malicious payload delivery through phishing where attachments or URLs in email clients (e.g., Thunderbird, mutt) result in unusual file creation or outbound network connections. Focus on correlation between mail logs, file writes, and execution activity.

AN0190

Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLogs events with subsequent process execution.

AN0191

Phishing via Office documents containing embedded macros or links that spawn processes. Detection relies on correlating Office application logs with suspicious child process execution and outbound network connections.

AN0192

Phishing attempts targeting IdPs often manifest as anomalous login attempts from suspicious email invitations or fake SSO prompts. Detection correlates login flows, MFA bypass attempts, and anomalous geographic patterns following phishing email delivery.

AN0193

Phishing delivered via SaaS services (chat, collaboration platforms) where messages contain malicious URLs or attachments. Detect anomalous link clicks, suspicious file uploads, or token misuse after SaaS-based phishing attempts.


T1036 - Masquerading

ID

Name

Analytic ID

Analytic Description

DET0127

Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy

AN0355

Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage.

AN0356

Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop.

AN0357

Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.

AN0358

Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs.

AN0359

Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.


T1119 - Automated Collection

ID

Name

Analytic ID

Analytic Description

DET0186

Automated File and API Collection Detection Across Platforms

AN0531

Automated execution of native utilities and scripts to discover, enumerate, and exfiltrate files and clipboard content. Focus is on detecting repeated file access, scripting engine use, and use of command-line utilities commonly leveraged by collection scripts.

AN0532

Repeated or automated access to user document directories or clipboard using shell scripts or utilities like xclip/pbpaste. Detectable via auditd syscall logs or osquery file events.

AN0533

Use of pbpaste, AppleScript, or third-party automation frameworks (e.g., Automator) to collect clipboard or file content in bursts. Observable via unified logs.

AN0534

Suspicious sign-ins to Graph API or sensitive resources using non-browser scripting agents (e.g., Python, PowerShell), often for programmatic access to mailbox or OneDrive content.


T1134 - Access Token Manipulation


ID

Name

Analytic ID

Analytic Description

DET0283

Behavior-chain detection for T1134 Access Token Manipulation on Windows

AN0786

Detection of suspicious token manipulation chains: use of token-related APIs (e.g., LogonUser, DuplicateTokenEx) or commands (runas) → spawning of a new process under a different security context (e.g., SYSTEM) → mismatched parent-child process lineage or anomalies in Event Tracing for Windows (ETW) token/PPID data → abnormal lateral or privilege escalation activity.


T1056 - Input Capture


ID

Name

Analytic ID

Analytic Description

DET0102

Behavioral Detection of Input Capture Across Platforms

AN0282

Monitors for abnormal process behavior and API calls like SetWindowsHookEx, GetAsyncKeyState, or device input polling commonly used for keystroke logging.

AN0283

Detects use of tools/scripts accessing input devices like /dev/input/* or evdev via suspicious processes lacking GUI context.

AN0284

Monitors for TCC-bypassing or unauthorized access to input services like IOHIDSystem or Quartz Event Services used in keylogging or screen monitoring.

AN0285

Detects web-based credential phishing by analyzing traffic to suspicious URLs that mimic login portals and POST credential content.


T1113 - Screen Capture


ID

Name

Analytic ID

Analytic Description

DET0346

Detect Screen Capture via Commands and API Calls

AN0980

Unusual use of screen capture APIs (e.g., CopyFromScreen) or command-line tools to write image files to disk.

AN0981

Invocation of built-in commands like screencapture or use of undocumented APIs from suspicious parent processes.

AN0982

Use of tools like xwd or import to generate screenshots, especially under non-GUI parent processes.


T1115 - Clipboard Data


ID

Name

Analytic ID

Analytic Description

DET0341

Clipboard Data Access with Anomalous Context

AN0965

Detection of clipboard access via OS utilities (e.g., clip.exe, Get-Clipboard) by non-interactive or abnormal parent processes, potentially chained with staging or exfiltration commands.

AN0966

Detection of pbpaste/pbcopy clipboard access by processes without terminal sessions or linked to launch agents, potentially staged for collection.

AN0967

Detection of xclip or xsel access to clipboard buffers outside of user terminal context, especially when chained to staging (gzip, base64) or network exfiltration (curl, scp).


T1027 - Obfuscated Files or Information


ID

Name

Analytic ID

Analytic Description

DET0378

Behavioral Detection of Obfuscated Files or Information

AN1064

Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation.

AN1065

Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration.

AN1066

Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes.

AN1067

Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams.

AN1068

Detects encoded PowerCLI or Base64-encoded payloads staged via datastore uploads or shell access (e.g., ESXi Shell or backdoored VIBs).


T1548 - Abuse Elevation Control Mechanism


ID

Name

Analytic ID

Analytic Description

DET0345

Detection Strategy for Abuse Elevation Control Mechanism (T1548)

AN0975

Correlate registry modifications (e.g., UAC bypass registry keys), unusual parent-child process relationships (e.g., control.exe spawning cmd.exe), and unsigned elevated process executions with non-standard tokens or elevation flags.

AN0976

Monitor audit logs for setuid/setgid bit changes, executions where UID ≠ EUID (indicative of sudo or privilege escalation), and high-integrity binaries launched by unprivileged users.

AN0977

Detect execution of /usr/libexec/security_authtrampoline or use of AuthorizationExecuteWithPrivileges API, and monitor process lineage for unusual launches of GUI apps with escalated privileges.

AN0978

Monitor for unexpected privilege elevation operations via SAML assertion manipulation, role injection, or changes to identity mappings that result in access escalation.

AN0979

Detect sudden privilege escalations such as IAM role changes, user-assigned privilege boundaries, or elevation via assumed roles beyond normal behavior.


T1560 - Archive Collected Data


ID

Name

Analytic ID

Analytic Description

DET0526

Detect Archiving and Encryption of Collected Data (T1560)

AN1458

Detects adversarial archiving of files prior to exfiltration by correlating execution of compression/encryption utilities (e.g., makecab.exe, rar.exe, 7z.exe, powershell Compress-Archive) with subsequent creation of large compressed or encrypted files. Identifies abnormal process lineage involving crypt32.dll usage, command-line arguments invoking compression switches, and file write operations to temporary or staging directories.

AN1459

Detects adversarial archiving activity through invocation of utilities like tar, gzip, bzip2, or openssl used in non-administrative or unusual contexts. Correlates command execution patterns with file creation of compressed/encrypted outputs in staging directories (e.g., /tmp, /var/tmp).

AN1460

Detects use of macOS-native archiving or encryption tools (zip, ditto, hdiutil) for staging collected data. Identifies unexpected invocation of archive utilities by Office apps, browsers, or background daemons. Correlates file creation of .zip/.dmg containers with process lineage anomalies.

Observed Countries8

DE (715)
ES (475)
FR (328)
GB (34)
GR (109)
IT (838)
NL (338)
PT (525)