
#CyberWeekly

Jan 5 - Jan 11, 2026

ClickFix phishing targets European hotels via fake Booking.com emails

A hotel front desk becomes ground zero — one fake booking email is all it takes

Late December: A phishing campaign dubbed PHALT#BLYX hit the European hospitality sector with fake Booking.com reservation cancellations. Securonix researchers tracked the multi-stage operation, which deploys the DCRat remote access trojan through an unusually creative infection chain.

Here's how it works:

  • Phishing email — arrives as a Booking.com cancellation notice with charges exceeding €1,000, creating urgency
  • Fake website — victim clicks through to a convincing Booking.com clone
  • Fake CAPTCHA → Fake Blue Screen — the site shows a CAPTCHA that leads to a simulated Windows "Blue Screen of Death"
  • ClickFix trick — victim is told to "fix" the error by pasting a command into the Windows Run dialog
  • PowerShell → MSBuild.exe — the pasted script downloads a project file that uses Microsoft's trusted MSBuild tool to bypass defenses
  • DCRat deploys — a Russian-linked remote access trojan that steals passwords, clipboard data, and drops secondary payloads

What makes this campaign dangerous: it abuses legitimate Windows tools to slip past antivirus. The malware disables Windows Defender, adds exclusions for common file types, and uses Internet Shortcut files for persistence — a technique less monitored than registry changes.

For Belgian hospitality businesses: this is not hypothetical. Prices in the phishing emails are shown in euros. Cyrillic debug strings point to Russian-speaking actors specifically targeting European hotels. Train your front desk and reservations staff: never paste code into the Windows Run dialog. If a "Booking.com" email asks you to fix a computer error, it's an attack. Verify through official channels. And review your incident response plan — attacks like this exploit trust, not technical vulnerabilities.
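The infection chain above leaves a recognisable trail in endpoint telemetry: a script host started from the Run dialog with "hidden" or download arguments, MSBuild.exe spawned by PowerShell, Defender exclusions being added from a command line, and a .url file dropped into a Startup folder. The script below is an added example written for this newsletter, not code from Securonix or from the campaign; it runs four such rules over a handful of constructed sample events whose field names are modelled on Sysmon process-creation and file-creation records. The assumption that a Run-dialog command shows up with explorer.exe as its parent is a heuristic, and developer workstations that legitimately call MSBuild from a shell will need an allow-list.

```python
import re

# Constructed sample telemetry (field names modelled on Sysmon IDs 1 and 11).
# None of these records are from the real campaign; they only illustrate the shape.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -NoProfile -Command "CONSTRUCTED_PLACEHOLDER"'},
    {"type": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\update.proj"},
    {"type": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionExtension .exe"'},
    {"type": "FileCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.url"},
    # Benign activity that must not fire: Word opened from the desktop, plain PowerShell console.
    {"type": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" C:\Users\frontdesk\Documents\rooms.docx'},
    {"type": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Arguments typical of a pasted one-liner: hidden window, encoded command, download cradle.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-e\s|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b)",
    re.I)
DEFENDER_TAMPER = re.compile(r"(add|set)-mppreference.*?(exclusion|disable)", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare file names only."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_clickfix_run_dialog(ev: dict) -> bool:
    # Heuristic (assumption): a command pasted into Win+R is spawned by explorer.exe.
    return (ev.get("type") == "ProcessCreate"
            and basename(ev.get("ParentImage", "")) == "explorer.exe"
            and basename(ev.get("Image", "")) in SCRIPT_HOSTS
            and SUSPICIOUS_ARGS.search(ev.get("CommandLine", "")) is not None)


def rule_msbuild_proxy_execution(ev: dict) -> bool:
    # MSBuild started by a script host: the trusted-tool proxy step of the chain.
    return (ev.get("type") == "ProcessCreate"
            and basename(ev.get("Image", "")) == "msbuild.exe"
            and basename(ev.get("ParentImage", "")) in SHELLS)


def rule_defender_tampering(ev: dict) -> bool:
    # Exclusions or disabled protection set from a command line rather than policy.
    return ev.get("type") == "ProcessCreate" and DEFENDER_TAMPER.search(ev.get("CommandLine", "")) is not None


def rule_startup_url_persistence(ev: dict) -> bool:
    # Internet Shortcut dropped into a Startup folder: persistence without registry changes.
    target = ev.get("TargetFilename", "").lower()
    return ev.get("type") == "FileCreate" and target.endswith(".url") and STARTUP_DIR in target


RULES = [
    ("clickfix_run_dialog", rule_clickfix_run_dialog),
    ("msbuild_proxy_execution", rule_msbuild_proxy_execution),
    ("defender_tampering", rule_defender_tampering),
    ("startup_url_persistence", rule_startup_url_persistence),
]


def analyse(events: list) -> list:
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                findings.append({"index": i, "rule": name, "image": basename(ev.get("Image", ""))})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['rule']} ({f['image']})")
```

Each rule on its own is noisy in some environments; the point of running all four is that two or more firing on the same host within minutes is the ClickFix-to-MSBuild-to-persistence sequence the report describes, which is a far stronger signal than any one alert.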

Full campaign analysis →

Platform Spotlight: CyFun Basic goes live

Compliance doesn't have to be stressful — start with 34 controls and a checklist

This was our biggest platform update yet. CyFun Basic — 34 CyberFundamentals controls — is now live on Easy Cyber Protection.

  • 34 Basic controls — the complete CyberFundamentals Basic tier, each mapped to real actions you can take. No more spreadsheets or PDF checklists.
  • Progressive onboarding — a step-by-step wizard guides you through your first controls. Pick your tier, set your context, and start checking things off.
  • Checklist-based compliance — each control is a clear yes/no question. Are you doing this? Check it off. Not yet? You know what to focus on next.
  • Pricing & upgrade system — transparent pricing with a clear upgrade path. Start free, upgrade when you're ready for more controls.
  • Upgrade modal — smooth in-app flow to move from Basic to higher tiers as your security matures.

This is the foundation of everything we're building. The CyberFundamentals framework gives Belgian SMEs a structured, achievable path to compliance — and now it lives in a tool you can actually use, not a document you'll never read.

Try CyFun Basic free →

Ledger customers hit by third-party Global-e breach

Hardware stays secure, but the supply chain keeps breaking

January 5: Hardware wallet maker Ledger confirmed that customer data was exposed through a breach at Global-e, its third-party payment processor. The attack didn't touch Ledger's platform, hardware, or software — it targeted the company that handles checkout and international orders.

What was exposed:

  • Names and contact information from online orders
  • Order details including products purchased and prices
  • No payment data — no card numbers, no credentials
  • No crypto access — seed phrases, blockchain balances, and digital assets were never at risk

Here's the real story: Global-e serves Adidas, Disney, Netflix, Hugo Boss, and dozens more. Ledger wasn't the only victim. When your vendor's vendor gets hacked, everyone in the chain feels it.

This is Ledger's third data incident — after a 2020 Shopify breach (270K customers) and a 2023 crypto heist ($500K). The hardware stays secure, but the business operations keep getting hit. The lesson for every SME: your security is only as strong as your weakest supplier. When was the last time you reviewed what data your vendors hold about your customers? That's a question the CyberFundamentals framework helps you answer.

Full breach details →

ALPHV/BlackCat insiders unmasked — cybersecurity pros turned ransomware operators

January 2: Two U.S. cybersecurity professionals pleaded guilty to running ransomware attacks using the ALPHV/BlackCat platform. This is one of the rarest things in cybercrime: actual names and faces behind a major ransomware operation.

The defendants:

  • Ryan Goldberg, 40, Georgia — worked as an incident response supervisor at Sygnia, an Israeli-owned cybersecurity firm
  • Kevin Martin, 36, Texas — worked as a ransomware threat negotiator at DigitalMint, a threat intel and incident response company

Let that sink in: one was paid to respond to ransomware attacks. The other was paid to negotiate ransomware payments. Both used their expertise to run the attacks themselves.

Between April and December 2023, they targeted five U.S. companies — a medical device maker, a pharmaceutical firm, a doctor's office, an engineering company, and a drone manufacturer. They paid ALPHV's operators 20% of ransoms and split the rest. Total losses exceeded $9.5 million.

ALPHV/BlackCat is the group behind the Change Healthcare attack that disrupted U.S. pharmacy operations for weeks. The FBI disrupted the group in December 2023, and its operators pulled an exit scam in early 2024 — keeping a $22 million ransom for themselves.

The insider threat is real. Not every attacker is sitting in a basement overseas. Some hold security clearances, incident response certifications, and your trust. Sentencing is March 12, 2026 — up to 20 years each.

Read the full story →



easycyberprotection.com