Article

Click-Fix Attacks Now Using Fake Blue Screen of Death

The ClickFix social engineering technique has gained significant popularity across the threat landscape since it emerged in 2025. It leverages fake error dialog boxes to deceive users into manually executing malicious PowerShell commands. This technique is commonly delivered through compromised websites, malicious documents, HTML attachments, or phishing URLs, and has been associated with a wide range of malware families, including AsyncRAT, DarkGate, NetSupport, and Lumma Stealer.

More recently, threat researchers have identified a clever evolution of this technique targeting the hospitality sector. This campaign combines ClickFix lures with fake CAPTCHA prompts and counterfeit Blue Screen of Death (BSOD) messages to manipulate users into pasting attacker-controlled code. This approach enables defense evasion and ultimately results in the deployment of the Russian-linked DCRat malware.

Figure 1. Example of a fake BSOD used to trick victims (Source: Securonix)

What’s Notable and Unique

  • This latest campaign leverages phishing emails impersonating Booking.com, using Euro-denominated reservation cancellation charges to create urgency and direct victims to fraudulent websites.
  • These websites use fake CAPTCHA challenges and counterfeit BSOD messages as social engineering lures, targeting hospitality organizations, particularly European entities, during the peak holiday season.
  • This social engineering technique ultimately deceives users into executing malicious code that abuses MSBuild.exe to deploy a Russian-linked DCRat payload, enabling persistent remote access, process hollowing, keylogging, and secondary payload delivery.

Analyst Comments

ClickFix social engineering techniques continue to evolve, with earlier-identified variants like FileFix using sophisticated methods that trick users into copying malicious scripts, which are then executed through Windows File Explorer. The latest campaign now employs fake BSOD prompts to deceive victims and deploy DCRat malware, underscoring the importance of vigilance against emerging social engineering threats. To defend against these attacks, organizations should provide ongoing employee training to recognize and respond to social engineering techniques, ensure software is downloaded only from trusted sources, and restrict PowerShell usage to privileged administrators.
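The two behaviors the article calls out, a user-pasted PowerShell command launched from the desktop shell and MSBuild.exe started by something other than a build tool, can be surfaced from process-creation telemetry. The following is an added detection example, not code from the article or from Securonix; the event fields, the expected-parent lists and the sample events are all constructed assumptions for illustration.

```python
"""Added example (not from the original article): flag the ClickFix -> PowerShell
-> MSBuild.exe execution chain in process-creation events. Field names follow a
Sysmon Event ID 1 style layout; the lists and sample events are assumptions."""
import re
from dataclasses import dataclass

# Parents a user-pasted command is launched from (Run dialog / shell) - assumption.
USER_SHELL_PARENTS = {"explorer.exe", "cmd.exe"}
# Parents from which msbuild.exe is expected in a build environment - assumption.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
# PowerShell switches commonly seen when a command is meant to run unnoticed.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(enc|e|ec|encodedcommand|w(indowstyle)?\s+hidden|nop|noprofile"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)

@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names that fire for a single event."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    hits = []
    if (img in {"powershell.exe", "pwsh.exe"} and parent in USER_SHELL_PARENTS
            and SUSPICIOUS_PS_FLAGS.search(ev.command_line)):
        hits.append("powershell_from_user_shell_with_evasion_flags")
    if img == "msbuild.exe" and parent not in EXPECTED_MSBUILD_PARENTS:
        hits.append("msbuild_unexpected_parent")
    return hits

def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run classify() over a batch; returns (event index, detection name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in classify(ev)]

# Constructed sample telemetry (the encoded payload is a placeholder, not a real one).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              "powershell.exe -w hidden -ep bypass -enc <BASE64_PLACEHOLDER>"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"MSBuild.exe C:\Users\Public\task.xml"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r"MSBuild.exe C:\src\app\app.csproj"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe Get-ChildItem"),
]
```

Tuning the parent lists to the organization's actual build hosts keeps the MSBuild rule from firing on legitimate CI activity.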

Sources