A new ClickFix campaign targets the hospitality sector in Europe, using fake Windows BSOD screens to trick users into executing malware. Attackers send phishing emails impersonating Booking.com, leading victims to a convincing fake website that prompts them to run malicious commands. Once executed, the malware grants remote access and can spread within the network.

This article details a vulnerability in Triofox that allowed unauthenticated remote access, enabling attackers to bypass authentication and execute arbitrary code. Mandiant discovered that this flaw was exploited by a threat group, allowing them to create admin accounts and run malicious scripts. The issue has been patched in newer versions of the software.

Threat actors are exploiting the ConnectWise ScreenConnect installer to create signed remote access malware through a method called authenticode stuffing, which alters hidden settings in the software's digital signature. This has led to infections reported via phishing attacks that trick users into downloading malicious executables disguised as legitimate software. ConnectWise has since revoked the certificate used for these binaries, but the campaign highlights the risks of using modified enterprise tools.