A new ClickFix campaign targets the hospitality sector in Europe, using fake Windows BSOD screens to trick users into executing malware. Attackers send phishing emails impersonating Booking.com, leading victims to a convincing fake website that prompts them to run malicious commands. Once executed, the malware grants remote access and can spread within the network.

Threat actors are exploiting the ConnectWise ScreenConnect installer to create signed remote access malware through a method called authenticode stuffing, which alters hidden settings in the software's digital signature. This has led to infections reported via phishing attacks that trick users into downloading malicious executables disguised as legitimate software. ConnectWise has since revoked the certificate used for these binaries, but the campaign highlights the risks of using modified enterprise tools.