Blue Screen of Death

Winsage
January 14, 2026
A ticket machine at Comboios de Portugal is malfunctioning, running on Windows 2000, which has caused the system to freeze and made card payments unavailable. The issue appears to be related to the software rather than hardware failures. Despite the machine's wear and tear, there is currently no Blue Screen of Death. The situation highlights a decline in rail travel in Portugal as travelers increasingly prefer express bus services.
Winsage
December 15, 2025
A pro-Russian hacktivist group, CyberVolk, has re-emerged in 2025 with a new ransomware-as-a-service (RaaS) operation called VolkLocker, a Golang-based ransomware that targets both Windows and Linux systems. The group utilizes Telegram bots for command-and-control operations, allowing affiliates to manage ransomware interactions. Despite its advancements, coding errors in the ransomware enable victims to recover encrypted files without paying a ransom. VolkLocker employs AES-256 encryption but has a critical flaw where the master encryption key is hard-coded and saved in plaintext, allowing easy decryption. The ransomware also ensures persistence by replicating itself and disabling essential system tools. CyberVolk offers additional RAT and keylogger add-ons for sale, along with complete RaaS packages. Indicators of compromise include specific Windows and Linux sample hashes, a Bitcoin wallet address, and a Telegram bot ID.
Winsage
December 4, 2025
Windows has traditionally held a dominant market share in operating systems, but Linux is gaining traction, particularly after Microsoft ended support for Windows 10 on October 14, 2025. Zorin OS, a Linux distribution, attracted around 780,000 former Windows users within a month of this announcement. Bazzite delivered a petabyte of ISO files in one month, indicating a growing interest among Windows 10 users in alternatives to Windows 11. Linus Torvalds highlighted that many blue screen errors in Windows are linked to hardware issues rather than software bugs and recommended using Error-Correcting Code (ECC) memory for better stability. Microsoft has changed its error reporting from the blue screen of death to a black screen to enhance security and prevent destabilizing updates. There are three types of Blue Screen of Death errors: the Windows 3.1 Ctrl+Alt+Del screen, the Windows 95 kernel error, and the Windows NT kernel error.
AppWizard
December 3, 2025
Microsoft's Xbox Full Screen Experience (FSE) was rolled out to all Windows-based handhelds on November 21, followed by a broader release for gaming rigs and laptops for Windows Insider members. The update process on Windows 11 was slow, causing frustration for users. Accessing the Xbox FSE through various shortcuts was unsuccessful, and the experience was marred by instability and frequent updates. A recent system update (KB5066835) resulted in a significant drop in gaming performance. The author expressed a preference for Linux and SteamOS due to their stability and user-friendly interface compared to Windows. The upcoming Steam Machine is anticipated for its compact design and potential for a hassle-free gaming experience.
Winsage
December 3, 2025
Microsoft changed the color of the Blue Screen of Death (BSOD) from blue to black, making it visually similar to Linux's kernel panic screen. Linus Torvalds defended Microsoft's error screens in a video with Linus Sebastian, stating that many issues attributed to Windows instability are often due to unreliable hardware rather than software bugs. He advocates for the use of Error Correction Code (ECC) to enhance hardware reliability, suggesting that many BSOD incidents may stem from hardware issues.
Winsage
November 25, 2025
Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.
Winsage
November 23, 2025
Microsoft is launching an initiative to eliminate the Blue Screen of Death (BSOD) by introducing a new black screen error interface in Windows 11, which will replace the traditional blue backdrop. This redesign aims to modernize the error display and provide actionable insights while removing the frowning face emoji. A new feature called Digital Signage Mode will automatically conceal BSODs on public displays after 15 seconds, preventing prolonged visibility of errors. This mode suppresses all Windows error dialogs and allows systems to reboot or enter recovery without displaying errors, which is crucial for environments like retail and transportation. Microsoft is also enhancing remote recovery tools for IT administrators and promoting proactive measures for error prevention, such as regular driver updates and system scans. The company is collaborating with hardware manufacturers to improve driver compatibility and reduce BSOD incidents. Despite concerns about obscuring underlying issues, Microsoft ensures that all incidents are logged for future review. By 2026, experts anticipate advancements in AI-driven error handling that could eliminate public BSODs entirely. User adoption remains a challenge, particularly among small businesses, and Microsoft is addressing this through educational campaigns. The transition to a black screen has been positively received in consumer spaces, marking a cultural shift away from the blue screen as a symbol of computing errors.
Winsage
November 23, 2025
The new Digital Signage Mode introduced by Microsoft allows Windows to display system error messages, such as the Blue Screen of Death, for only 15 seconds before turning the screen black. This feature aims to prevent public visibility of technical errors on digital signage while still allowing support teams to address issues. The mode also applies to other disruptive Windows dialogs, but it is specifically designed for non-interactive public displays and does not extend to kiosks, which require direct user interaction. The mode can be enabled through the Windows Settings app or a registry key.