The page points to a knowledge base article (which only logged-in customers can access) for using a bootable USB key. Microsoft released such a tool yesterday; it automatically deletes the problematic channel file that caused machines to blue screen.
CrowdStrike also published a blog post yesterday warning that threat actors have been taking advantage of the situation to distribute malware, using “a malicious ZIP archive named crowdstrike-hotfix.zip.”
The ZIP archive contains a HijackLoader payload that, when executed, loads RemCos. Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers.
Following the content update issue, several typosquatting domains impersonating CrowdStrike have been identified. This campaign marks the first observed instance in which a threat actor has capitalized on the Falcon content issue to distribute malicious files targeting LATAM-based CrowdStrike customers.