Home News DNS-Powered ClickFix Attack Delivers PowerShell Malware and ModeloRAT to Windows Systems
News

DNS-Powered ClickFix Attack Delivers PowerShell Malware and ModeloRAT to Windows Systems

131
Illustration of a Windows computer executing a malicious nslookup command in the Run dialog, delivering a PowerShell payload via DNS to install ModeloRAT malware.
ClickFix attackers are now using DNS queries to deliver PowerShell malware and install ModeloRAT on Windows systems.

New ClickFix Attack Uses DNS to Deliver PowerShell Payloads

Researchers at Microsoft have uncovered a novel ClickFix campaign in which threat actors are leveraging DNS queries to deliver malware, marking the first known use of DNS as a delivery channel in these social engineering attacks.

ClickFix attacks trick users into manually executing commands under the pretense of fixing errors, installing updates, or enabling functionality. This new variant represents a significant evolution in the technique.


How the DNS-Based ClickFix Attack Works

In this campaign, victims are instructed to run an nslookup command that queries an attacker-controlled DNS server instead of the system’s default DNS.

  • The DNS server responds with a malicious PowerShell script embedded in the “NAME:” field of the DNS response.
  • The victim’s system executes the script via the Windows command interpreter (cmd.exe), initiating the malware infection.

This method allows attackers to deliver second-stage payloads dynamically while blending in with normal DNS traffic, making detection more difficult.

Although the specific lure used to trick users is unclear, Microsoft notes that the command may be executed via the Windows Run dialog box. The DNS-based response then triggers the download of additional malware components.


Malware Components and Persistence

The payload ultimately delivers a ZIP archive containing a Python runtime executable and malicious scripts that perform reconnaissance on the infected system and network.

To maintain persistence, the malware creates:

  • %APPDATA%\WPy64-31401\python\script.vbs
  • %STARTUP%\MonitoringService.lnk shortcut to launch the VBScript at startup

The final stage installs ModeloRAT, a remote access trojan (RAT) that gives attackers full control over compromised systems.

Unlike previous ClickFix campaigns, which primarily retrieved payloads via HTTP, this variant demonstrates how attackers can use DNS for command-and-control and staging of malware.


Evolution of ClickFix Attacks

ClickFix campaigns have rapidly evolved over the past year, experimenting with new delivery techniques, operating system targets, and payload types. Key trends include:

  • Executing PowerShell or shell commands directly on target systems
  • Using DNS queries to dynamically deliver payloads
  • Leveraging AI LLM platforms such as ChatGPT, Grok, and Claude Artifact pages to promote fake guides
  • Hijacking Microsoft accounts via OAuth apps (e.g., ConsentFix) to bypass multi-factor authentication
  • Deploying JavaScript in browsers to hijack web applications or cryptocurrency transactions

These developments demonstrate attackers’ creativity in expanding social engineering tactics beyond traditional malware delivery channels.


Why This Attack Is Concerning

This DNS-based ClickFix attack shows how threat actors:

  • Can evade traditional security measures by blending traffic with legitimate DNS queries
  • Dynamically update payloads without requiring direct web downloads
  • Combine social engineering with technical tricks to compromise users across platforms
  • Target both local system security and web-based applications

As ClickFix attacks evolve, users are advised to exercise extreme caution before running commands on their devices, particularly when instructed by unverified guides or sponsored search results.

1 Comment

  • “This DNS-based ClickFix attack is a serious warning for Windows users. Never run commands from unverified guides or sources, as attackers can deliver malware like ModeloRAT through seemingly harmless DNS queries.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Articles

NewsSecurity

Telegram’s t.me Domain Goes Offline Worldwide After Registry Imposes ServerHold

Telegram’s t.me Links Go Offline After Domain Registry Places Hold on Address...

NewsSecurity

Critical U-Boot Flaws Could Let Hackers Install Stealthy Firmware Malware

New U-Boot Bootloader Flaws Could Enable Stealthy Firmware-Level Attacks Security researchers have...

NewsSecurity

Exposed Hacker Server Reveals Massive Campaign Compromising 25,000 WordPress Websites

Exposed Server Reveals 25,000 Hacked WordPress Websites in Large Cybercrime Campaign A...

NewsSecurity

Hidden Tenda Router Backdoor Gives Hackers Full Administrator Access

Hidden Backdoor in Tenda Router Firmware Allows Attackers to Gain Admin Access...