DNS-Powered ClickFix Attack Uses nslookup to Deliver Stealthy PowerShell Malware

Threat actors have introduced a new variation of the ClickFix social engineering technique that abuses DNS queries to deliver malware, marking the first known instance of DNS being used as the delivery channel in these campaigns.

ClickFix attacks typically rely on tricking users into manually executing malicious commands under the pretense of fixing system errors, installing updates, or enabling features. In this latest campaign, however, attackers leverage the Windows nslookup tool to retrieve a second-stage payload directly from an attacker-controlled DNS server.

According to researchers at Microsoft, victims are instructed to run a command—often via the Windows Run dialog box—that performs a custom DNS lookup against a malicious DNS server rather than the system’s default resolver. The command queries a domain such as “example.com” from the attacker’s server and processes the DNS response using cmd.exe.

Instead of returning a standard DNS answer, the malicious server embeds a PowerShell command within the “NAME:” field of the DNS response. The victim-run command line parses that output and passes the returned content to PowerShell, effectively running a second-stage payload on the victim’s device.

Although the specific lure used to convince users to execute the command remains unclear, this technique reflects a shift in evasion tactics. By using DNS traffic—a protocol commonly allowed and less scrutinized—attackers can deliver payloads in a way that blends in with legitimate network activity. The approach also allows threat actors to dynamically modify payloads without relying on traditional HTTP-based delivery methods.

Microsoft researchers noted that the second-stage PowerShell script downloads additional malware from attacker-controlled infrastructure. The infection chain ultimately retrieves a ZIP archive containing a Python runtime environment and malicious scripts designed to perform reconnaissance on the compromised system and its domain.

To establish persistence, the malware creates files within the %APPDATA% directory and places a shortcut in the Windows Startup folder, ensuring execution upon reboot. The final payload deployed in the observed campaign is a remote access trojan known as ModeloRAT, which enables attackers to remotely control infected machines.

Unlike earlier ClickFix campaigns that relied heavily on HTTP to fetch malicious payloads, this DNS-based approach represents a significant evolution. Delivering PowerShell scripts via DNS responses enables stealthier communication and flexible staging.

ClickFix attacks have rapidly evolved over the past year. Earlier campaigns primarily convinced users to run PowerShell or shell commands directly to install malware. More recent variants have expanded their scope beyond traditional payload delivery.

One example is “ConsentFix,” a ClickFix-related campaign that abuses the Azure CLI OAuth application to hijack Microsoft accounts without requiring passwords and to bypass multi-factor authentication. Threat actors have also used shared AI chatbot pages—including ChatGPT, Grok, and Claude Artifact—to distribute fake technical guides that trick users into executing malicious commands.

In another novel case, attackers promoted ClickFix instructions via Pastebin comments targeting cryptocurrency users. Victims were persuaded to execute malicious JavaScript directly in their browsers while visiting cryptocurrency exchanges, allowing attackers to hijack transactions. This marked one of the first ClickFix campaigns focused on manipulating web application functionality rather than deploying traditional malware.

The emergence of DNS as a staging and delivery channel underscores how ClickFix continues to adapt. By exploiting trusted system utilities and legitimate network protocols, attackers are refining their ability to bypass defenses and increase the effectiveness of social engineering campaigns.

1 Comment

  • This DNS-based ClickFix technique shows how quickly threat actors are adapting their delivery methods to evade detection. Abusing trusted system tools like nslookup and blending malicious payloads into normal DNS traffic makes these attacks harder to spot. Organizations should strengthen monitoring of unusual DNS activity and educate users about the risks of running commands from unverified sources.
