
Microsoft Warns of DNS-Based ClickFix Attack Using Nslookup to Deploy Malware

26-02-16, 12:15 p.m.

New DNS-based ClickFix attack tricks users into executing malicious commands, allowing malware to stage through nslookup and evade detection. This sophisticated technique blends into normal network traffic, highlighting the evolving threat of social engineering.

Cybercriminals are refining social engineering tactics once again. Microsoft has disclosed a new variation of the increasingly widespread ClickFix attack, where victims are tricked into manually executing malicious commands on their own systems. This latest evolution leverages DNS lookups through the Windows nslookup utility to retrieve and execute second-stage malware payloads, allowing attackers to bypass traditional web-based detection mechanisms.


ClickFix attacks typically begin with phishing emails, malvertising campaigns, or compromised websites that redirect users to fake CAPTCHA pages or fabricated troubleshooting instructions. Victims are instructed to open the Windows Run dialog and execute a command to supposedly fix an issue. In reality, they are initiating their own infection.


In this DNS-based variation, the command runs through cmd.exe and performs a DNS query against a hard-coded external server rather than the system’s default resolver. The DNS response is then parsed and executed as a second-stage payload. By using DNS as a lightweight staging channel, attackers reduce reliance on suspicious web downloads and blend malicious traffic into routine network activity.


Once executed, the attack chain downloads additional payloads, including ZIP archives containing malicious scripts that conduct system reconnaissance, execute discovery commands, and ultimately deploy remote access trojans such as ModeloRAT. Persistence is established through Windows Startup folder shortcuts, ensuring the malware relaunches each time the system boots.


This campaign is part of a broader surge in ClickFix-related activity. Security researchers have also observed ClickFix-style techniques delivering Lumma Stealer through loaders such as CastleLoader and RenEngine Loader. These loaders often disguise themselves as cracked software, game cheats, or pirated media files. In many cases, attackers use legitimate platforms, cloud services, or even trusted domains to host malicious instructions, making detection significantly more difficult.


What makes ClickFix particularly dangerous is that it exploits procedural trust rather than software vulnerabilities. The instructions appear similar to legitimate troubleshooting steps users may have encountered before. As a result, victims often do not realize they are manually executing arbitrary code on their own machines.


For organizations, the implications are serious. Because DNS traffic is commonly allowed through firewalls and rarely scrutinized as closely as HTTP or HTTPS traffic, this tactic can bypass traditional perimeter defenses. One point in the defender's favour: a query aimed at a hard-coded external server leaves the network as port-53 traffic to a host other than the organization's configured resolvers, which egress filtering and DNS logging can single out. Additionally, the use of legitimate tools and infrastructure means security teams must differentiate between authorized administrative activity and malicious remote access.


This evolving threat landscape highlights the need for layered, proactive cybersecurity strategies. Endpoint monitoring must include behavioral detection capable of identifying unusual command execution and DNS activity. Organizations should restrict the use of administrative tools, monitor for unexpected script execution, and train employees to recognize suspicious troubleshooting instructions.
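As an added illustration of the behavioral detection this paragraph calls for (example code written for this page, not Microsoft's or Upside's detection logic), the Python sketch below runs over constructed process-creation and file-creation telemetry and flags two things: nslookup invoked with an explicit server operand that is not an approved resolver, rated higher when the process lineage is explorer.exe -> cmd.exe -> nslookup.exe (the Run-dialog shape described above), and a Startup-folder shortcut written by a process descended from that chain. The record layout, field names, resolver addresses, paths, PIDs and every sample value are assumptions made for the example.

```python
"""Behavioural detection sketch for the nslookup-staged ClickFix chain.

Added example, not Microsoft's or Upside's detection logic. Assumptions:
events are simplified process-creation (kind "process") and file-creation
(kind "file") records, in chronological order, in the shape an EDR or
Sysmon pipeline might emit; field names and all sample values are constructed.
"""
import re
from dataclasses import dataclass

# Resolvers the hypothetical organisation configures (assumed values).
# An explicit server operand to nslookup outside this set is "unusual DNS".
KNOWN_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b(.*)", re.IGNORECASE)
# Per-user and all-users Startup folders both end with this suffix.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
                            re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def explicit_server(cmdline):
    """Server operand of a non-interactive nslookup command line, or None.

    Syntax is ``nslookup [-option ...] NAME [SERVER]``; options start with '-'.
    """
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    operands = [a for a in m.group(1).split() if not a.startswith("-")]
    return operands[1] if len(operands) >= 2 else None


def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()


def lineage(event, processes):
    """The process event and its recorded ancestors, child first."""
    chain, cur = [], event
    while cur is not None:
        chain.append(cur)
        cur = processes.get(cur["ppid"])
    return chain


def detect(events):
    processes = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings, tainted = [], set()
    for e in events:
        if e["kind"] == "process" and image_name(e) == "nslookup.exe":
            server = explicit_server(e["cmd"])
            if server is None or server in KNOWN_RESOLVERS:
                continue  # default or approved resolver: nothing unusual
            chain = lineage(e, processes)
            names = [image_name(p) for p in chain]
            # explorer.exe -> cmd.exe -> nslookup.exe is the Run-dialog shape.
            if "cmd.exe" in names and "explorer.exe" in names:
                rule = "clickfix_nslookup_via_run_dialog"
            else:
                rule = "nslookup_unknown_server"
            # Remember the chain (minus the shell's explorer parent) so later
            # persistence activity by its descendants can be correlated.
            tainted.update(p["pid"] for p in chain if image_name(p) != "explorer.exe")
            findings.append(Finding(rule, e["pid"],
                                    f"server={server} chain={'<-'.join(names)}"))
        elif e["kind"] == "file" and STARTUP_LNK_RE.search(e["path"]):
            writer = processes.get(e["pid"])
            related = writer is not None and any(
                p["pid"] in tainted for p in lineage(writer, processes))
            rule = "startup_lnk_by_suspicious_chain" if related else "startup_lnk_created"
            findings.append(Finding(rule, e["pid"], e["path"]))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    {"kind": "process", "pid": 4001, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # victim pastes the "fix" into the Run dialog; explorer launches cmd.exe
    {"kind": "process", "pid": 4120, "ppid": 4001,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c nslookup update.example.invalid 203.0.113.5"},
    {"kind": "process", "pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\System32\nslookup.exe",
     "cmd": "nslookup update.example.invalid 203.0.113.5"},
    # constructed second-stage script host spawned by the same cmd.exe
    {"kind": "process", "pid": 4140, "ppid": 4120,
     "image": r"C:\Windows\System32\wscript.exe", "cmd": "wscript.exe stage2.js"},
    {"kind": "file", "pid": 4140,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    # benign: an admin queries the corporate resolver from a non-explorer shell
    {"kind": "process", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"kind": "process", "pid": 5010, "ppid": 5000,
     "image": r"C:\Windows\System32\nslookup.exe",
     "cmd": "nslookup intranet.example 10.0.0.53"},
    # benign: lookup via the default resolver, even though it came from Run
    {"kind": "process", "pid": 5020, "ppid": 4001,
     "image": r"C:\Windows\System32\nslookup.exe", "cmd": "nslookup intranet.example"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:36} pid={f.pid} {f.detail}")
```

Two caveats for anyone adapting this: `KNOWN_RESOLVERS` should be fed from the real DHCP or Group Policy configuration rather than hard-coded, and the command-line parse only covers non-interactive nslookup; a server chosen inside an interactive nslookup session never appears on the command line, so that case needs DNS-layer logging (queries to port 53 on hosts other than the approved resolvers) rather than process telemetry.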


At Upside Business Technologies, we help businesses defend against advanced social engineering campaigns and living-off-the-land techniques like ClickFix. Our approach combines continuous monitoring, endpoint detection and response, DNS traffic analysis, and employee security awareness training to stop threats before they escalate into full-scale breaches.


Cybercriminals are no longer relying solely on traditional malware downloads. They are convincing users to infect themselves while hiding malicious communications inside normal network traffic. The question is not whether these tactics will continue to evolve, but whether your organization is prepared to detect and prevent them.
