ClickFix Evolves: DNS-Based Malware Staging Through Nslookup
- Javier Conejo del Cerro
- Feb 16
- 3 min read

ClickFix is no longer just a social engineering trick that pushes victims to execute suspicious PowerShell commands. It has evolved into a stealthier, infrastructure-aware staging technique that leverages the Domain Name System (DNS) as a covert delivery channel.
Microsoft has disclosed a new DNS-based ClickFix variant in which victims are instructed to execute a seemingly harmless nslookup command via the Windows Run dialog. Instead of retrieving payloads over HTTP or HTTPS, the attack pulls second-stage instructions directly from attacker-controlled DNS servers. By abusing DNS as a lightweight signaling and staging mechanism, the attackers reduce reliance on traditional web requests and blend malicious traffic into routine network noise.
This shift highlights a broader trend: social engineering combined with protocol abuse to bypass detection rather than exploiting software vulnerabilities directly.
Phase 1: Social Engineering & User-Initiated Execution
The attack begins with classic ClickFix delivery vectors:
- Phishing emails
- Malvertising campaigns
- Fake CAPTCHA verification pages
- Cracked software portals
- Sponsored search ads
- Compromised legitimate websites
Victims are presented with instructions that resemble troubleshooting steps or security verifications. They are told to open the Windows Run dialog (or Terminal on macOS in other variants) and paste a command.
The key psychological element is procedural trust. The instructions mimic legitimate technical guidance, causing users to execute malicious code themselves, effectively bypassing many security controls.
Phase 2: DNS-Based Staging via Nslookup
Instead of downloading a file from a suspicious website, the malicious command runs through cmd.exe and performs a DNS lookup against a hard-coded attacker-controlled DNS server.
The DNS response contains encoded payload data.
The command extracts specific DNS record values (notably the Name: response) and executes them as the next-stage payload.
Why DNS?
- It blends into normal enterprise traffic
- It reduces dependency on HTTP-based staging
- It adds an extra validation layer
- It may evade web filtering solutions
DNS becomes a covert signaling channel.
Phase 3: Payload Deployment & Persistence
The DNS-triggered second stage launches a broader infection chain.
In documented cases, this leads to:
- Downloading a ZIP archive from an external domain
- Extracting a malicious Python script
- Executing reconnaissance and discovery commands
- Dropping a VBScript responsible for launching ModeloRAT
Persistence is established by:
- Creating a Windows shortcut (LNK) in the Startup folder
- Ensuring the malware launches automatically at system boot
ModeloRAT provides remote access and command execution capabilities.
Parallel Campaigns Leveraging ClickFix
ClickFix is not limited to ModeloRAT. The technique is being widely reused across malware ecosystems:
Windows-focused campaigns
- Lumma Stealer (via CastleLoader, RenEngine Loader, Hijack Loader)
- StealC
- Stealerium
macOS campaigns
- Odyssey Stealer (rebranded Poseidon, fork of AMOS)
- Atomic Stealer
- MacSync Stealer
These stealers target:
- Credentials
- Browser wallet extensions (over 200 targeted in some cases)
- Desktop crypto wallet applications
- Apple Keychain data
- Browser storage
Some macOS variants include:
- LaunchDaemon persistence
- SOCKS5 tunneling
- Arbitrary shell execution
- EDR evasion
- Abuse of Apple-signed binaries for permission inheritance
Additional stealth techniques include:
- EtherHiding via blockchain smart contracts
- Use of aged domains to avoid reputation flags
- Shared C2 infrastructure across malware families
Global Impact & Infection Distribution
Lumma Stealer infections have been most heavily observed in:
- India
- France
- United States
- Spain
- Germany
- Brazil
- Mexico
- Romania
- Italy
- Canada
This demonstrates that ClickFix is not a niche tactic — it is a global malware delivery framework.
Why ClickFix Works
ClickFix does not exploit software vulnerabilities.
It exploits human behavior.
Victims believe they are:
- Verifying identity
- Fixing a system issue
- Completing a CAPTCHA
- Installing a legitimate tool
Instead, they are manually executing attacker-supplied commands.
The assumption that “Macs don’t get viruses” has also amplified risk, especially among cryptocurrency users who disproportionately rely on macOS and software wallets.
Once seed phrases are stolen, transactions are irreversible.
Defensive Measures
Organizations must address both the technical and behavioral dimensions of this threat:
- Block or monitor suspicious use of nslookup via Run/Terminal
- Disable or restrict execution of macros, LNK files, and HTA scripts
- Harden email and web filtering against ClickFix-style lures
- Monitor DNS queries for anomalous external resolvers
- Detect suspicious outbound C2 communication
- Monitor Keychain and browser wallet access patterns (macOS)
- Deploy EDR capable of identifying memory-resident payloads
- Enforce least privilege principles
- Train users to recognize "Run this command" social engineering
Detection must expand beyond web traffic inspection to include DNS telemetry analysis.
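The nslookup-with-hard-coded-server pattern from Phase 2 and the DNS-telemetry controls listed above, as an added detection example (this is not code from the article, from Microsoft, or from any vendor): it runs four rules over constructed process-creation and DNS-client events. The event field names, the approved-resolver list, the assumption that a Run-dialog launch shows up as a direct child of explorer.exe, and the placeholder server address 203.0.113.10 are all assumptions, not values from the page.

```python
"""Detection sketch for DNS-based ClickFix staging via nslookup.

Added example, not code from the article, Microsoft or any vendor.  Event
shapes are assumptions modelled on EDR process-creation and DNS-client logs;
the sample events at the bottom are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress
import ntpath

# Assumption: the organisation's sanctioned resolvers.  Replace with your own.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Constructs that pull fields (such as the Name: line) out of nslookup output.
OUTPUT_PARSING_MARKERS = ("for /f", "findstr", "name:")


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


@dataclass
class DnsEvent:
    host: str
    resolver: str       # address the client sent the query to
    query: str
    record_type: str


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def nslookup_args(command_line: str) -> Optional[List[str]]:
    """Positional arguments of the first nslookup call in a command line
    (queried name, then the optional explicit server), or None if nslookup is
    not invoked.  Quotes are dropped, options (-type=...) and redirections are
    skipped, and parsing stops at a pipe or command separator."""
    tokens = command_line.replace('"', "").split()
    for i, tok in enumerate(tokens):
        if basename(tok) in ("nslookup", "nslookup.exe"):
            break
    else:
        return None
    positional: List[str] = []
    for tok in tokens[i + 1:]:
        if tok[0] in "|&":
            break
        if tok.startswith("-") or ">" in tok or "<" in tok:
            continue
        positional.append(tok)
    return positional


def is_approved_resolver(server: str) -> bool:
    """True for allow-listed resolvers and loopback (a local stub resolver);
    a hostname given as the server is treated as unapproved."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False
    return str(addr) in APPROVED_RESOLVERS or addr.is_loopback


def analyze(process_events: List[ProcessEvent], dns_events: List[DnsEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in process_events:
        args = nslookup_args(ev.command_line)
        if args is None:
            continue
        # Rule 1: nslookup told to use a server that is not one of ours.
        if len(args) >= 2 and not is_approved_resolver(args[1]):
            findings.append(Finding(ev.host, "nslookup_unapproved_server",
                                    f"query={args[0]} server={args[1]}"))
        # Rule 2: launched straight from the Run dialog.  Assumption: such a
        # launch appears as a direct child of explorer.exe.
        if basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in ("cmd.exe", "nslookup.exe"):
            findings.append(Finding(ev.host, "nslookup_from_run_dialog", ev.command_line))
        # Rule 3: the lookup output is being parsed rather than read by a human.
        lowered = ev.command_line.lower()
        if any(marker in lowered for marker in OUTPUT_PARSING_MARKERS):
            findings.append(Finding(ev.host, "nslookup_output_parsed", ev.command_line))
    for dq in dns_events:
        # Rule 4: a client sending queries to a resolver other than the sanctioned ones.
        if not is_approved_resolver(dq.resolver):
            findings.append(Finding(dq.host, "dns_to_unapproved_resolver",
                                    f"{dq.record_type} {dq.query} -> {dq.resolver}"))
    return findings


# Constructed sample telemetry.  203.0.113.10 is a documentation address used
# as a placeholder for an attacker-controlled resolver.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 'cmd.exe /c "nslookup check.example-placeholder.invalid 203.0.113.10 | findstr Name"'),
    ProcessEvent("WS02", r"C:\Windows\System32\nslookup.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "nslookup -type=mx corp.example 10.0.0.53"),   # admin troubleshooting
    ProcessEvent("WS03", r"C:\Program Files\App\app.exe", r"C:\Windows\explorer.exe", "app.exe --update"),
]
SAMPLE_DNS_EVENTS = [
    DnsEvent("WS01", "203.0.113.10", "check.example-placeholder.invalid", "A"),
    DnsEvent("WS02", "10.0.0.53", "corp.example", "MX"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_EVENTS):
        print(f"{f.host} {f.rule}: {f.detail}")
```

On the sample data only the WS01 events fire: the administrator's lookup against the corporate resolver on WS02 produces no finding, which is the point of keying the rules on the explicit server argument and the resolver address rather than on nslookup itself. Rules 1 and 4 are the ones that survive the attacker switching to a different tool, so they are the ones worth wiring into DNS telemetry first.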
ClickFix represents the evolution of malware delivery from exploit-driven compromise to user-driven compromise.
By shifting staging to DNS and leveraging procedural trust, attackers have created a resilient and flexible distribution model capable of delivering RATs and stealers across Windows and macOS ecosystems.
The broader lesson is clear:
Security controls built around blocking malicious downloads are no longer sufficient.
When users are convinced to execute the command themselves, the attack surface becomes human behavior.
DNS-based staging is not technically revolutionary — but operationally, it is effective.
And in modern threat landscapes, effectiveness is what matters most.
The Hacker News