Full Report
Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload. Specifically, the attack relies on using the "nslookup" (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows
Analysis Summary
# Tool/Technique: DNS-based ClickFix (nslookup variation)
## Overview
ClickFix is a social engineering tactic in which users are tricked into manually running commands supplied by a fake web page (typically styled as a "CAPTCHA" check or a browser error fix). This variation uses the Windows `nslookup` utility to query an attacker-chosen DNS server. Instead of an ordinary name-to-address answer, the response carries text that `nslookup` prints in the "Name:" line of its output; the rest of the pasted one-liner filters that line out of the output and hands it to a shell as the second-stage script.
## Technical Details
- **Type:** Technique (Social Engineering / Malware Staging)
- **Platform:** Windows (via `cmd.exe` and Run dialog); variants exist for macOS.
- **Capabilities:** Retrieves the next stage over DNS rather than HTTP/S, so URL filtering and download scanning never see it; uses DNS as a signaling channel; executes the remote payload with native Windows tools only.
- **First Seen:** Reported February 2026 (building on broader ClickFix trends since 2024).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link (Redirects to fake landing pages)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious Command (User pastes command into Run dialog)
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- **TA0011 - Command and Control**
- T1071.004 - Application Layer Protocol: DNS (next stage retrieved through a DNS lookup instead of an HTTP/S download)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (staging string hidden inside a DNS answer and filtered out of `nslookup` output before execution)
- **TA0007 - Discovery**
- T1016 - System Network Configuration Discovery
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
## Functionality
### Core Capabilities
- **DNS Staging:** Runs `nslookup` with a hard-coded server argument, so the query goes straight to the attacker-chosen DNS server (or a public resolver) over UDP/53 and never touches the workstation's configured resolver.
- **Execution Chain:** Filters the `nslookup` output down to the line that carries the staged string and pipes it into `cmd.exe` or another shell.
- **Self-Infection:** The victim pastes the string into the Run dialog by hand. No browser exploit, download prompt or dropped file is involved, so browser sandboxing, download scanning and web-only sandbox analysis have nothing to inspect.
### Advanced Features
- **Validation Layer:** The attacker-controlled DNS server can check the request (for example the source IP or the exact name queried) before serving the malicious "Name:" answer, which frustrates automated replay and analysis.
- **Lightweight Signaling:** The stage fits in a single DNS answer (name or TXT data), so a single small query blends into ordinary DNS traffic and leaves a far smaller footprint than an HTTP/S download. The caveat for defenders is that the query bypasses the configured resolver, which on a managed workstation is itself an anomaly.
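The staging step above depends on `nslookup` printing whatever the server answered in its "Name:" line. The following parser for Windows `nslookup` text output is an added example, not code from Microsoft's report or from the page; the two output samples are constructed, and the "staged" one carries a harmless placeholder string rather than any real second-stage command. The check is simple: a "Name:" value that cannot be a DNS hostname is the tell that the answer was crafted to be executed, not resolved.

```python
"""Parse Windows nslookup output and flag Name: values that are not hostnames.

Added example; sample outputs are constructed (RFC 5737 / RFC 3849 addresses).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

KEY_LINE = re.compile(r"^(\S[^:]*?):\s*(.*)$")      # "Name:    value"
TXT_LINE = re.compile(r"^(\S+)\s+text\s*=\s*$")      # "example.com   text ="
HOSTNAME = re.compile(r"^[A-Za-z0-9._-]+\.?$")       # what a real Name: looks like


@dataclass
class NslookupAnswer:
    resolver: str | None = None
    resolver_address: str | None = None
    names: list[str] = field(default_factory=list)
    addresses: list[str] = field(default_factory=list)
    aliases: list[str] = field(default_factory=list)
    txt: list[str] = field(default_factory=list)


def parse_nslookup(output: str) -> NslookupAnswer:
    """Walk nslookup's key/value lines; indented lines continue the previous key."""
    ans = NslookupAnswer()
    current: list[str] | None = None   # list receiving continuation lines
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            # extra address, extra alias or a quoted TXT string
            value = raw.strip().strip('"')
            if current is not None and value:
                current.append(value)
            continue
        if TXT_LINE.match(raw):
            current = ans.txt
            continue
        m = KEY_LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "server":
            ans.resolver, current = value, None
        elif (key == "address" and ans.resolver is not None
              and ans.resolver_address is None and not ans.names):
            # first Address: after Server: is the resolver, not an answer
            ans.resolver_address, current = value, None
        elif key == "name":
            ans.names.append(value)
            current = None
        elif key in ("address", "addresses"):
            current = ans.addresses
            if value:
                current.append(value)
        elif key == "aliases":
            current = ans.aliases
            if value:
                current.append(value)
        # "Non-authoritative answer:" and anything else is ignored
    return ans


def suspicious_names(ans: NslookupAnswer) -> list[str]:
    """Name: values that cannot be hostnames, i.e. text meant to be executed."""
    return [n for n in ans.names if not HOSTNAME.match(n)]


# Constructed sample: an ordinary lookup with an IPv6 and IPv4 answer and an alias.
BENIGN = """Server:  UnKnown
Address:  192.0.2.53

Non-authoritative answer:
Name:    www.example.com
Addresses:  2001:db8::10
          203.0.113.10
Aliases:  example.com
"""

# Constructed sample: the Name: line carries text instead of a hostname.
STAGED = """Server:  UnKnown
Address:  198.51.100.7

Non-authoritative answer:
Name:    cmd /c echo constructed-stage2 & pause
Address:  198.51.100.7
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("staged", STAGED)):
        parsed = parse_nslookup(sample)
        print(label, parsed.names, "suspicious:", suspicious_names(parsed))
```

A hunting job can run the same check over DNS answer logs: if the resolver or the EDR records the answer data, any name or CNAME target that fails the hostname pattern deserves a look, regardless of which process issued the query.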
## Indicators of Compromise
- **File Names:**
- Malicious Python scripts (extracted from ZIP)
- Windows Shortcut (LNK) files in the Startup folder.
- **Network Indicators:**
- `azwsappdev[.]com` (Payload hosting)
- A hard-coded DNS server argument on the `nslookup` command line. This may be an attacker-controlled IP or a well-known public resolver, so match on the `nslookup` usage pattern and on the resolver being outside the organization's configured set rather than on a particular IP.
- **Behavioral Indicators:**
- `cmd.exe` or `powershell.exe` being launched with `nslookup` arguments within the command string.
- Creation of `.lnk` files in `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup`.
- Python execution shortly after `nslookup.exe` activity in the same process tree, in particular a script run from a user-writable directory after a ZIP was extracted there.
## Associated Threat Actors
- **GrayBravo** (formerly TAG-150) - Linked to CastleLoader.
- Various "ClickFix" clusters spreading **ModeloRAT**, **Lumma Stealer**, and **CastleLoader**.
## Detection Methods
- **Behavioral Detection:** Alert on `cmd.exe` or `powershell.exe` whose command line contains `nslookup` together with something that executes its output: a pipe into a shell, `for /f`, `iex`/`Invoke-Expression`, or similar.
- **Network Monitoring:** Alert on UDP/53 connections from `nslookup.exe` to any destination other than the organization's internal resolvers or the configured ISP resolvers. Interactive use of `nslookup` against a non-default server is rare outside of network administration.
- **Process Monitoring:** Alert on `python.exe` (or another interpreter) whose ancestry leads back to a shell launched from the Run dialog (parent `explorer.exe`), and correlate it with a prior `nslookup` staging command line in the same tree.
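The three detections above, run over constructed Sysmon-style process-creation and network-connection events. This is an added example, not detection content from Microsoft's report or from the page; the approved resolver set, the event layout and the sample command line are assumptions made for the illustration, and the sample command line mirrors only the shape the report describes (an `nslookup` query filtered for the "Name:" line and piped into a shell).

```python
"""Detect nslookup-based ClickFix staging in process/network telemetry.

Added example over constructed events; adapt field names to your EDR schema.
"""
import ipaddress
import re

# Assumed organisational resolvers (not from the report).
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}
# nslookup followed, later in the same command line, by something that runs its output
EXEC_AFTER_NSLOOKUP = re.compile(
    r"nslookup\b.*?(\||\biex\b|invoke-expression|for\s+/f|\bcmd\b)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, pid: int):
    """Yield process events from pid upwards, guarding against pid reuse loops."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        yield ev
        pid = ev["ppid"]


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) for every event that trips a rule, in event order."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts: list[tuple[str, int]] = []
    for e in events:
        if e["type"] == "process":
            img = basename(e["image"])
            # Rule 1: shell command line that executes nslookup output
            if img in SHELLS and EXEC_AFTER_NSLOOKUP.search(e.get("cmdline", "")):
                alerts.append(("nslookup_staging_cmdline", e["pid"]))
            # Rule 3: interpreter whose ancestry contains such a shell
            if img in INTERPRETERS and any(
                basename(a["image"]) in SHELLS
                and EXEC_AFTER_NSLOOKUP.search(a.get("cmdline", ""))
                for a in ancestors(by_pid, e["ppid"])
            ):
                alerts.append(("interpreter_under_nslookup_staging", e["pid"]))
        elif e["type"] == "network":
            # Rule 2: nslookup.exe talking DNS to a resolver we do not operate
            proc = by_pid.get(e["pid"])
            if (proc and basename(proc["image"]) == "nslookup.exe"
                    and e["dest_port"] == 53
                    and ipaddress.ip_address(e["dest_ip"]) not in APPROVED_RESOLVERS):
                alerts.append(("nslookup_to_unapproved_resolver", e["pid"]))
    return alerts


S32 = "C:\\Windows\\System32\\"
# Constructed events: one staging chain started from the Run dialog (explorer.exe
# parent) and one benign interactive nslookup against the corporate resolver.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": S32 + "cmd.exe",
     "cmdline": 'cmd /c "nslookup www.example.com 198.51.100.7 | findstr Name: | cmd"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": S32 + "nslookup.exe",
     "cmdline": "nslookup www.example.com 198.51.100.7"},
    {"type": "network", "pid": 300, "dest_ip": "198.51.100.7", "dest_port": 53},
    {"type": "process", "pid": 400, "ppid": 200, "image": S32 + "cmd.exe", "cmdline": "cmd"},
    {"type": "process", "pid": 500, "ppid": 400, "image": "C:\\Users\\u\\AppData\\Local\\Programs\\Python\\python.exe",
     "cmdline": "python.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.py"},
    {"type": "process", "pid": 600, "ppid": 100, "image": S32 + "cmd.exe", "cmdline": "cmd"},
    {"type": "process", "pid": 700, "ppid": 600, "image": S32 + "nslookup.exe", "cmdline": "nslookup www.example.com"},
    {"type": "network", "pid": 700, "dest_ip": "10.0.0.53", "dest_port": 53},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 alone is the cheapest to deploy; rules 2 and 3 raise fidelity by tying the DNS contact and the interpreter launch back to the same process tree, which is what separates this chain from an administrator running `nslookup` by hand.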
## Mitigation Strategies
- **User Education:** Train users never to copy and paste commands from "verification" pages or "fix" pop-ups.
- **GPO / Application Control:** Remove the Run dialog for users who do not need it (the "Remove Run menu from Start Menu" Explorer policy), and use AppLocker or WDAC to restrict `cmd.exe`, `powershell.exe` and unmanaged interpreters such as user-installed Python for standard users. Attack Surface Reduction rules that target Office child processes do not cover this chain, which starts from `explorer.exe`.
- **Network Filtering:** Restrict DNS traffic to authorized internal resolvers only; block outbound UDP/53 to the public internet for standard workstations.
## Related Tools/Techniques
- **FileFix / JackFix / ConsentFix / CrashFix / GlitchFix:** Other branding variants of the "ClickFix" social engineering framework.
- **CastleLoader / Lumma Stealer:** Common payloads delivered via these methods.
- **ModeloRAT:** The specific Python-based remote access trojan associated with this DNS-based variant.