Microsoft has disclosed a sophisticated new variant of the ClickFix social engineering attack that weaponizes the Windows nslookup command to stage malware through DNS queries, enabling attackers to bypass traditional web-based detection mechanisms.
Attack Methodology
This DNS-based ClickFix variant tricks users into executing a specially crafted command through the Windows Run dialog that performs a DNS lookup against a hard-coded external DNS server rather than the system’s default resolver. The attack chain works as follows:
- Initial infection via phishing, malvertising, or drive-by download redirects victims to fake CAPTCHA or troubleshooting pages
- Users are instructed to run a command using the Windows Run dialog (Win+R)
- The command executes nslookup to query an attacker-controlled DNS server
- The DNS response’s Name: field is extracted and executed as the second-stage payload
- A ZIP archive downloads from azwsappdev[.]com containing a malicious Python script
- The script conducts reconnaissance and drops a VBScript that launches ModeloRAT, a Python-based remote access trojan
- Persistence is established via a Windows shortcut (LNK) file in the Startup folder
Why DNS Staging Matters
Microsoft’s Threat Intelligence team notes that using DNS as a staging channel offers significant advantages to attackers:
- Reduced dependency on web requests: Traditional ClickFix variants rely on HTTP/HTTPS calls that security tools readily flag
- Traffic blending: DNS queries appear as normal network activity, making detection more difficult
- Validation layer: Attackers can verify victims before delivering payloads, avoiding sandbox analysis
ClickFix Variant Explosion
ClickFix has become one of the most effective social engineering tactics because it bypasses security controls by tricking users into infecting their own machines. The technique has spawned numerous variants including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix—each adapting the core concept to different delivery mechanisms.
Related Campaigns: Lumma Stealer and CastleLoader
Bitdefender has simultaneously reported a surge in Lumma Stealer activity driven by ClickFix-style fake CAPTCHA campaigns deploying CastleLoader, associated with threat actor GrayBravo (formerly TAG-150). Despite law enforcement disruption efforts in 2025, Lumma Stealer operations have demonstrated resilience by rapidly migrating infrastructure and adopting alternative loaders.
One infrastructure overlap is particularly concerning: a domain on CastleLoader’s network (testdomain123123[.]shop) was flagged as a Lumma Stealer C2, suggesting the operators may be collaborating or sharing service providers.
macOS Not Immune
While this DNS-based variant targets Windows, related ClickFix campaigns are actively targeting macOS users through:
- Claude AI artifacts: Attackers abuse Anthropic’s public artifact sharing feature to host malicious Terminal instructions
- Google Ads malvertising: Sponsored search results for legitimate tools redirect to ClickFix pages
- Fake Medium articles: Impersonating Apple Support to deliver MacSync and Atomic Stealer
Flare’s research emphasizes that “nearly every macOS stealer prioritizes cryptocurrency theft above all else” due to the irreversible nature of crypto transactions.
Detection and Defense
Organizations should implement:
- Monitoring for unusual nslookup executions via the Run dialog or command line
- DNS query logging with analysis for suspicious external resolver usage
- User awareness training specifically addressing ClickFix tactics
- Application whitelisting to prevent unauthorized script execution
- Enhanced macOS monitoring for unsigned applications requesting passwords and unusual Terminal activity
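A starting point for the first two items above, as an added example that is not from the article or from Microsoft's report: it triages constructed process-creation records and flags nslookup invocations that name an explicit resolver outside the organization's own (the INTERNAL_RESOLVERS set and the sample events are assumptions), plus invocations whose parent is explorer.exe, which is how a Run-dialog (Win+R) launch appears in process telemetry.

```python
import re

# Resolvers this (hypothetical) organization operates; any other server passed to
# nslookup counts as an external resolver worth a closer look.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample events (not from the article); minimal Sysmon-style fields.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c "nslookup -type=txt update.example 203.0.113.10"'},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup mail.corp.example 10.0.0.53"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup intranet.corp.example"},
]

NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b(.*)", re.IGNORECASE)


def nslookup_resolver(cmdline: str):
    """Return the explicit server argument of an nslookup call, or None.

    Syntax is: nslookup [-opt ...] host [server]. A second positional argument
    overrides the system resolver, which is the behaviour this variant relies on.
    """
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    tokens = [t for t in m.group(1).split() if not t.startswith("-")]
    # Drop shell punctuation glued to a token (closing quotes, pipes, parentheses).
    positional = [s for s in (t.strip('"\'|&()') for t in tokens) if s]
    return positional[1] if len(positional) >= 2 else None


def triage(event: dict) -> list:
    """Return the detection labels that apply to one process-creation event."""
    cmd = event["cmdline"]
    findings = []
    if not NSLOOKUP_RE.search(cmd):
        return findings
    server = nslookup_resolver(cmd)
    if server and server not in INTERNAL_RESOLVERS:
        findings.append(f"external-resolver:{server}")
    # Commands typed into the Run dialog are spawned by explorer.exe, so that parent
    # on a command-line tool is the Run-dialog signal the guidance above refers to.
    if event["parent"].lower().endswith("\\explorer.exe"):
        findings.append("run-dialog-origin")
    return findings


def run_triage(events=SAMPLE_EVENTS) -> dict:
    """Map each event id to its findings; only event 1 should be flagged here."""
    return {e["id"]: triage(e) for e in events}
```

An administrator querying a public resolver from a console will trip only the external-resolver label, so in practice the two labels together, not either alone, are the high-confidence signal.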
Indicators of Compromise
Domains:
- azwsappdev[.]com – Payload distribution
- testdomain123123[.]shop – Lumma Stealer/CastleLoader C2
- raxelpak[.]com – macOS stealer C2
Malware Families:
- ModeloRAT (Python RAT)
- CastleLoader (AutoIt loader)
- Lumma Stealer
- MacSync Stealer / Atomic Stealer (macOS)
As Bitdefender summarizes: “The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities.” Users comply because the instructions resemble legitimate troubleshooting steps they’ve encountered before.
