New ClickFix attack abuses nslookup to retrieve PowerShell payload via DNS

Published: February 15, 2026 at 07:29 PM EST

Source: Bleeping Computer


DNS queries deliver a malicious PowerShell script

In a new ClickFix campaign observed by Microsoft, victims are instructed to run an nslookup command that queries an attacker‑controlled DNS server instead of the system’s default resolver. The DNS response carries a malicious PowerShell script, which is then executed on the device to install malware.

“Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: asking targets to run a command that executes a custom DNS lookup and parses the Name: response to receive the next‑stage payload for execution,” — Microsoft Threat Intelligence (X post).


Illustration of the ClickFix DNS‑based delivery method.

The lure typically instructs users to run the command in the Windows Run dialog box. The command issues a DNS lookup for the hostname example.com against the threat actor’s DNS server at 84.21.189.20 and then executes the resulting response via cmd.exe.

The DNS response returns a Name: field that contains the second‑stage PowerShell payload, which is executed on the device.


DNS query response containing the second PowerShell command to execute. Source: Microsoft

Although the malicious DNS server is no longer available, Microsoft reports that the second‑stage PowerShell command downloaded additional malware from attacker‑controlled infrastructure. The attack ultimately:

  • Downloads a ZIP archive containing a Python runtime executable and malicious scripts for reconnaissance.
  • Establishes persistence by creating %APPDATA%\WPy64-31401\python\script.vbs and a %STARTUP%\MonitoringService.lnk shortcut that launches the VBScript on startup.
  • Deploys a remote‑access trojan known as ModeloRAT, giving attackers remote control of the compromised system.

Unlike typical ClickFix attacks that retrieve payloads via HTTP, this technique uses DNS as a communication and staging channel, allowing attackers to modify payloads on the fly while blending in with normal DNS traffic.
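The behaviour described above leaves a distinctive process chain on the endpoint: explorer.exe (the Run dialog) spawns a shell, which spawns nslookup.exe pointed at a resolver that is not one of the organisation’s own. The following detection logic is an added example written for this article, not code from Microsoft or BleepingComputer; it assumes Sysmon‑style process‑creation fields (image, parent, grandparent, command line), an assumed allowlist of corporate resolvers, and constructed sample events that reuse only the indicators named in the article.

```python
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}          # assumed corporate resolvers
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}        # shells the Run dialog spawns
PERSISTENCE_MARKERS = (                                  # artefacts named in the article
    r"\wpy64-31401\python\script.vbs",
    r"\monitoringservice.lnk",
)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def explicit_resolver(cmdline):
    """nslookup <name> [server]: return the server operand when one is given, else None."""
    tokens = [t for t in cmdline.split()[1:] if not t.startswith("-")]
    return tokens[1] if len(tokens) >= 2 else None

def analyse(ev):
    """Return the reasons a process-creation event is suspicious (empty list = benign)."""
    reasons = []
    if basename(ev["image"]) == "nslookup.exe":
        server = explicit_resolver(ev["cmdline"])
        if server and server not in TRUSTED_RESOLVERS:
            reasons.append(f"nslookup directed at untrusted resolver {server}")
            # Run-dialog pattern: explorer.exe -> interactive shell -> nslookup.exe
            if basename(ev["parent"]) in SHELLS and basename(ev["grandparent"]) == "explorer.exe":
                reasons.append("launched from a shell under explorer.exe (Run dialog pattern)")
    low = ev["cmdline"].lower()
    for marker in PERSISTENCE_MARKERS:
        if marker in low:
            reasons.append(f"references known persistence artefact {marker}")
    return reasons

def triage(events):
    """Return [(cmdline, reasons)] for every event that has at least one reason."""
    return [(ev["cmdline"], r) for ev in events if (r := analyse(ev))]

# Constructed sample telemetry for this example; not data from the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\nslookup.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "grandparent": r"C:\Windows\explorer.exe", "cmdline": "nslookup example.com 84.21.189.20"},
    {"image": r"C:\Windows\System32\nslookup.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "grandparent": r"C:\Windows\explorer.exe", "cmdline": "nslookup fileserver.corp.local 10.0.0.53"},
    {"image": r"C:\Windows\System32\nslookup.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "grandparent": r"C:\Windows\System32\svchost.exe", "cmdline": "nslookup www.example.org"},
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "grandparent": r"C:\Windows\System32\userinit.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\WPy64-31401\python\script.vbs"'},
]

if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(why))
```

Only the first and last sample events are flagged: the admin’s lookup against a trusted resolver and the plain default‑resolver lookup stay quiet, which keeps the rule usable on hosts where nslookup is routinely used.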

ClickFix attacks rapidly evolving

ClickFix attacks have evolved quickly over the past year, with threat actors experimenting with new delivery tactics and payload types across multiple operating systems.

Earlier ClickFix campaigns relied on convincing users to execute PowerShell or shell commands directly on their systems. More recent campaigns have expanded beyond traditional web‑based payload delivery:

  • ConsentFix – abuses the Azure CLI OAuth app to hijack Microsoft accounts without a password and bypass MFA.
  • Threat actors are leveraging shared ChatGPT, Grok, and Claude Artifact pages to promote fake guides for ClickFix attacks.
  • A novel ClickFix attack promoted through Pastebin comments tricks cryptocurrency users into executing malicious JavaScript in their browsers, hijacking web‑application functionality rather than deploying malware.

These developments illustrate the growing diversity of vectors used in ClickFix attacks, including the first known attempts to execute JavaScript in the browser to hijack transactions.

