Why DNS is the New Frontier for ClickFix Attacks

Recently, a new variant of the notorious ClickFix attack has emerged. This version uniquely abuses DNS queries to deliver malicious payloads. While previous campaigns relied on HTTP downloads, this new method uses the nslookup command. Consequently, the attack blends in with legitimate network traffic, making detection significantly harder for standard security tools.

Cybercriminals prefer DNS because most organizations allow it through their firewalls without deep inspection. Therefore, by hiding malicious scripts within DNS responses, attackers can bypass many web-based filters. This shift represents a sophisticated leap in social engineering tactics.

Breaking Down the nslookup Infection Chain

The infection process starts when the user is tricked into executing a particular command using the Windows Run dialog box. The command might look like a legitimate one that the system checks or one that fixes a browser error. However, the command actually makes the computer query an attacker-controlled DNS server using the nslookup command.

After the query is sent to the malicious server, the server sends back a specially crafted response that contains a malicious PowerShell script embedded in the “NAME:” field. Afterward, the victim’s computer automatically parses and executes this script. This seamless process allows the malware to gain a foothold without the user ever downloading a traditional file. Moreover, the attackers can change the payload on their server at any time.

• Initial Lure: Fake browser errors or system update prompts.
• Malicious Command: Running nslookup against a rogue IP address.
• Payload Delivery: PowerShell scripts embedded in DNS responses.
• Execution: Immediate execution of the script via cmd.exe.

Meet ModeloRAT: The Silent Threat Behind the Screen

The last objective of this DNS-based attack is to install ModeloRAT. This Remote Access Trojan, or RAT, grants the attacker complete control over the compromised system. The malware performs an exhaustive reconnaissance of the system as well as the entire domain. It also makes itself persistent by creating hidden shortcuts in the Windows Startup folder.

This malware is extremely dangerous since it grants the attacker an opportunity to perform exhaustive spying and data theft activities. The attacker has the ability to steal keystrokes, credentials, as well as spread other forms of ransomware. The fact that it uses Python scripts ensures it evades most signature-based anti-virus tools. As such, it remains an active threat over time, allowing the attacker to utilize it as a backdoor.

Why Traditional Security Fails Against DNS Tunneling

Traditional security often focuses on monitoring web traffic and file downloads. However, this ClickFix variant operates entirely within the DNS protocol. Because DNS is a fundamental part of internet connectivity, many security systems treat it as inherently safe. As a result, malicious queries often pass through undetected. This technique is a form of DNS tunneling, which has historically been used for covert communication.

These new techniques are being used by attackers for carrying out mass market social engineering attacks. Earlier, this was being done by high-end state actors, but now, groups like KongTuke are using this against normal users. Moreover, the rate at which ClickFix is changing shows that attackers are learning from their mistakes. They are using this for carrying out attacks against AI platforms like ChatGPT and Claude.

Conclusion: When DNS Becomes the Payload Delivery Channel

This ClickFix evolution proves a dangerous shift, attackers no longer need a browser download to compromise a system. By persuading users to run a single nslookup command, they can pull malicious PowerShell straight from DNS responses and execute it immediately, blending into traffic most networks implicitly trust. 

Why This Threat Matters

DNS is everywhere, and that is why it is being abused.

• The infection chain starts with social engineering, not an exploit
• Payloads can be swapped server side at any time, without changing the lure
• Execution happens fast, often before traditional controls register file based indicators 

Why Most Organizations Are Exposed

Many environments still treat DNS as harmless plumbing.

If a user can be convinced to run a command from a fake error page or prompt, the attacker can deliver code through channels that are rarely inspected deeply. Once the final payload lands, a RAT like ModeloRAT can enable surveillance, credential theft, and follow on ransomware activity. 

Where Xcitium Changes the Outcome

For organizations using Xcitium Advanced EDR, this attack would NOT succeed.

• The unknown execution chain is intercepted at runtime
• The PowerShell stage can run without being able to cause damage
• The RAT cannot establish control, steal data, or set persistence because it cannot interact with the real system 

Reduce ClickFix Success at the Human Layer

Pair execution time protection with Xcitium Cyber Awareness Education and Phishing Simulation so users learn to pause and verify before running command prompts that claim to fix connectivity issues. 

Stop the DNS trick before it becomes a backdoor.