Malware & Threats

Microsoft Warns of ClickFix Attack Abusing DNS Lookups

Attackers are using DNS requests to deliver a RAT named ModeloRAT to targeted users.

DNS Vulnerabilities

Microsoft has warned users that threat actors are leveraging a new variant of the ClickFix technique to deliver malware.

The ClickFix attack method has been increasingly used in the past year by both cybercriminals and state-sponsored threat groups.

The attack involves attackers displaying a fake error message on a compromised or malicious site. The message instructs the target to address the issue by pressing specific keys, then performing additional steps (eg, running a command). By following the attacker’s instructions, the user unknowingly grants elevated permissions, downloads malware, or executes attacker-supplied scripts.

In a recent ClickFix attack observed by Microsoft the attacker asked targets to run a command that executes a custom DNS lookoup.

“The initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver. The output is filtered to extract the ‘Name:’ DNS response, which is executed as the second-stage payload,” Microsoft explained.

This tactic enables the attacker to reach their infrastructure and validate execution of the second-stage payload, increasing their chances of evading detection by blending malicious traffic into regular network traffic. 

The second-stage payload downloads and executes a malicious Python script designed for reconnaissance. The final payload is then dropped and a persistence mechanism is deployed.

Advertisement. Scroll to continue reading.

The final payload is a remote access trojan named ModeloRAT, which enables attackers to collect information about the compromised system and execute other payloads.

While Microsoft has not shared any information on the attacks, Huntress reported recently that a threat actor tracked as KongTuke had been deploying ModeloRAT through a ClickFix variant dubbed CrashFix. The campaign was aimed at corporate environments. 

Related: Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data

Related: RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India

Related: New ‘ZeroDayRAT’ Spyware Kit Enables Total Compromise of iOS, Android Devices

Related Content

Malware & Threats

Mistic is used by Woodgnat, an initial access broker working with Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

Mobile & Wireless

Offered as a MaaS to a small number of affiliates, mainly Russian speakers, the RAT can turn devices into residential proxy nodes.

Malware & Threats

The malware mimics the legitimate Anthropic installation, relies on DLL sideloading, and cleans up after itself.

Malware & Threats

The malware can spy on victims, steal their information, and make configuration changes on devices.

Malware & Threats

The malware steals credentials, installs a malicious browser extension, and can spread via USB drives.

Malware & Threats

The infection chain includes a fake CAPTCHA page, a Bash script, a Nuitka loader, and the Python-based infostealer.

Malware & Threats

Threat actors replace legitimate commands on the cloned installation webpages with malicious commands.

Malware & Threats

Android users were lured to applications that served a malicious payload hosted in a Hugging Face repository.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version