Threat actors are expanding the scope of ClickFix social engineering campaigns by leveraging DNS infrastructure to deliver malware, marking the first documented case of DNS being used as a payload delivery channel in this attack framework. The technique represents a significant evolution in evasion tactics, as it blends malicious activity into normal DNS traffic to bypass traditional network defenses.
ClickFix attacks evolve with DNS-based payload delivery
ClickFix campaigns typically rely on user interaction, instructing victims to manually execute malicious commands under the pretense of fixing errors, installing updates, or enabling required functionality. Historically, these attacks retrieved second-stage payloads via HTTP from attacker-controlled servers.
In a newly observed campaign, however, attackers replaced the traditional web-based delivery mechanism with a DNS-based staging method. According to researchers at Microsoft Threat Intelligence, victims are instructed to execute a command that performs a custom DNS lookup against an attacker-controlled name server rather than the system’s default DNS resolver.
Abuse of nslookup to execute malicious PowerShell
The attack instructs users to run a crafted nslookup command via the Windows Run dialog box. Instead of resolving a domain through legitimate infrastructure, the command queries a malicious DNS server. The response includes a specially crafted NAME: field containing an encoded PowerShell payload.
Once the DNS query completes, the returned data is parsed and executed via cmd.exe, triggering the second-stage PowerShell script directly on the victim’s device. This script then downloads additional malware components from attacker-controlled infrastructure.
By embedding malicious code within DNS responses, attackers can dynamically modify payloads without relying on conventional HTTP-based downloads. This approach increases operational flexibility while reducing the likelihood of detection by perimeter-based web filtering tools.
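The process chain described above (an interactive cmd.exe that runs nslookup against an explicit, non-default server and then spawns PowerShell) is something endpoint telemetry can surface directly. The following is an added detection example, not code from the article or from Microsoft Threat Intelligence. It runs over constructed, simplified Sysmon-style process-creation records (the `pid`, `ppid`, `image` and `cmdline` field names are assumptions about the log source), and the attacker server 203.0.113.7 and `attacker-controlled.example` are constructed placeholders.

```python
"""Hunt for the ClickFix DNS-staging process chain in process-creation telemetry.

Added example, not code from the article or from Microsoft Threat Intelligence.
Records use a constructed, simplified Sysmon-style shape (pid, ppid, image,
cmdline); the exact field names are an assumption about your log source.
"""
from collections import defaultdict

SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (not real telemetry). The first chain is the one the
# article describes: the Run dialog (explorer.exe) launches cmd.exe, which runs
# nslookup against an explicit, non-corporate server and then powershell.exe.
# The remaining events are benign look-alikes that must not be flagged.
EVENTS = [
    {"pid": 1200, "ppid": 900,  "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4001, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c [constructed placeholder for the pasted one-liner]"},
    {"pid": 4002, "ppid": 4001, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup check.attacker-controlled.example 203.0.113.7"},
    {"pid": 4003, "ppid": 4001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command [constructed placeholder]"},
    # Benign: an admin checks a record from a Run-dialog cmd prompt; no explicit
    # server argument and no shell child.
    {"pid": 5001, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 5002, "ppid": 5001, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup www.example.com"},
    # Benign: a scheduled script queries a public resolver; the parent is a
    # script host, not an interactive cmd.exe spawned by explorer.exe.
    {"pid": 6001, "ppid": 800,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\dnscheck.ps1"},
    {"pid": 6002, "ppid": 6001, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup www.example.com 8.8.8.8"},
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def nslookup_explicit_server(cmdline):
    """Return the server argument if nslookup was given one, else None.

    nslookup's non-interactive syntax is `nslookup [-opt ...] host [server]`;
    a second positional argument means the lookup bypassed the system resolver,
    which is the behaviour the article attributes to the pasted command.
    """
    tokens = cmdline.split()
    positional = [t for t in tokens[1:] if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def find_clickfix_dns_chains(events):
    """Return one finding per nslookup.exe that (a) names an explicit server,
    (b) was spawned by a cmd.exe that explorer.exe launched (Run dialog), and
    (c) has a PowerShell sibling under that same cmd.exe."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if image_name(e["image"]) != "nslookup.exe":
            continue
        server = nslookup_explicit_server(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not server or parent is None or image_name(parent["image"]) != "cmd.exe":
            continue
        grandparent = by_pid.get(parent["ppid"])
        interactive = grandparent is not None and image_name(grandparent["image"]) == "explorer.exe"
        shells = [c["pid"] for c in children[parent["pid"]] if image_name(c["image"]) in SHELLS]
        if interactive and shells:
            findings.append({"nslookup_pid": e["pid"], "server": server,
                             "cmd_pid": parent["pid"], "shell_pids": shells})
    return findings


if __name__ == "__main__":
    for f in find_clickfix_dns_chains(EVENTS):
        print(f)
```

The explicit-server check is the part that separates this from ordinary troubleshooting: a user typing `nslookup www.example.com` never flags, and a script host querying a public resolver does not either, because the parent is not an explorer-launched cmd.exe with a PowerShell child.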
Multi-stage infection chain and persistence mechanisms
Following execution, the PowerShell payload retrieves a ZIP archive containing a bundled Python runtime and malicious scripts. These scripts conduct reconnaissance on the compromised system and associated domain environment, collecting system information and preparing for long-term access.
Persistence is established through multiple mechanisms. The malware creates a VBScript file within the %APPDATA% directory and places a shortcut in the Windows Startup folder to ensure execution at every system reboot. This layered persistence technique allows the malware to survive restarts and maintain remote control.
The final payload deployed in this campaign is a remote access trojan (RAT) known as ModeloRAT, which provides attackers with full command-and-control capabilities over compromised endpoints.
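The persistence pair described above (a VBScript written under %APPDATA% plus a shortcut placed in the per-user Startup folder) leaves two file-creation events from the same process close together in time. The following is an added hunting example, not code from the article. It runs over constructed, simplified Sysmon "file created"-style records (the `ts`, `pid`, `image` and `path` field names are assumptions), and the file names and timestamps are constructed.

```python
"""Hunt for the VBScript-plus-Startup-shortcut persistence pair in file-creation telemetry.

Added example, not code from the article. Records use a constructed, simplified
Sysmon "file created"-style shape (ts, pid, image, path); field names are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# %APPDATA% resolves to ...\AppData\Roaming, and the per-user Startup folder
# lives underneath it. Both patterns are matched case-insensitively.
STARTUP_LNK = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
    re.I)
APPDATA_VBS = re.compile(r"\\AppData\\Roaming\\.*\.vbs$", re.I)
PAIR_WINDOW = timedelta(seconds=300)  # assumed: how close the two writes must be

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry). PID 5120 is the malicious
# pattern: one PowerShell process writes both files within seconds. The other
# events are benign singletons that must not be flagged.
FILE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "pid": 5120, "image": POWERSHELL,
     "path": r"C:\Users\alice\AppData\Roaming\svc_update.vbs"},
    {"ts": "2024-05-01T10:00:02", "pid": 5120, "image": POWERSHELL,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc_update.lnk"},
    # Benign: a vendor installer drops a tray-app shortcut, but no script.
    {"ts": "2024-05-01T11:15:00", "pid": 300, "image": r"C:\Program Files\Vendor\setup.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Tray.lnk"},
    # Benign: a user saves a .vbs under Roaming from Explorer, no shortcut.
    {"ts": "2024-05-01T12:30:00", "pid": 700, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\AppData\Roaming\notes\script.vbs"},
]


def find_startup_persistence(events, window=PAIR_WINDOW):
    """Return one finding per (vbs, lnk) pair written by the same PID within `window`."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    findings = []
    for pid, evs in by_pid.items():
        scripts = [e for e in evs if APPDATA_VBS.search(e["path"])]
        shortcuts = [e for e in evs if STARTUP_LNK.search(e["path"])]
        for s in scripts:
            for l in shortcuts:
                gap = abs(datetime.fromisoformat(s["ts"]) - datetime.fromisoformat(l["ts"]))
                if gap <= window:
                    findings.append({"pid": pid, "image": s["image"],
                                     "vbs": s["path"], "lnk": l["path"],
                                     "gap_seconds": gap.total_seconds()})
    return findings


if __name__ == "__main__":
    for f in find_startup_persistence(FILE_EVENTS):
        print(f)
```

Requiring both artifacts from one process keeps installers that legitimately add a Startup shortcut, and users who happen to save a script under Roaming, out of the results; either event alone is too common to alert on.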
Why DNS-based malware delivery is dangerous
Using DNS as a communication and staging channel introduces significant defensive challenges. DNS traffic is fundamental to network operations and often receives less scrutiny than HTTP or HTTPS traffic. By embedding malicious instructions within legitimate-looking DNS responses, attackers can blend into normal network noise.
This technique also enables rapid payload modification. Since the PowerShell code is delivered via DNS responses, operators can update the malicious script at the DNS server level without altering the client-side command issued by victims. This flexibility enhances evasion and adaptability during active campaigns.
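Because the client queries an attacker-controlled name server directly rather than the corporate resolver, and because the answer's owner name carries an encoded script rather than a hostname, DNS telemetry shows two anomalies at once: traffic to an unapproved resolver, and answer names whose labels are long, high-entropy and decode to text. The following is an added detection example, not code from the article or from Microsoft. It assumes a sensor that logs, per response, the client, the server the query went to, the queried name, the type and the owner name of the answer record (the value nslookup prints as "Name:"); the whitespace-separated log format, the approved-resolver list and the sample lines are constructed, and the "payload" is the base64 of a harmless string standing in for the encoded PowerShell the article describes.

```python
"""Flag DNS telemetry consistent with the DNS-staged ClickFix variant.

Added example, not code from the article or Microsoft. Assumes a sensor that logs
client, server, queried name, type and the answer record's owner name; the log
format, resolver list and sample lines below are constructed.
"""
import base64
import binascii
import math
from collections import Counter

APPROVED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}  # constructed: the site's own resolvers
MIN_LABEL = 20            # only long labels get the entropy / decode checks
ENTROPY_THRESHOLD = 4.0   # bits per character; real hostname labels sit well below

# Constructed stand-in for an encoded payload: base64 of a harmless command,
# placed in the answer owner name the way the article describes.
_ENCODED = base64.urlsafe_b64encode(b"Write-Output 'constructed benign sample'").decode().rstrip("=")

# Constructed log: ts client server qname qtype answer_owner_name
DNS_LOG = f"""\
10:00:01 10.0.0.15 10.0.0.2 www.example.com A www.example.com
10:00:03 10.0.0.15 203.0.113.7 check.attacker-controlled.example A {_ENCODED}.attacker-controlled.example
10:00:05 10.0.0.22 10.0.0.2 mail.example.com A mail.example.com
10:00:09 10.0.0.22 10.0.0.2 cdn-assets-7f3a.example.net A cdn-assets-7f3a.example.net
"""


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decodes_to_text(label):
    """True if the label is URL-safe base64 for non-empty printable ASCII."""
    padded = label + "=" * (-len(label) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (ValueError, binascii.Error):
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def suspicious_answer_name(name):
    """Reasons an answer owner name looks like carried data rather than a hostname."""
    reasons = []
    for label in name.split("."):
        if len(label) < MIN_LABEL:
            continue
        if shannon_entropy(label) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy-label")
        if decodes_to_text(label):
            reasons.append("label-decodes-to-text")
    return reasons


def analyze_dns_log(text, approved=APPROVED_RESOLVERS):
    """Return one finding per log line that hits at least one rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, qname, qtype, answer = line.split()
        reasons = []
        if server not in approved:
            reasons.append("unapproved-resolver")
        reasons += suspicious_answer_name(answer)
        if reasons:
            findings.append({"ts": ts, "client": client, "server": server,
                             "qname": qname, "answer": answer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_dns_log(DNS_LOG):
        print(f)
```

The resolver rule is the cheap, high-value one: on a network where workstations are only permitted to talk to internal resolvers, any port-53 traffic to another address is already worth a look, and it fires even if the operators change the encoding. The label checks add a second, content-based signal for environments where direct external DNS cannot simply be blocked.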
Rapid innovation in ClickFix attack techniques
ClickFix campaigns have evolved significantly over the past year, demonstrating increasing technical sophistication. Earlier variants focused primarily on direct PowerShell execution through socially engineered prompts. More recent iterations have expanded into cloud identity abuse and OAuth manipulation.
For example, a related campaign dubbed “ConsentFix” exploited the Azure CLI OAuth application to hijack Microsoft accounts without passwords and bypass multi-factor authentication controls. Additionally, attackers have begun leveraging AI-generated content platforms — such as shared pages on ChatGPT, Grok, and Claude — to distribute deceptive technical guides that encourage users to execute malicious commands.
The emergence of DNS-based payload delivery underscores a broader trend: attackers are continuously experimenting with unconventional channels to bypass security monitoring and endpoint detection systems. Organizations must enhance DNS logging, deploy advanced endpoint detection and response (EDR) solutions, and educate users against executing unsolicited system commands, particularly those presented as “fixes” for vague or urgent issues.
