Threat actors are now abusing DNS queries in ClickFix social engineering attacks to deliver malware, marking the first known use of DNS as a channel in these campaigns. Victims are tricked into running an nslookup against an attacker-controlled DNS server that returns a NAME field containing a PowerShell script which downloads additional payloads and ultimately installs the ModeloRAT remote access trojan. #ClickFix #ModeloRAT
Keypoints
- Attackers use DNS responses as a novel staging channel to deliver second-stage PowerShell payloads.
- Victims are instructed to run nslookup against an attacker-controlled DNS server, which returns a malicious NAME field.
- The PowerShell payload downloads a Python runtime and reconnaissance scripts, and establishes persistence via startup shortcuts and VBScript.
- The final payload observed in this campaign is the ModeloRAT remote access trojan, enabling remote control of infected systems.
- ClickFix campaigns are rapidly evolving, with recent variants abusing Azure CLI (ConsentFix), AI LLM pages, Pastebin, and in-browser JavaScript to broaden impact.
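As an added detection example (not code from the original report or from any vendor), the following Python scans constructed process-creation and DNS-answer telemetry for the two observables this campaign leaves behind: nslookup pointed at an explicit resolver outside the corporate allowlist, and a DNS answer whose NAME (or hostname-typed record data) is not a valid hostname or contains PowerShell tokens. The key=value log format, field names, resolver allowlist and all sample values are constructed assumptions.

```python
import re
import shlex
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.?$")  # shape of a legitimate NAME field
SCRIPT_TOKENS = re.compile(r"powershell|invoke-expression|\biex\b|downloadstring", re.I)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HOSTNAME_RDATA = {"CNAME", "PTR", "NS"}  # record types whose data must itself be a hostname

# Constructed sample telemetry in an assumed key=value format (not real campaign data).
SAMPLE_EVENTS = [
    'type=process image=C:\\Windows\\System32\\nslookup.exe cmdline="nslookup intranet.corp.test 10.0.0.53"',
    'type=process image=C:\\Windows\\System32\\nslookup.exe cmdline="nslookup verify.example.test 203.0.113.7"',
    'type=dns_answer rrtype=A name=intranet.corp.test rdata=10.0.0.20',
    'type=dns_answer rrtype=PTR name="powershell -w hidden -c <payload placeholder>" rdata=7.113.0.203.in-addr.arpa',
]

def parse_event(line):
    """Parse one key=value telemetry line; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def check_nslookup(ev, allowed_resolvers):
    """Flag nslookup pointed at an explicit resolver (2nd positional arg) outside the allowlist."""
    if not ev.get("image", "").lower().endswith("nslookup.exe"):
        return None
    positional = [a for a in shlex.split(ev.get("cmdline", ""))[1:] if not a.startswith("-")]
    if len(positional) >= 2 and positional[1].lower() not in allowed_resolvers:
        return ("nslookup_external_resolver", positional[1])
    return None

def check_dns_answer(ev):
    """Flag an answer whose NAME (or hostname-typed rdata) is not a hostname or reads like PowerShell."""
    candidates = [ev.get("name", "")]
    if ev.get("rrtype", "").upper() in HOSTNAME_RDATA:
        candidates.append(ev.get("rdata", ""))
    for value in candidates:
        if value and (not HOSTNAME_RE.match(value) or SCRIPT_TOKENS.search(value)):
            return ("dns_answer_carries_script", value)
    return None

def detect(lines, allowed_resolvers=frozenset({"10.0.0.53"})):
    """Run both checks over telemetry lines; return (rule, evidence) hits in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hit = check_nslookup(ev, allowed_resolvers) if ev.get("type") == "process" else check_dns_answer(ev)
        if hit:
            hits.append(hit)
    return hits
if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Only the allowlisted resolver and well-formed answers pass; the second nslookup and the PTR answer carrying script text are reported.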