Microsoft disclosed a new ClickFix variant that tricks users into running nslookup via the Windows Run dialog and cmd.exe to perform DNS-based staging and fetch a second-stage payload. The chain downloads a ZIP from azwsappdev[.]com that leads to a Python script, VBScript and ModeloRAT persistence, while related campaigns use CastleLoader, Lumma Stealer, RenEngine, and macOS stealers delivered via fake CAPTCHAs, ads, and AI-hosted instructions. #ClickFix #nslookup #ModeloRAT #LummaStealer #CastleLoader #GrayBravo
Keypoints
- Attackers abuse ClickFix social engineering to get victims to run nslookup commands that stage payloads via DNS.
- Staging the first stage over DNS rather than HTTP reduces reliance on web requests and helps the activity blend into normal traffic; the lookups still show up in resolver and DNS logs, and the process chain (Run dialog, i.e. explorer.exe, spawning a one-shot cmd.exe that spawns nslookup) is visible in process-creation telemetry.
- The observed chain downloads a ZIP from azwsappdev[.]com, runs a Python script, drops a VBScript, and installs ModeloRAT with Startup LNK persistence.
- CastleLoader and RenEngine loaders distribute Lumma Stealer and include checks for virtualization and security tools; CastleLoader is linked to threat actor GrayBravo.
- Campaigns target both Windows and macOS using fake CAPTCHAs, malvertising, compromised sites, sponsored AI links, and forged AppleScript/VBA techniques to deploy multiple stealers.
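The points above describe a chain that is easy to pick up in endpoint telemetry. The following is an added example, not code from the article, from Microsoft or from any of the malware families named here: a few detection rules run over constructed process-creation and file-creation records in a simplified Sysmon-like shape. The field names, paths, user name and sample domain are assumptions made for illustration, and the TXT-record check assumes the staged data rides in TXT records, which the summary above does not state.

```python
"""Rules for spotting the nslookup ClickFix chain in endpoint telemetry.

Added example, not code from the article, from Microsoft or from any of the
malware families named on the page. Field names, paths, the user name and the
sample domain are assumptions; the TXT-record check is an assumption too.
"""
import ntpath
import re

# Constructed sample telemetry (not real logs); one dict per event.
SAMPLE_EVENTS = [
    # 0: the ClickFix step. Text pasted into the Run dialog makes explorer.exe
    #    launch a one-shot "cmd.exe /c ..." which launches nslookup.
    {"event": "process_create",
     "image": r"C:\Windows\System32\nslookup.exe",
     "command_line": "nslookup -q=txt stage.example.invalid",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": "cmd.exe /c nslookup -q=txt stage.example.invalid"},
    # 1: benign. An admin types nslookup into an interactive shell.
    {"event": "process_create",
     "image": r"C:\Windows\System32\nslookup.exe",
     "command_line": "nslookup corp-dc01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": r'"C:\Windows\System32\cmd.exe"'},
    # 2: second stage. A Python interpreter and script both living under %TEMP%.
    {"event": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "command_line": r"python.exe C:\Users\alice\AppData\Local\Temp\st.py",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\py\python.exe C:\Users\alice\AppData\Local\Temp\st.py"},
    # 3: persistence. A shortcut written into the per-user Startup folder.
    {"event": "file_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"},
    # 4: benign. explorer.exe starting Notepad.
    {"event": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_command_line": "explorer.exe"},
]

ONE_SHOT_CMD = re.compile(r"\s/[ck]\s", re.IGNORECASE)  # "cmd.exe /c" or "/k"
TXT_QUERY = re.compile(r"-(?:q|querytype|type)=txt\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def rule_nslookup(ev):
    """nslookup started by a non-interactive cmd.exe, the Run-dialog pattern."""
    hits = []
    if ev["event"] != "process_create" or _base(ev["image"]) != "nslookup.exe":
        return hits
    if _base(ev["parent_image"]) == "cmd.exe" and ONE_SHOT_CMD.search(ev["parent_command_line"]):
        hits.append("nslookup_one_shot_cmd")
        if TXT_QUERY.search(ev["command_line"]):
            hits.append("nslookup_txt_query")  # assumed record type for staged text
    return hits


def rule_script_host(ev):
    """Script interpreter whose binary or script sits in a user-writable location."""
    if ev["event"] != "process_create" or _base(ev["image"]) not in SCRIPT_HOSTS:
        return []
    if USER_WRITABLE.search(ev["image"]) or USER_WRITABLE.search(ev["command_line"]):
        return ["script_host_from_user_dir"]
    return []


def rule_startup_lnk(ev):
    """Shortcut dropped into a Startup folder, i.e. logon persistence."""
    if ev["event"] == "file_create" and STARTUP_LNK.search(ev["target"]):
        return ["startup_lnk_created"]
    return []


def scan(events):
    """Return (index, [rule names]) for every event that at least one rule matches."""
    findings = []
    for i, ev in enumerate(events):
        hits = rule_nslookup(ev) + rule_script_host(ev) + rule_startup_lnk(ev)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```

Run as-is it reports events 0, 2 and 3 and stays quiet on the interactive nslookup and the Notepad launch. The one-shot `cmd.exe /c` check is what separates the Run-dialog chain from an administrator typing nslookup into an open shell; in real Sysmon data you would add the grandparent (explorer.exe) check via process GUIDs and correlate the nslookup event with the resolver log for the queried name.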
Read More: https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html