DNS-Based ClickFix Attack: How Hackers Weaponized nslookup

February 27, 2026 by Jonas Lejon
In February 2026, Microsoft disclosed a new variant of the ClickFix social engineering attack that abuses the Windows nslookup command to deliver malware entirely through DNS — no web requests needed.

How It Works

The attack chain is deceptively simple:

  1. Social engineering — A fake CAPTCHA or browser error page tricks the user into opening a Run dialog and pasting a command.
  2. DNS lookup — The pasted command runs nslookup against an attacker-controlled DNS server. The response contains a PowerShell payload hidden in the DNS NAME field.
  3. Payload execution — The PowerShell script downloads a ZIP archive containing a Python-based reconnaissance tool and drops a VBScript launcher.
  4. Persistence — The VBScript creates a shortcut in the Windows Startup folder, launching “ModeloRAT,” a Python-based remote access trojan, on every boot.

Why DNS Makes This Dangerous

By using DNS as a “lightweight staging and signaling channel,” the technique avoids HTTP/HTTPS requests entirely. Since DNS traffic is rarely inspected by endpoint security tools, firewalls, or antivirus software, the malicious activity blends in with normal network noise.

The victim essentially infects their own machine by running what appears to be a simple diagnostic command.

What You Can Do

  • Monitor DNS traffic — Deploy DNS-layer security that inspects query patterns and response content.
  • Restrict nslookup/PowerShell — Use application control policies to limit who can execute these tools.
  • User awareness — Train users to never paste commands from websites into their terminal or Run dialog.
  • Use a trusted DNS resolver — Ensure endpoints use managed DNS resolvers that log and filter suspicious responses.
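As an added illustration of the first and last points above (this is example detection logic written for this post, not code from Microsoft or from the reporting sources), the script below scans constructed resolver log lines and flags responses whose answer names carry script-like content instead of hostnames, or that were obtained from a resolver outside the managed set. The log format, resolver addresses, and sample lines are all assumptions.

```python
import re
from dataclasses import dataclass

# Managed resolvers endpoints are expected to use (constructed placeholders).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# A real hostname label is letters, digits, hyphens (underscore tolerated).
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
# Tokens that have no business appearing in a DNS NAME field.
SCRIPT_TOKENS = re.compile(
    r"\b(powershell|iex|invoke-expression|downloadstring|frombase64string|cmd\.exe)\b|\$\w+",
    re.IGNORECASE,
)
# Long base64-looking runs are a staging hint even without keywords.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")


@dataclass
class DnsEvent:
    client: str
    resolver: str
    qname: str
    answers: list[str]


def parse_line(line: str) -> DnsEvent:
    """Constructed TSV: ts, client, resolver, qname, rcode, comma-separated answers."""
    _ts, client, resolver, qname, _rcode, answers = line.rstrip("\n").split("\t")
    return DnsEvent(client, resolver, qname, answers.split(",") if answers else [])


def dns_event_findings(ev: DnsEvent) -> list[str]:
    """Return sorted, de-duplicated detection labels for one resolver log event."""
    findings = set()
    if ev.resolver not in TRUSTED_RESOLVERS:
        findings.add("untrusted-resolver")
    for answer in ev.answers:
        labels = answer.rstrip(".").split(".")
        if not all(HOSTNAME_LABEL.match(lbl) for lbl in labels):
            findings.add("non-hostname-chars")
        if SCRIPT_TOKENS.search(answer):
            findings.add("script-token-in-answer")
        if ENCODED_RUN.search(answer.replace(".", "")):
            findings.add("long-encoded-run")
    return sorted(findings)


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, qname, findings) for every event that raised at least one finding."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            findings = dns_event_findings(ev)
            if findings:
                alerts.append((ev.client, ev.qname, findings))
    return alerts


# Constructed sample log: two normal lookups, then a lookup sent to an outside
# resolver whose answer name is a command string rather than a hostname.
SAMPLE_LOG = (
    "2026-02-27T10:00:01Z\t10.0.5.20\t10.0.0.53\tlogin.example.com\tNOERROR\tlogin-cdn.example.com.\n"
    "2026-02-27T10:00:07Z\t10.0.5.20\t10.0.0.53\twww.example.net\tNOERROR\twww.example.net.\n"
    "2026-02-27T10:02:15Z\t10.0.5.20\t203.0.113.9\tverify.attacker-placeholder.example\tNOERROR\t"
    "powershell -nop -w hidden -c IEX(placeholder).attacker-placeholder.example.\n"
)
```

Running `scan(SAMPLE_LOG)` yields a single alert for the third line, tagged untrusted-resolver, non-hostname-chars and script-token-in-answer; the first two lines produce no findings.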

Attacks like ClickFix are a reminder that DNS security starts with choosing the right DNS provider. HostDNS provides secure, managed DNS hosting with built-in monitoring and protection.

Sources: The Hacker News, BleepingComputer