ClickFix DNS-based nslookup staging campaign
Campaign
Summary
Hide ▲
Show ▼
The ClickFix campaign has added DNS-based staging that uses nslookup in the Windows Run dialog to fetch and run a second-stage payload, making malicious execution look like routine troubleshooting. The chain can route through cmd.exe and a hard-coded external DNS server, reducing reliance on normal web requests and blending into ordinary traffic. That matters because it helps attackers bypass security controls by persuading victims to infect their own Windows systems. The same lure pattern has also been delivered through phishing, malvertising, and drive-by pages that imitate CAPTCHA or error-fix prompts.
Related Happenings
DriveSurge large-scale website-hijack malware distribution campaign
Campaign
H score41
First: 02.06.2026 01:14
Last: 02.06.2026 01:14
Sources 1
About this happening:
The **DriveSurge** campaign is redirecting visitors from **thousands of compromised websites** to **malware-delivery infrastructure**, creating a broad infection path through **Cl...
DriveSurge large-scale website-hijack malware distribution campaign
CampaignAbout this happening: The **DriveSurge** campaign is redirecting visitors from **thousands of compromised websites** to **malware-delivery infrastructure**, creating a broad infection path through **Cl...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
H score23
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware ActivityAbout this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
LofyGang Minecraft LofyStealer campaign
Campaign
H score38
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
LofyGang Minecraft LofyStealer campaign
CampaignAbout this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Hugging Face Spaces vsccode-modetx dropper campaign
Campaign
H score44
First: 16.04.2026 19:58
Last: 16.04.2026 19:58
Sources 1
About this happening:
The **April 12, 2026** campaign abusing **Hugging Face Spaces** broadened malicious delivery against AI platform users and increased the risk of stealthy payload execution. An att...
Hugging Face Spaces vsccode-modetx dropper campaign
CampaignAbout this happening: The **April 12, 2026** campaign abusing **Hugging Face Spaces** broadened malicious delivery against AI platform users and increased the risk of stealthy payload execution. An att...
LeakNet ClickFix compromised-website targeting campaign
Campaign
H score33
First: 17.03.2026 16:34
Last: 17.03.2026 16:34
Sources 1
About this happening:
The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...
LeakNet ClickFix compromised-website targeting campaign
CampaignAbout this happening: The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...
Timeline
-
15.02.2026 16:10 3 articles · 4mo ago
Microsoft discloses DNS-based ClickFix staging
Initial DisclosureMicrosoft disclosed a new ClickFix variation in which attackers use `nslookup` through the Windows Run dialog and `cmd.exe` to query a hard-coded external DNS server, filter the `Name:` DNS response, and execute it as a second-stage payload; the chain can then fetch a ZIP from `azwsappdev[.]com`, extract a malicious Python script, run reconnaissance and discovery commands, drop a VBScript for ModeloRAT, and create a Windows Startup-folder `LNK` for persistence.
Show sources
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10
- ClickFix Attacks Abuses DNS Lookup Command to Deliver ModeloRAT — www.darkreading.com — 17.02.2026 19:03