ClickFix DNS-based nslookup staging campaign

Campaign
Happening score: 39
2 unique sources, 2 articles

Summary

The ClickFix campaign has added DNS-based staging that uses nslookup in the Windows Run dialog to fetch and run a second-stage payload, making malicious execution look like routine troubleshooting. The chain can route through cmd.exe and a hard-coded external DNS server, reducing reliance on normal web requests and blending into ordinary traffic. That matters because it helps attackers bypass security controls by persuading victims to infect their own Windows systems. The same lure pattern has also been delivered through phishing, malvertising, and drive-by pages that imitate CAPTCHA or error-fix prompts.

Related Happenings

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

LofyGang Minecraft LofyStealer campaign

Campaign
First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

Hugging Face Spaces vsccode-modetx dropper campaign

Campaign
First: 16.04.2026 19:58 Last: 16.04.2026 19:58 Sources 1

About this happening: The **April 12, 2026** campaign abusing **Hugging Face Spaces** broadened malicious delivery against AI platform users and increased the risk of stealthy payload execution. An att...

LeakNet ClickFix compromised-website targeting campaign

Campaign
First: 17.03.2026 16:34 Last: 17.03.2026 16:34 Sources 1

About this happening: The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
First: 11.03.2026 00:57 Last: 11.03.2026 00:57 Sources 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

Timeline

  1. 15.02.2026 16:10 · 3 articles

    Microsoft discloses DNS-based ClickFix staging

    Initial Disclosure

    Microsoft disclosed a new ClickFix variation in which attackers use `nslookup` through the Windows Run dialog and `cmd.exe` to query a hard-coded external DNS server, filter the `Name:` DNS response, and execute it as a second-stage payload. The chain can then fetch a ZIP from `azwsappdev[.]com`, extract a malicious Python script, run reconnaissance and discovery commands, drop a VBScript for ModeloRAT, and create a Windows Startup-folder `LNK` for persistence.
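
A hunting heuristic for the staging step described in this entry, as an added example that is not taken from Microsoft's disclosure or from this page's sources. The approved-resolver list, the event tuple shape, and the sample command lines are constructed assumptions; map them to the process-creation fields your EDR or Sysmon export provides.

```python
import re

# Assumption: resolvers that endpoints are expected to query (constructed values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed process-creation events: (parent image, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", 'cmd.exe /c nslookup example.invalid 203.0.113.10 | findstr "Name:"'),
    ("explorer.exe", "cmd.exe /c nslookup intranet.corp.example"),
    ("powershell.exe", "nslookup -type=mx corp.example 10.0.0.53"),
    ("explorer.exe", "nslookup example.invalid 203.0.113.10"),
]

# nslookup plus its arguments, up to the first shell operator.
NSLOOKUP = re.compile(r"\bnslookup(?:\.exe)?\b(?P<args>[^|&<>]*)", re.I)
PIPED = re.compile(r"\bnslookup[^|]*\|", re.I)
VIA_CMD = re.compile(r"\bcmd(?:\.exe)?\b", re.I)

def explicit_server(cmdline):
    """Return the server argument of `nslookup name server`, or None."""
    m = NSLOOKUP.search(cmdline)
    if not m:
        return None
    positional = [t.strip('"') for t in m.group("args").split() if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None

def score_event(parent, cmdline):
    """List the traits of the described chain that this event shows."""
    if not NSLOOKUP.search(cmdline):
        return []
    reasons = []
    server = explicit_server(cmdline)
    if server and server not in APPROVED_RESOLVERS:
        reasons.append(f"explicit non-approved resolver {server}")
    if PIPED.search(cmdline):
        reasons.append("nslookup output piped into another command")
    if parent.lower() == "explorer.exe" and VIA_CMD.search(cmdline):
        reasons.append("cmd.exe under explorer.exe, consistent with the Run dialog")
    return reasons

def triage(events, threshold=2):
    """Keep events that show at least `threshold` traits together."""
    scored = ((cmd, score_event(parent, cmd)) for parent, cmd in events)
    return [(cmd, reasons) for cmd, reasons in scored if len(reasons) >= threshold]

if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

Each trait alone is common in administration, which is why the heuristic alerts only on their combination; tune the threshold and the resolver list to your environment.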