
ModeloRAT DNS-delivered malware staging

Malware Activity
H score 16
1 unique source, 1 article

Summary


ModeloRAT is now being delivered through a DNS-based staging chain, increasing the chance that malicious traffic blends into ordinary name-resolution activity. In the observed ClickFix operation, victims are told to run nslookup, which returns a malicious PowerShell payload from an attacker-controlled DNS server. That staged execution then installs additional malware and persistence components before deploying ModeloRAT for remote control of compromised systems.

Related Happenings

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Slopoly backdoor used in Interlock ransomware intrusion

Malware Activity
First: 12.03.2026 22:01 Last: 12.03.2026 22:01 Sources 1

About this happening: The **Slopoly** backdoor was identified in an **Interlock ransomware** intrusion after it kept a compromised server active for **more than a week** and enabled **data theft**. It...

A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2

Malware Activity
First: 10.03.2026 00:50 Last: 10.03.2026 00:50 Sources 1

About this happening: The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...

Python-based malware deployment with XWorm and Cobalt Strike tooling

Malware Activity
First: 23.02.2026 17:30 Last: 23.02.2026 17:30 Sources 1

About this happening: A **Python-based malware deployment** was uncovered on a **compromised Windows system**, exposing persistence, obfuscation, and credential-theft activity tied to **PayPal abuse**...

CRESCENTHARVEST Windows RAT and info-stealer activity

Malware Activity
First: 19.02.2026 10:13 Last: 19.02.2026 10:13 Sources 1

About this happening: The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...

Timeline

  1. 16.02.2026 02:29 2 articles · 3mo ago

    Microsoft discloses ClickFix campaign using DNS to deliver PowerShell

    Initial Disclosure

    Microsoft describes a new ClickFix campaign in which victims are told to run nslookup in the Windows Run dialog box. The custom DNS lookup to 84[.]21.189[.]20 returns a malicious PowerShell payload. Additional malware staging follows, with persistence through %APPDATA%\WPy64-31401\python\script.vbs and %STARTUP%\MonitoringService.lnk, and then deployment of the remote access trojan ModeloRAT for remote control of compromised systems.
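A triage sketch for the chain described in this entry, added here as an example and not taken from Microsoft's report or from this page's sources. It assumes process-creation and file-creation events exported as dictionaries with Sysmon-style field names (`CommandLine`, `ParentImage`, `TargetFilename`); the function names, the sample events and the `example.com` / `example.org` lookups are constructed for illustration.

```python
import ipaddress
import re

# Indicators taken from the timeline entry above; the resolver is stored defanged.
PAGE_RESOLVER = "84[.]21.189[.]20".replace("[.]", ".")
PERSISTENCE_SUFFIXES = (r"\wpy64-31401\python\script.vbs", r"\startup\monitoringservice.lnk")
SHELL_OPERATORS = {"|", "&", "&&", "||", ">", ">>"}

def nslookup_server(command_line):
    """Return the explicit resolver given to nslookup (second positional arg), or None."""
    tokens = command_line.replace('"', "").split()
    for i, tok in enumerate(tokens):
        if re.fullmatch(r"(.*\\)?nslookup(\.exe)?", tok, re.IGNORECASE):
            positional = []
            for arg in tokens[i + 1:]:
                if arg in SHELL_OPERATORS:
                    break
                if not arg.startswith("-"):  # skip options such as -type=txt
                    positional.append(arg)
            return positional[1] if len(positional) >= 2 else None
    return None

def is_public_ip(value):
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False

def triage(event):
    """Return a list of findings for one process-creation or file-creation event."""
    findings = []
    server = nslookup_server(event.get("CommandLine", ""))
    if server == PAGE_RESOLVER:
        findings.append("nslookup to resolver reported in this campaign")
    elif server and is_public_ip(server):
        findings.append("nslookup with explicit public resolver")
    if findings and event.get("ParentImage", "").lower().endswith(r"\explorer.exe"):
        findings.append("launched from explorer.exe (consistent with Run dialog)")
    target = event.get("TargetFilename", "").lower()
    if target.endswith(PERSISTENCE_SUFFIXES):
        findings.append("persistence path reported in this campaign")
    return findings

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "nslookup example.com " + PAGE_RESOLVER},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "nslookup -type=mx example.org"},
    {"TargetFilename": r"C:\Users\u\AppData\Roaming\WPy64-31401\python\script.vbs"},
]
```

The generic "explicit public resolver" finding will also fire on administrators who test against public DNS services, so it works best as a hunting lead correlated with the parent process and the persistence paths.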
