ClickFix nslookup-delivered ModeloRAT activity
Malware Activity
Summary
Hide ▲
Show ▼
The ClickFix infection chain now uses nslookup to deliver ModeloRAT, increasing the chance that Windows users will self-infect and hand attackers remote control. The updated method replaces older PowerShell and mshta abuse and helps malicious traffic blend into normal DNS activity. Microsoft said the activity has been ongoing since 2024 and was observed last week. The payload chain can end with hands-on access to compromised machines.
Related Happenings
StealC and Amadey infostealer infrastructure disruption
Malware Activity
H score69
First: 24.06.2026 18:25
Last: 24.06.2026 18:25
Sources 1
About this happening:
**StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
StealC and Amadey infostealer infrastructure disruption
Malware ActivityAbout this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
H score26
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor MetaAbout this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal Action
H score24
First: 19.05.2026 18:00
Last: 19.05.2026 18:00
Sources 1
About this happening:
Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal ActionAbout this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
H score34
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Node-ipc malicious versions with stealer/backdoor payload
Malware ActivityAbout this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Timeline
-
17.02.2026 19:03 2 articles · 4mo ago
ClickFix shifts to nslookup for ModeloRAT delivery
Technical Analysis UpdateMicrosoft observed ClickFix activity that uses nslookup instead of PowerShell or mshta to trigger a custom DNS lookup, fetch a ZIP archive, extract a malicious Python script, drop a Visual Basic Script, and execute ModeloRAT on Windows machines. Malwarebytes Labs described the same nslookup abuse as a way to smuggle instructions and malware through DNS while attackers keep using the fake CAPTCHA ClickFix lure and browser-delivered commands.
Show sources
- ClickFix Attacks Abuses DNS Lookup Command to Deliver ModeloRAT — www.darkreading.com — 17.02.2026 19:03
- ClickFix Attacks Abuses DNS Lookup Command to Deliver ModeloRAT — www.darkreading.com — 17.02.2026 19:03