Find notable cyber news and cases, enriched with sources, timelines, and signals.

ClickFix nslookup-delivered ModeloRAT activity

Malware Activity
First reported
Last updated
Happening score
H score 24
1 unique sources, 1 articles

Summary

Hide ▲

The ClickFix infection chain now uses nslookup to deliver ModeloRAT, increasing the chance that Windows users will self-infect and hand attackers remote control. The updated method replaces older PowerShell and mshta abuse and helps malicious traffic blend into normal DNS activity. Microsoft said the activity has been ongoing since 2024 and was observed last week. The payload chain can end with hands-on access to compromised machines.

Related Happenings

StealC and Amadey infostealer infrastructure disruption

Malware Activity
H score69 First: 24.06.2026 18:25 Last: 24.06.2026 18:25 Sources 1

About this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
H score26 First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
H score24 First: 19.05.2026 18:00 Last: 19.05.2026 18:00 Sources 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

Node-ipc malicious versions with stealer/backdoor payload

Malware Activity
H score34 First: 14.05.2026 20:22 Last: 14.05.2026 20:22 Sources 1

About this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...

Timeline

  1. 17.02.2026 19:03 2 articles · 4mo ago

    ClickFix shifts to nslookup for ModeloRAT delivery

    Technical Analysis Update

    Microsoft observed ClickFix activity that uses nslookup instead of PowerShell or mshta to trigger a custom DNS lookup, fetch a ZIP archive, extract a malicious Python script, drop a Visual Basic Script, and execute ModeloRAT on Windows machines. Malwarebytes Labs described the same nslookup abuse as a way to smuggle instructions and malware through DNS while attackers keep using the fake CAPTCHA ClickFix lure and browser-delivered commands.

    Show sources