
ClickFix nslookup-delivered ModeloRAT activity

Malware Activity
Happening score
H score 28
1 unique source, 1 article

Summary


The ClickFix infection chain now uses nslookup to deliver ModeloRAT, increasing the chance that Windows users will self-infect and hand attackers remote control. The updated method replaces older PowerShell and mshta abuse and helps malicious traffic blend into normal DNS activity. Microsoft said the activity has been ongoing since 2024 and was observed last week. The payload chain can end with hands-on access to compromised machines.

Related Happenings

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
First: 19.05.2026 18:00 Last: 19.05.2026 18:00 Sources 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

Node-ipc malicious versions with stealer/backdoor payload

Malware Activity
First: 14.05.2026 20:22 Last: 14.05.2026 20:22 Sources 1

About this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...

KongTuke Microsoft Teams initial access campaign

Campaign
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Timeline

  1. 17.02.2026 19:03 2 articles · 3mo ago

    ClickFix shifts to nslookup for ModeloRAT delivery

    Technical Analysis Update

    Microsoft observed ClickFix activity that uses nslookup instead of PowerShell or mshta to trigger a custom DNS lookup, fetch a ZIP archive, extract a malicious Python script, drop a Visual Basic Script, and execute ModeloRAT on Windows machines. Malwarebytes Labs described the same nslookup abuse as a way to smuggle instructions and malware through DNS while attackers keep using the fake CAPTCHA ClickFix lure and browser-delivered commands.
