Illustration of a DNS-based attack, showing a computer initiating an nslookup command to a malicious DNS server to retrieve a malware payload.

Unmasking ClickFix’s DNS Deception: A New Era of Stealthy Malware Staging


In a significant cybersecurity disclosure, Microsoft has shed light on an evolved version of the notorious ClickFix social engineering tactic. This latest iteration leverages Domain Name System (DNS) lookups, specifically the nslookup command, to retrieve next-stage malware payloads, marking a sophisticated shift in how threat actors bypass conventional security measures.

The Evolving Threat of ClickFix

ClickFix is a pervasive social engineering technique that preys on user trust, often delivered through phishing, malvertising, or drive-by downloads. Victims are typically redirected to deceptive landing pages featuring fake CAPTCHA verifications or instructions to resolve non-existent computer issues. The core of the attack lies in tricking users into manually executing commands via the Windows Run dialog or macOS Terminal, inadvertently infecting their own systems.

This method has proven remarkably effective over the past two years, enabling attackers to circumvent security controls by having victims initiate the infection process themselves. Its success has led to numerous variants, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix, each a testament to its adaptability and danger.

DNS as a Stealthy Staging Channel

How the New DNS-Based ClickFix Works

The Microsoft Threat Intelligence team detailed the mechanics of this novel DNS-based staging. “In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver,” Microsoft explained on X. The crucial step involves filtering the DNS response to extract the Name: field, which then executes as the second-stage payload.

This innovative approach utilizes DNS as a “lightweight staging or signaling channel,” allowing threat actors to communicate with their infrastructure and establish an additional validation layer before deploying the final payload. Microsoft emphasized that “Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic,” making detection significantly more challenging.
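A defender-side check for the pattern just described, written as an added example (not Microsoft's or Bitdefender's code): it scores constructed Sysmon-style process-creation records for an nslookup invocation that names its own resolver, a parent shell that filters the output for the Name: field, and a cmd.exe spawned from explorer.exe (the Run dialog). The event field names, the approved-resolver list and every hostname and IP address are assumptions or placeholders.

```python
import re
from pathlib import PureWindowsPath

# Assumed: resolvers this network legitimately uses. Any other server handed to
# nslookup as its second positional argument is a hard-coded external resolver.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# findstr [switches] "Name:" in the parent shell's command line
NAME_FILTER = re.compile(r'findstr(?:\.exe)?\s+(?:/\S+\s+)*"?Name:', re.IGNORECASE)

def explicit_nslookup_server(cmdline):
    """Return the server nslookup was told to query, or None if it uses the default
    resolver. Non-interactive form: nslookup [-option ...] host [server]."""
    tokens = [t.strip("\"'") for t in cmdline.split()]
    names = [PureWindowsPath(t).name.lower() for t in tokens]
    hits = [i for i, n in enumerate(names) if n in ("nslookup", "nslookup.exe")]
    if not hits:
        return None
    positional = [t for t in tokens[hits[0] + 1:] if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None

def assess(event):
    """Score one process-creation record; returns (is_suspicious, reasons)."""
    reasons = []
    server = explicit_nslookup_server(event.get("CommandLine", ""))
    external = bool(server) and server not in APPROVED_RESOLVERS
    if external:
        reasons.append(f"nslookup queries hard-coded resolver {server}, not the default")
    if NAME_FILTER.search(event.get("ParentCommandLine", "")):
        reasons.append("parent shell filters the DNS response for the Name: field")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    grandparent = PureWindowsPath(event.get("GrandparentImage", "")).name.lower()
    if parent == "cmd.exe" and grandparent == "explorer.exe":
        reasons.append("cmd.exe launched from explorer.exe, consistent with a Run-dialog paste")
    # The external resolver plus one more indicator keeps admin troubleshooting quiet.
    return (external and len(reasons) >= 2, reasons)

# Constructed sample records; hosts and IPs are documentation placeholders, not indicators.
EVENTS = [
    {"Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup mail.corp.example 10.0.0.53",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "GrandparentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup stage.example.invalid 198.51.100.23",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe /c nslookup stage.example.invalid 198.51.100.23 | findstr Name:",
     "GrandparentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(assess(ev))
```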

The ModeloRAT Attack Chain

Once the initial DNS-based payload is retrieved, it triggers a multi-stage attack. This chain involves downloading a ZIP archive from an external server (e.g., azwsappdev[.]com). Inside, a malicious Python script is extracted and executed, performing reconnaissance, running discovery commands, and ultimately dropping a Visual Basic Script (VBScript). This VBScript is responsible for launching ModeloRAT, a Python-based remote access trojan previously associated with CrashFix campaigns.

To ensure persistent access, the malware creates a Windows shortcut (LNK) file pointing to the VBScript within the Windows Startup folder. This guarantees that ModeloRAT automatically launches every time the operating system boots, maintaining a foothold on the compromised system.

The Lumma Stealer Connection: CastleLoader and Procedural Trust

Adding another layer of concern, Bitdefender has simultaneously reported a surge in Lumma Stealer activity, largely fueled by ClickFix-style fake CAPTCHA campaigns. These campaigns deploy an AutoIt version of CastleLoader, a malware loader linked to the threat actor GrayBravo (formerly TAG-150).

CastleLoader is designed with evasion in mind, incorporating checks for virtualization software and specific security programs before decrypting and launching the Lumma Stealer malware in memory. Beyond ClickFix, CastleLoader-based attacks often lure victims through websites offering cracked software and pirated movies, tricking them into downloading rogue installers or executables disguised as legitimate media files.

Other CastleLoader campaigns have been observed using fake NSIS installers, which execute obfuscated VBA scripts before loading Lumma Stealer via an AutoIt script. These VBA loaders also establish persistence through scheduled tasks.

Despite significant law enforcement efforts, Lumma Stealer operations have demonstrated remarkable resilience, rapidly adapting to new hosting providers and delivery techniques. Bitdefender highlights CastleLoader’s central role in the widespread dissemination of Lumma Stealer.

Intriguingly, a domain within CastleLoader’s infrastructure (testdomain123123[.]shop) was identified as a Lumma Stealer command-and-control (C2) server, suggesting potential collaboration or shared resources between the operators of these two malware families. Lumma Stealer infections are globally distributed, with India, France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada being among the most affected regions.

Why ClickFix Remains Effective

Bitdefender aptly summarizes the enduring success of ClickFix: “The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities.” The malicious instructions are often framed to resemble common troubleshooting steps or verification workarounds, making them appear legitimate to unsuspecting users. This psychological manipulation leads victims to manually execute arbitrary code, bypassing security layers that would otherwise prevent such actions.

It’s also worth noting that CastleLoader isn’t the sole distributor of Lumma Stealer. Campaigns dating back to March 2025 have also utilized another loader, dubbed RenEngine Loader, further illustrating the diverse and persistent nature of these threats.

