Hackers Use DNS To Deliver ClickFix Malware

Microsoft Threat Intelligence reports that attackers behind ClickFix social-engineering campaigns are now using DNS responses as a primary delivery channel, instructing victims to run an nslookup command that returns a PowerShell script in the DNS 'Name' field. The script downloads a Python runtime and installs ModelRAT, achieving persistence via startup files. Researchers note related variants like ConsentFix and Pastebin-distributed ClickFix, signaling evolving, cross-platform tactics.
Key Points
- 1Use DNS responses to deliver PowerShell scripts and Python runtime, executed via nslookup Run command
- 2Enable real-time payload updates and stealth by hiding code in DNS name fields, evading HTTP detection
- 3Require defenders to monitor DNS anomalies and restrict nslookup use, block malicious DNS servers
Scoring Rationale
High novelty and actionable guidance from Microsoft bolster credibility, but limited scope and shallow technical depth reduce broader impact.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems