DNS-based staging via ClickFix represents tactical evolution.

Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)

Campaign telemetry also discussed by Bitdefender and Kaspersky.

DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signaling

Detection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspection

Is your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.

#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis

Once-hobbled #LummaStealer is back with lures that are hard to resist

https://arstechnica.com/security/2026/02/once-hobbled-lumma-stealer-is-back-with-lures-that-are-hard-to-resist/

#malware #Castleloader #Lumma #cybersecurity

👾 #CastleLoader thrives on silence: obfuscation, staged payloads, rotating infrastructure.

⚠️ 28.7% infection rate using #ClickFix + fake GitHub repos. Targets logistics, government, and developers.

See how SOCs can fight back: https://any.run/malware-trends/castleloader/?utm_source=mastodon&utm_medium=post&utm_campaign=castleloader_mtt&utm_term=020226&utm_content=linktomtt

🚨 #CastleLoader attacks government agencies, compromising up to 400 devices at once

Its unusual process hollowing via an AutoIt3 script is hard for EDR to detect. See the malware exposed in real time: https://app.any.run/tasks/f4f33499-21b9-4423-9ed5-4e156648a4c4/?utm_source=mastodon&utm_medium=post&utm_campaign=castleloader_case&utm_term=220126&utm_content=linktoservice

👨‍💻 Read the analysis: https://any.run/cybersecurity-blog/castleloader-malware-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=castleloader_case&utm_term=220126&utm_content=linktoblog

#cybersecurity #infosec

📢⚠️ A new CastleLoader variant linked to at least 469 infections, hitting US government agencies and critical sectors across Europe.

Read: https://hackread.com/castleloader-variant-infections-critical-sectors/

#CyberSecurity #Malware #CastleLoader #USGov #Europe

🚨 #CastleLoader attacks government agencies, compromising up to 400+ devices at once.

Its unusual process hollowing via an AutoIt3 script is hard for EDR to detect.

See full analysis with extracted runtime config, C2s, and #IOCs 👇
https://any.run/cybersecurity-blog/castleloader-malware-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=castleloader_malware_analysis&utm_term=130126&utm_content=linktoblog

#cybersecurity #infosec

CastleLoader malware, known for Clickfix related attack, has been upgraded with a stealthy Python loader that helps it slip past security defenses.

Read: https://hackread.com/castleloader-malware-python-loader-bypass-security/

#CyberSecurity #Malware #InfoSec #CastleLoader #ClickFix