DNS-based staging via ClickFix represents tactical evolution.

Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)

Campaign telemetry also discussed by Bitdefender and Kaspersky.

DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signaling

Detection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspection

Is your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.

#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis

It's been a busy 24 hours in the cyber world with significant updates on the evolving "ClickFix" social engineering tactic, showing how attackers are getting creative with initial access and payload delivery. Let's take a look:

Evolving ClickFix Attacks: DNS Staging and Crypto Hijacks ⚠️

- Microsoft has detailed a new DNS-based ClickFix variant where victims are tricked into running `nslookup` commands, using DNS as a stealthy staging channel for payloads like ModeloRAT. This method blends malicious activity into normal network traffic, making detection harder.
- A separate, novel ClickFix campaign is leveraging Pastebin comments and Google Docs to socially engineer cryptocurrency users into executing malicious JavaScript directly in their browser. This allows attackers to hijack Bitcoin swap transactions and redirect funds to their wallets.
- These incidents highlight the evolving nature of ClickFix, moving beyond traditional OS-level command execution to sophisticated DNS staging and direct browser manipulation for financial theft, underscoring the critical need for user awareness and robust detection of procedural trust abuse.

📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/

#CyberSecurity #ThreatIntelligence #SocialEngineering #ClickFix #Malware #ModeloRAT #LummaStealer #CryptoScam #InfoSec #CyberAttack #IncidentResponse

New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan - https://www.redpacketsecurity.com/new-clickfix-variant-crashfix-deploying-python-remote-access-trojan/

#threatintel
#crashfix
#clickfix
#modelorat
#python-payload
#browser-extension

📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.

Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/

#CyberSecurity #Malware #ModeloRAT #ClickFix #CrashFix