ClickFix Attacks Abuse DNS Lookup Command to Deliver ModeloRAT
Summary
Microsoft and security researchers have observed ClickFix campaigns switching tactics to abuse the built-in nslookup DNS lookup command to deliver ModeloRAT, a Python-based remote access Trojan for Windows. Instead of using PowerShell or mshta, attackers now coax victims into running a crafted nslookup command whose DNS response text is parsed to retrieve instructions and the next-stage payload. The observed infection chain downloads a ZIP, extracts a malicious Python script, drops a Visual Basic Script, and ultimately runs ModeloRAT to give attackers hands-on control of infected machines.
The attacks start with social-engineering pages that present fake CAPTCHAs or urgent prompts, tricking users into copy-pasting commands from the browser. By moving to DNS lookups, attackers reduce reliance on web requests and blend activity into normal network traffic, evading traditional security controls that block obvious living-off-the-land commands like PowerShell.
Key Points
- Attackers now abuse nslookup to embed instructions in DNS responses and drive the next-stage payload retrieval.
- The observed chain: malicious nslookup > ZIP download > Python script extraction > VBS drop > ModeloRAT execution.
- Social engineering (fake CAPTCHAs, fake updates, countdowns) convinces users to paste commands into their systems, causing self-infection.
- Using DNS reduces dependence on HTTP(S) and helps attackers blend into normal network traffic, evading some defences.
- Basic user-hygiene mitigations—don’t copy-paste commands from web pages, verify instructions, and slow down when prompted—remain effective risk reducers.
Context and relevance
This evolution is part of a wider trend where adversaries pivot to abusing trusted OS tools and protocols (so-called living-off-the-land techniques) to get past detection. DNS has long been used for data exfiltration and C2, but embedding execution instructions in DNS responses is a notable twist that raises the bar for defenders. Organisations with remote or less-privileged users are particularly at risk, since the attack relies heavily on social engineering rather than zero-day exploits.
For security teams this matters because it shows attackers will keep shifting to less-monitored channels. Detection strategies should therefore include DNS monitoring, stricter controls on script execution, and user-facing defences such as education campaigns and disabling unnecessary client-side tools where feasible.
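As an added example (not code from the Dark Reading article or from Microsoft's research), the following Python check runs over constructed Sysmon-style process-creation events and flags the lineage pattern the chain above produces: nslookup launched from a user's shell and followed, within a short window, by a Python or Windows Script Host process descending from that same shell. The event fields, pids, timestamps and the `.invalid` domains are assumptions; a lone nslookup from an admin's separate shell is included to show it does not fire.

```python
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=10)

# Constructed Sysmon Event ID 1-style process-creation events; not real telemetry.
# Pids, timestamps and domains are invented for the example.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "pid": 100, "ppid": 4,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2025-01-10T09:05:10", "pid": 110, "ppid": 100, "image": "cmd.exe",      "cmdline": "cmd.exe"},
    {"ts": "2025-01-10T09:05:12", "pid": 120, "ppid": 110, "image": "nslookup.exe", "cmdline": "nslookup lookup.example.invalid"},
    {"ts": "2025-01-10T09:05:40", "pid": 130, "ppid": 110, "image": "python.exe",   "cmdline": "python.exe stage.py"},
    {"ts": "2025-01-10T09:05:45", "pid": 140, "ppid": 130, "image": "wscript.exe",  "cmdline": "wscript.exe drop.vbs"},
    # Benign: an admin resolving a host from a separate shell; no script host follows.
    {"ts": "2025-01-10T10:00:00", "pid": 300, "ppid": 100, "image": "cmd.exe",      "cmdline": "cmd.exe"},
    {"ts": "2025-01-10T10:00:05", "pid": 310, "ppid": 300, "image": "nslookup.exe", "cmdline": "nslookup intranet.example.invalid"},
]

def ancestors(pid, by_pid):
    """Return the set of ancestor pids of `pid` (excluding pid itself)."""
    out, seen = set(), set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        out.add(pid)
    return out

def detect_nslookup_chain(events, window=WINDOW):
    """Flag each nslookup run that is followed within `window` by a script host
    whose process lineage passes through the shell that launched nslookup."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for lk in events:
        if lk["image"].lower() != "nslookup.exe":
            continue
        shell = lk["ppid"]                      # the shell the user pasted into
        t0 = datetime.fromisoformat(lk["ts"])
        for e in events:
            if e["image"].lower() not in SCRIPT_HOSTS:
                continue
            dt = datetime.fromisoformat(e["ts"]) - t0
            if timedelta(0) <= dt <= window and shell in ancestors(e["pid"], by_pid):
                alerts.append((lk["pid"], e["pid"], e["image"]))
    return alerts

if __name__ == "__main__":
    for nslookup_pid, child_pid, image in detect_nslookup_chain(EVENTS):
        print("ALERT: nslookup pid=%d followed by %s pid=%d" % (nslookup_pid, image, child_pid))
```

In real telemetry, pair this lineage rule with DNS logs for the queried name so the nslookup event and the resolver's response can be reviewed together.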
Why should I read this?
Short version: it’s sneaky and it works. Attackers are using your own DNS tool as a courier for malware, and they trick people into running the command. If you look after users, endpoints or networks, knowing this trick could stop a breach. Read the bits on the infection chain and the simple mitigations — they’re the bits you can act on fast.
Author style
Punchy: this isn’t subtle — it’s a clear escalation in evasion tactics. The article flags an actionable change in attacker behaviour that should prompt immediate review of DNS monitoring, user guidance, and copy-paste practices across your estate.
Source
Source: https://www.darkreading.com/endpoint-security/clickfix-attacks-dns-lookup-command-modelorat
