malware | International | Heise Security

New ClickFix Malware Variant Uses DNS for ModeloRAT Distribution

Monday, February 16, 2026

What

A new ClickFix attack variant is actively distributing the ModeloRAT remote access trojan by abusing DNS queries. Victims are tricked into executing a seemingly harmless `nslookup` command. The attackers embed malicious code in the DNS responses; that code then downloads and installs the RAT, evading standard security tools.

Where

Primarily targets Windows environments globally: ClickFix attacks are based on social engineering, and ModeloRAT is a Windows RAT.

When

Recently disclosed by Microsoft's Threat Intelligence team.

Key Factors

  • The attack leverages social engineering to persuade victims to execute a crafted `nslookup` command, which then processes DNS responses containing malicious code.
  • This technique allows for evasion of traditional malware detection because DNS traffic is typically considered benign and less scrutinized than other network protocols.
  • The multi-stage infection chain ultimately deploys ModeloRAT, a remote access trojan, establishing persistence via startup links in Windows environments.

Takeaways

  • Educate users on the dangers of copying and pasting commands from untrusted sources, even if they appear to solve a problem.
  • Implement advanced DNS monitoring and analysis to detect anomalous query patterns or suspicious data within DNS responses.
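
One way to act on the DNS-monitoring takeaway, as an added example that is not from the original article or from Microsoft's report: a small triage pass that flags DNS response data that looks like a script or an encoded payload. The JSON-lines schema (`client`, `qname`, `answer`), the keyword list, the thresholds and the sample records are all assumptions constructed for illustration.

```python
import json
import re

# Assumed heuristics (not from the article): generic Windows script-host
# names, a long base64-looking run, and an oversized answer.
KEYWORDS = re.compile(
    r"\b(?:powershell|cmd|mshta|wscript|cscript|iex|invoke-expression)\b", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
MAX_LEN = 200
ALLOW = ("._domainkey.",)  # DKIM keys are legitimately long base64

# Constructed sample records in a hypothetical sensor schema.
SAMPLE = [
    {"client": "10.0.0.5", "qname": "example.com", "answer": "93.184.216.34"},
    {"client": "10.0.0.5", "qname": "example.com",
     "answer": "v=spf1 include:_spf.example.com ~all"},
    {"client": "10.0.0.5", "qname": "s1._domainkey.example.com",
     "answer": "v=DKIM1; p=" + "QUJD" * 50},
    {"client": "10.0.0.9", "qname": "a.example.net",
     "answer": "powershell -NoProfile -Command <placeholder>"},
    {"client": "10.0.0.9", "qname": "b.example.net", "answer": "QUJD" * 60},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE)

def score_answer(answer):
    """Return the reasons this response data looks like a payload."""
    reasons = []
    if KEYWORDS.search(answer):
        reasons.append("script-keyword")
    if B64_RUN.search(answer):
        reasons.append("base64-run")
    if len(answer) > MAX_LEN:
        reasons.append("oversized")
    return reasons

def find_suspicious(log_text):
    """Return (client, qname, reasons) for each flagged, non-allowlisted record."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        qname = rec.get("qname", "").lower()
        if any(marker in qname for marker in ALLOW):
            continue
        reasons = score_answer(rec.get("answer", ""))
        if reasons:
            hits.append((rec.get("client"), qname, reasons))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Flagged records are leads for review, not verdicts: pair them with endpoint telemetry showing which process issued the query, and extend the allowlist for other record types that legitimately carry long encoded data in your environment.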