malware | International | Security Affairs

Microsoft Alerts on DNS-Based ClickFix Variant Delivering ModeloRAT

Monday, February 16, 2026

What

A new ClickFix variant deceives users into running a malicious `nslookup` command through the Windows Run dialog to retrieve a second-stage payload via DNS. The approach uses DNS as a covert channel for payload delivery and signaling, which makes detection harder because the malicious activity blends in with normal network traffic.

Where

Windows systems globally are targeted.

When

Disclosed by Microsoft on February 13, 2026.

Key Factors

  • The ClickFix variant exploits DNS queries by having users execute `nslookup` against a hard-coded external server, parsing the `Name:` response for the next-stage payload.
  • This DNS-based staging acts as a lightweight signaling channel, allowing attackers to deliver payloads and add validation steps while reducing reliance on traditional web requests.
  • The final payload is ModeloRAT, a Python-based Remote Access Trojan, which establishes persistence by creating a shortcut in the Windows Startup folder.

Takeaways

  • Educate users on the dangers of executing unknown commands, especially those involving `nslookup` or appearing in unexpected dialogs.
  • Implement advanced DNS monitoring and filtering to detect anomalous DNS queries to non-standard or suspicious external servers.
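
An added example, not taken from Microsoft's or Security Affairs' reporting: a triage routine over process-creation events that flags `nslookup` invocations naming an explicit DNS server outside an approved set, and raises the verdict when the parent process is `explorer.exe` (the parent of commands started from the Run dialog). The event field names, the approved-resolver list and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: resolvers approved for direct queries in this environment (constructed values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Finds an nslookup invocation anywhere in a command line (bare, quoted, full path,
# or wrapped in cmd /c) and captures its arguments up to the next shell operator.
NSLOOKUP = re.compile(r"(?i)(?:^|[\s\"'/\\])nslookup(?:\.exe)?[\"']?\s+([^|&;<>]*)")


def nslookup_server(command_line):
    """Return the explicit DNS server passed to nslookup, or None.

    Syntax: nslookup [-option ...] [name | -] [server]. The second positional
    argument overrides the system resolver.
    """
    match = NSLOOKUP.search(command_line)
    if not match:
        return None
    tokens = [t.strip("\"'") for t in match.group(1).split()]
    # Options start with "-"; a bare "-" stands in for the name (interactive mode).
    positional = [t for t in tokens if t and (t == "-" or not t.startswith("-"))]
    return positional[1] if len(positional) >= 2 else None


def triage(event):
    """Return (verdict, server) for one process-creation event dict."""
    server = nslookup_server(event["command_line"])
    if server is None or server.lower() in APPROVED_RESOLVERS:
        return ("ok", server)
    # Commands typed into the Run dialog are started by explorer.exe.
    from_run = event["parent_image"].lower().endswith("\\explorer.exe")
    return ("high" if from_run else "review", server)


# Constructed sample events (documentation IP ranges and reserved domains).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd /c "nslookup check.example 203.0.113.10 | findstr Name:"'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"nslookup -retry=1 host.example 198.51.100.7"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\nslookup.exe" intranet.example'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"nslookup intranet.example 10.0.0.53"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), ev["command_line"])
```

Pair the process-side verdicts with resolver or firewall logs showing port 53 traffic from workstations to the same external addresses, since a command line alone does not confirm that the query left the network.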