malware | International | BleepingComputer
ClickFix Attack Abuses DNS for PowerShell Payload Delivery
Monday, February 16, 2026
What
Threat actors are now using a novel ClickFix attack variant that abuses DNS lookups to deliver malicious PowerShell scripts, marking a significant evolution in their evasion tactics. This technique allows for dynamic payload modification and blends with normal network traffic, making detection more challenging.
Where
Windows systems are targeted, with the campaign observed by Microsoft Defender researchers.
When
Disclosed on February 15, 2026.
Key Factors
- The attack instructs victims to run an `nslookup` command that queries an attacker-controlled DNS server to receive the second-stage payload.
- The DNS response's 'NAME:' field contains a malicious PowerShell script which is then executed to download further malware.
- The final payload is the ModeloRAT remote access trojan, establishing persistence and enabling remote control of compromised systems.
Takeaways
- Educate users on the dangers of executing unfamiliar commands, especially those involving `nslookup` or custom DNS servers, even when prompted by seemingly legitimate error messages.
- Implement robust endpoint detection and response (EDR) solutions capable of monitoring DNS queries and PowerShell script execution for anomalous behavior.
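One way to express the monitoring described in the second takeaway, as an added example that is not from the original article or from Microsoft Defender: it parses process-creation command lines and flags `nslookup` invocations that name a DNS server outside an approved list, raising severity when PowerShell is involved. The resolver allowlist, the event field names and the sample events are constructed assumptions.

```python
import re

# Assumption: resolvers sanctioned in your environment; replace with your own.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Split a command line into words and single-character shell operators,
# ignoring quotes so that commands nested inside "..." are still inspected.
TOKEN = re.compile(r"""[|&;<>()]|[^\s|&;<>()"']+""")
OPERATORS = set("|&;<>()")

def nslookup_server(command_line):
    """Return the explicit DNS server given to nslookup, or None.

    Syntax is `nslookup [-option ...] [host [server]]`; a lone "-" as the
    host (interactive mode with a chosen server) counts as a positional."""
    tokens = TOKEN.findall(command_line)
    for i, tok in enumerate(tokens):
        image = tok.lower().replace("\\", "/").rsplit("/", 1)[-1]
        if image not in ("nslookup", "nslookup.exe"):
            continue
        positional = []
        for arg in tokens[i + 1:]:
            if arg in OPERATORS:          # stop at a pipe, redirect, etc.
                break
            if arg == "-" or not arg.startswith("-"):
                positional.append(arg)
        if len(positional) >= 2:
            return positional[1]
    return None

def triage(event):
    """Return (severity, server) for a suspicious event, else None."""
    server = nslookup_server(event["cmdline"])
    if server is None or server.lower() in APPROVED_RESOLVERS:
        return None
    context = (event["parent"] + " " + event["cmdline"]).lower()
    severity = "high" if "powershell" in context or "pwsh" in context else "medium"
    return severity, server

# Constructed process-creation events (documentation-range names and IPs).
EVENTS = [
    {"parent": "explorer.exe", "cmdline": "cmd.exe /c nslookup intranet.example.invalid"},
    {"parent": "cmd.exe", "cmdline": "nslookup -type=mx example.invalid 10.0.0.53"},
    {"parent": "powershell.exe", "cmdline": "C:\\Windows\\System32\\nslookup.exe -q=txt check.example.invalid 203.0.113.45"},
    {"parent": "explorer.exe", "cmdline": "cmd.exe /c nslookup - 198.51.100.7"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev), "<-", ev["cmdline"])
```

Administrators do legitimately test against specific resolvers, so hits are triage leads to correlate with DNS logs and subsequent PowerShell activity rather than verdicts.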