Microsoft Reveals DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Microsoft has disclosed details of a new version of the ClickFix social engineering tactic where attackers trick unsuspecting users into running commands that perform a Domain Name System (DNS) lookup to find the next stage payload.
Specifically, the attack relies on using the “nslookup” command (short for nameserver lookup) to perform a custom DNS lookup launched through the Windows Run box.
ClickFix is a prevalent technique, typically delivered via phishing, malvertising, or drive-by download schemes, which redirect targets to bogus landing pages that present fake CAPTCHA verification or troubleshooting instructions for a non-existent problem on their computers. The instructions have the victim run a command via the Windows Run dialog box or the macOS Terminal application.
The technique has become widespread over the past two years because it has victims infect their own machines, which lets attackers sidestep security controls. Its success has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.
“In the latest DNS-based platform using ClickFix, the first command goes through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver,” the Microsoft Threat Intelligence team said in a series of posts on X. “The output is filtered to extract the `Name:` DNS response which is loaded as a secondary payload.”
Microsoft said this new version of ClickFix uses DNS as a “lightweight or signaling channel,” letting the threat actor reach infrastructure under its control and insert an additional layer of indirection before delivering the second-stage payload.
“Using DNS in this way reduces dependency on traditional web applications and can help integrate malicious activity into normal network traffic,” the Windows maker said.

The retrieved payload kicks off an attack chain that leads to the download of a ZIP archive from an external server (“azwsappdev[.]com”).
For persistence, a Windows shortcut (LNK) file pointing to a VBScript is created in the Windows Startup folder so that the malware is launched automatically every time the user logs in.
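The two behaviours described above, a Run-dialog command that stages its next step through nslookup against an external resolver and a shortcut dropped into the Startup folder, both leave process- and file-creation telemetry that a SOC can alert on. The following is an added example written for this article, not Microsoft's or the article's code. It assumes events shaped loosely like Sysmon process-creation (ParentImage, Image, CommandLine) and file-creation (Image, TargetFilename) records; the field names, the RFC 1918-style notion of an "internal" resolver, and every sample value are constructed for illustration.

```python
"""Detection heuristics for DNS-staged ClickFix and Startup-folder LNK persistence.

Added example (not Microsoft's or the article's code). Event shapes loosely
follow Sysmon process-creation and file-creation fields; all sample values
are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class FileEvent:
    image: str            # process that wrote the file
    target_filename: str


# Commands typed into the Run dialog are spawned by explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = SHELLS | {"wscript.exe", "cscript.exe", "mshta.exe"}

# nslookup <name> <server>: capture the arguments up to the next pipe/operator.
NSLOOKUP_RE = re.compile(r"nslookup(?:\.exe)?\s+(?P<args>[^|&()]*)", re.IGNORECASE)
# The response is filtered for its "Name:" line.
NAME_FILTER_RE = re.compile(r"\b(?:findstr|find|select-string|sls)\b[^|&]*name:", re.IGNORECASE)
# Per-user and all-users Startup folders both end in this path segment.
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Resolvers an enterprise host normally talks to live in these ranges (assumption);
# anything else is treated as an external, hard-coded server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def explicit_external_dns_server(command_line: str) -> Optional[str]:
    """Return the server IP when nslookup is given an explicit, non-internal
    resolver as its second positional argument; None otherwise."""
    m = NSLOOKUP_RE.search(command_line)
    if not m:
        return None
    positional = [a.strip("'\"") for a in m.group("args").split() if not a.startswith("-")]
    if len(positional) < 2:
        return None  # default system resolver: out of scope for this rule
    try:
        ip = ipaddress.ip_address(positional[1])
    except ValueError:
        return None  # server given as a hostname: leave to other rules
    return None if any(ip in net for net in INTERNAL_NETS) else positional[1]


def detect_dns_clickfix(ev: ProcessEvent) -> Optional[str]:
    """Flag a shell launched from the Run dialog that resolves a name through an
    external resolver and filters the answer on 'Name:'."""
    if basename(ev.parent_image) != RUN_DIALOG_PARENT or basename(ev.image) not in SHELLS:
        return None
    server = explicit_external_dns_server(ev.command_line)
    if server is None or not NAME_FILTER_RE.search(ev.command_line):
        return None
    return f"DNS-staged ClickFix: nslookup via external resolver {server} with 'Name:' filtering"


def detect_startup_lnk(ev: FileEvent) -> Optional[str]:
    """Flag a .lnk written into a Startup folder by a shell or script host
    (a user creating a shortcut there goes through explorer.exe instead)."""
    if STARTUP_LNK_RE.search(ev.target_filename) and basename(ev.image) in SCRIPT_HOSTS:
        return f"Startup persistence: {basename(ev.image)} wrote {ev.target_filename}"
    return None


def triage(proc_events: List[ProcessEvent], file_events: List[FileEvent]) -> List[str]:
    alerts = [a for a in map(detect_dns_clickfix, proc_events) if a]
    alerts += [a for a in map(detect_startup_lnk, file_events) if a]
    return alerts


# Constructed sample telemetry. 203.0.113.53 (TEST-NET-3) stands in for an
# attacker-controlled resolver; hostnames are placeholders.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c nslookup stage.example.invalid 203.0.113.53 | findstr Name:"),
    # Admin troubleshooting against the corporate resolver: same shape, internal server.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c nslookup intranet.corp.example 10.0.0.53 | findstr Name:"),
    # Plain lookup through the default resolver, no server argument.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c nslookup www.example.com"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"),
    FileEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(alert)
```

Run as-is, the script raises one alert for the external-resolver lookup and one for the script-host-written Startup shortcut, and stays quiet on the internal-resolver and default-resolver lookups. The internal-range allowlist is the knob to tune: an organisation that forwards to a specific public resolver should add it, otherwise the rule only keys on the explicit server argument combined with the `Name:` filter, which is exactly the combination Microsoft describes and is rare in legitimate troubleshooting.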
The disclosure comes as Bitdefender has warned of increased Lumma Stealer activity, driven by ClickFix-style phishing campaigns using the AutoIt version of CastleLoader, a malware loader associated with a threat actor called GreyBravo (formerly TAG-150).
CastleLoader checks for the presence of virtualization software and certain security products before decrypting the stealer and injecting it into memory. Besides ClickFix, websites advertising cracked software and pirated movies serve as lures for CastleLoader attack chains, tricking users into downloading malicious executables or installers masquerading as MP4 media files.

Some CastleLoader campaigns have also used websites offering cracked software downloads as the starting point for distributing a fake NSIS installer, which runs obfuscated VBA scripts before executing the AutoIt script that loads Lumma Stealer. The VBA loader is also responsible for establishing persistence.
“Despite significant law enforcement disruption efforts in 2025, Lumma Stealer’s activity has continued, showing resilience by quickly moving to new hosting providers and adopting alternative upload and delivery methods,” the Romanian cybersecurity firm said. “At the heart of these campaigns is CastleLoader, which plays a key role in helping Lumma Stealer spread through supply chains.”
Interestingly, one of the domains in the CastleLoader infrastructure (“testdomain123123[.]shop”) is flagged as a Lumma Stealer command-and-control (C2) server, indicating that the operators of the two malware families are either working together or sharing service providers. Most Lumma Stealer infections have been recorded in India, followed by France, the US, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.
“The effectiveness of ClickFix lies in its abuse of process trust rather than a technical vulnerability,” Bitdefender said. “The instructions are similar to troubleshooting steps or authentication methods that users may have encountered before. As a result, victims often fail to realize that they are running malicious code on their system.”
CastleLoader is not the only loader used to distribute Lumma Stealer. Campaigns observed as early as March 2025 used another loader called RenEngine Loader, with the malware distributed under the guise of game cheats and cracked software such as the CorelDRAW graphics editor. In these attacks, the loader paves the way for a second loader called Hijack Loader, which then drops Lumma Stealer.
According to data from Kaspersky, the RenEngine Loader attack mainly affected users in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France as of March 2025.

The development coincides with the emergence of various campaigns using social engineering lures, including ClickFix, to deliver a variety of stealers and other malware:
- A macOS campaign that uses phishing and deceptive tactics to deliver Odyssey Stealer, a rebrand of Poseidon Stealer, itself a fork of Atomic macOS Stealer (AMOS). The stealer harvests data from 203 browser wallet extensions and 18 desktop wallet applications to facilitate cryptocurrency theft.
- “Apart from data theft, Odyssey functions as a full-fledged remote access trojan,” Censys said. “LaunchDaemon persistently polls C2 every 60 seconds for commands, supports arbitrary shell execution, reinstallation, and a SOCKS5 proxy to siphon traffic through victim machines.”
- A ClickFix attack chain targeting Windows systems that uses fake CAPTCHA verification pages on legitimate-but-compromised websites to trick users into running PowerShell commands that install the StealC stealer.
- An email phishing campaign that uses a malicious SVG file inside a password-protected ZIP archive to instruct the victim to run a PowerShell command via ClickFix, leading to the deployment of an open-source .NET infostealer called Stealerium.
- A campaign that abuses the public sharing feature of generative artificial intelligence (AI) services such as Anthropic Claude to host malicious ClickFix instructions for performing various tasks on macOS (e.g., “online DNS resolver”), and distributes the links via sponsored results on search engines such as Google to deliver Atomic Stealer and MacSync Stealer.
- A campaign that directs users searching for “macOS cli disk space analyzer” to a fake Medium article impersonating the Apple Support Team, tricking them into following ClickFix instructions that deliver the next-stage stealer payloads from an external server, “raxelpak[.]com.”
- “The C2 domain raxelpak[.]com has a URL history going back to 2021, when it appears to have hosted an e-commerce site for safety clothing,” said MacPaw’s Moonlock Lab. “Whether the domain was stolen or expired and re-registered by [the threat actor] is unclear, but it is consistent with a broader pattern of using old domains and their existing reputations to avoid detection.”
- A variation of the same campaign hosted ClickFix instructions for installing Homebrew on Claude and Evernote share links promoted via sponsored results, in order to install stealer malware.
- “The ad shows a real, well-known domain (claude.ai), not a fake website,” AdGuard said. “Clicking on the ad leads to Claude’s original page, not a phishing copy. The result is clear: Google ads + a well-known and trusted platform + technical users with a high downstream effect = a powerful vector for the spread of malware.”
- A macOS email phishing campaign that urges recipients to download and run an AppleScript file to fix a purported issue, leading to the deployment of another AppleScript designed to steal credentials and retrieve additional JavaScript payloads.
- “The malware does not grant permissions itself; instead, it spoofs TCC approval of trusted Apple-signed binaries (Terminal, osascript, Script Editor, and bash) and performs malicious actions on these binaries to gain their permissions,” Darktrace said.
- A ClearFake campaign that uses fake CAPTCHA prompts on compromised WordPress sites to trigger the execution of an HTML Application (HTA) file and deliver Lumma Stealer. The campaign is also known to use malicious JavaScript injections that employ a technique known as EtherHiding to query a smart contract on the BNB Smart Chain and download payloads hosted on GitHub.
- EtherHiding offers attackers several advantages, allowing malicious traffic to blend in with legitimate Web3 activity. Because the blockchain is immutable and decentralized, it also provides resilience against takedown attempts.
A recent analysis published by Flare found that threat actors are increasingly targeting Apple macOS with infostealers and sophisticated tools.
“Almost all macOS stealers prioritize stealing cryptocurrency above all else,” the company said. “This laser focus reflects an economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant amounts in software wallets. Unlike bank accounts, crypto transactions are irreversible. When seed phrases are compromised, funds disappear forever without recourse.”
“The assumption that ‘Macs don’t get viruses’ is not only outdated but very dangerous. Organizations with Mac users need the ability to detect macOS-specific TTPs: unsigned apps that request passwords, random Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns that target Keychain and browser storage.”