A new evolution of the ClickFix social engineering campaign has emerged, introducing a stealthy DNS-based staging technique to deploy malware while evading traditional security detection.
Security researchers have identified a variant that manipulates DNS lookups as part of the infection chain, transforming ordinary network traffic into a covert malware delivery channel.
How the ClickFix Campaign Works
ClickFix attacks rely heavily on social engineering. Victims are tricked into believing there is a technical issue with their system through:
- Fake CAPTCHA verification errors
- Bogus “Fix this issue” prompts
- Simulated browser crash messages
- Malicious pop-ups on compromised websites
Earlier versions, including CrashFix, used urgency tactics such as fake browser crashes. However, this latest version adopts a more technical and stealth-oriented approach.
Instead of immediately downloading malware, victims are instructed to:
- Copy a provided script
- Paste it into the Windows Run dialog or PowerShell
- Execute the command themselves
By convincing users to initiate the attack manually, the campaign bypasses many automated defenses.
The New DNS Hijacking Technique
The standout feature of this new ClickFix variant is its abuse of the Domain Name System (DNS).
Once the victim executes the malicious command:
- The script launches cmd.exe
- It performs a DNS lookup against an attacker-controlled server
- Instead of going through the system's default resolver, it directs the lookup at a specific attacker-chosen external domain
Here’s where it gets clever.
The script extracts the “Name:” field from the DNS response. However, this field does not contain a legitimate hostname. Instead, it embeds encoded instructions — the second-stage malware payload.
The system immediately executes this embedded code.
This transforms DNS into a lightweight staging channel that:
- Verifies that the target is active
- Delivers payload instructions dynamically
- Avoids downloading obvious malicious binaries upfront
Because DNS traffic is present in virtually every network environment, it blends seamlessly with normal operations, significantly reducing detection likelihood.
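The staging behaviour described above leaves a recognisable trace on the endpoint: resolver output in which the answered name is not a hostname at all, returned by a server that is not the organisation's resolver. The following Python is an added example (not code from the article or from Microsoft) that applies those two checks to nslookup-style output. The approved resolver addresses, the entropy threshold and the sample output, including the encoded-looking labels, are all constructed for the illustration.

```python
import math
import re

# Assumption for the example: these are the organisation's sanctioned resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing
# hyphen, at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

ENTROPY_THRESHOLD = 3.5  # bits per character; encoded blobs typically sit above this
LONG_LABEL = 20          # only score labels long enough for entropy to be meaningful


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_nslookup(text):
    """Yield (resolver_address, answered_name) pairs from nslookup-style output.

    A 'Server:' line is followed by the resolver's 'Address:' line; every later
    'Name:' line is an answer obtained from that resolver.
    """
    server = None
    expect_server_addr = False
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "server":
            server = value
            expect_server_addr = True
        elif key == "address" and expect_server_addr:
            server = value.split("#")[0]  # some builds print "10.0.0.53#53"
            expect_server_addr = False
        elif key == "name" and value:
            expect_server_addr = False
            yield server, value


def assess_name(server, name):
    """Return the reasons an answer looks like staging rather than name resolution."""
    reasons = []
    if server not in APPROVED_RESOLVERS:
        reasons.append("non-approved resolver")
    for label in name.rstrip(".").split("."):
        if not LABEL_RE.match(label):
            reasons.append("invalid hostname label: %r" % label)
        elif len(label) >= LONG_LABEL and shannon_entropy(label) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy label: %r" % label)
    return reasons


def find_suspicious_answers(text):
    """Run the heuristics over nslookup output and return the flagged answers."""
    findings = []
    for server, name in parse_nslookup(text):
        reasons = assess_name(server, name)
        if reasons:
            findings.append({"server": server, "name": name, "reasons": reasons})
    return findings


# Constructed sample: one ordinary lookup via the corporate resolver, then two
# answers from an external server whose Name: field carries encoded-looking data.
SAMPLE_OUTPUT = """\
Server:  corp-dns.example.internal
Address:  10.0.0.53

Non-authoritative answer:
Name:    www.example.com
Address:  93.184.216.34

Server:  203.0.113.10
Address:  203.0.113.10

Name:    aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.staging.example
Address:  203.0.113.20

Name:    a2V5PXZhbHVl=.staging.example
Address:  203.0.113.20
"""

if __name__ == "__main__":
    for finding in find_suspicious_answers(SAMPLE_OUTPUT):
        print(finding)
```

The first answer passes both checks; the second is flagged for a non-approved resolver and a long high-entropy label, and the third for the same resolver plus a label containing a character no hostname may carry. In practice the same two checks can be applied to resolver logs or DNS packet captures rather than to the text output of nslookup.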
Second-Stage Payload and Python Deployment
Researchers from Microsoft Defender observed that after the DNS stage:
- A ZIP file is downloaded
- The archive contains a portable Python runtime bundle
- A malicious Python script is executed
The Python-based malware performs:
- Host reconnaissance
- Domain environment mapping
- System profiling
This information allows attackers to assess the compromised system before deploying heavier payloads.
Persistence Mechanisms
To maintain access, the malware establishes persistence using classic Windows techniques:
- Drops a malicious VBScript file
- Creates a shortcut named MonitoringService.lnk
- Places it inside the Windows Startup folder
This ensures the malware executes automatically each time the system reboots.
Final Payload: ModeloRAT
The final stage of the attack deploys a Remote Access Trojan (RAT) identified as ModeloRAT.
This RAT enables attackers to:
- Execute remote commands
- Exfiltrate data
- Maintain long-term control over the system
- Move laterally across networks
Microsoft Defender Antivirus detects this campaign under the signature:
Trojan:Win32/ClickFix.R!ml
Why This Attack Is Dangerous
This evolution of ClickFix represents a significant shift in attacker tradecraft:
- ✅ Uses DNS as a covert command channel
- ✅ Blends with legitimate traffic
- ✅ Requires user execution (bypasses automated sandboxing)
- ✅ Deploys Python-based modular payloads
- ✅ Establishes reliable persistence
By abusing trusted protocols and leveraging social engineering, attackers reduce their visibility while maintaining flexibility in payload delivery.
How to Protect Against DNS-Based Malware Campaigns
Organizations should implement:
- DNS traffic monitoring and anomaly detection
- Endpoint detection and response (EDR) solutions
- Blocking of unsigned PowerShell and script execution
- User awareness training against “copy-paste fix” scams
- Monitoring Startup folder modifications
Security teams should also inspect unusual DNS responses containing suspicious or encoded data in response fields.
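The infection chain described in this article has three endpoint observables that the recommendations above ask teams to watch for: an nslookup aimed at a server other than the corporate resolver, a Python interpreter running from a user-writable location, and a shortcut or VBScript written into the Startup folder. The following Python is an added example (not code from the article, Microsoft or any EDR product) that evaluates those three rules over constructed process-creation and file-creation events. The event schema, the approved resolver addresses and the path patterns are assumptions made for the illustration; the shortcut name MonitoringService.lnk is the one reported in the article.

```python
import re

# Assumption for the example: the organisation's sanctioned resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Per-user Startup folder, matched case-insensitively on the path suffix.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Locations an ordinary user can write to without elevation (assumed list).
USER_WRITABLE_RE = re.compile(r"\\(appdata\\local\\temp|downloads|temp)\\", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def explicit_nslookup_server(cmdline):
    """Return the server argument if cmdline runs nslookup with one, else None.

    nslookup takes positional arguments NAME [SERVER]; anything starting with
    '-' is an option and is skipped.
    """
    tokens = [t.strip('"') for t in cmdline.split()]
    try:
        i = next(idx for idx, t in enumerate(tokens)
                 if basename(t) in ("nslookup", "nslookup.exe"))
    except StopIteration:
        return None
    positional = [t for t in tokens[i + 1:] if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def evaluate(events):
    """Apply the three rules and return (rule, subject, detail) alerts."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            image = basename(e["image"])
            parent = basename(e["parent"])
            if image == "nslookup.exe":
                server = explicit_nslookup_server(e["cmdline"])
                if server and server not in APPROVED_RESOLVERS:
                    alerts.append(("dns-staging-lookup", e["cmdline"],
                                   "explicit non-approved server %s under %s" % (server, parent)))
            if image in ("python.exe", "pythonw.exe") and USER_WRITABLE_RE.search(e["image"]):
                alerts.append(("python-from-user-writable-path", e["image"],
                               "interpreter launched by %s" % parent))
        elif e["type"] == "file":
            if STARTUP_DIR_RE.search(e["path"]) and e["path"].lower().endswith((".lnk", ".vbs")):
                alerts.append(("startup-persistence", e["path"],
                               "written by %s" % basename(e["image"])))
    return alerts


# Constructed telemetry: benign and suspicious events side by side.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "nslookup -type=txt check.staging.example 203.0.113.10"},
    {"type": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "nslookup intranet.example.internal 10.0.0.53"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\runtime\python.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "python.exe recon.py"},
    {"type": "process", "image": r"C:\Program Files\Python312\python.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "python.exe notebook.py"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\runtime\python.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MonitoringService.lnk"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately narrow so that a single match is meaningful on its own; correlating all three on one host within a short window is the higher-confidence signal, and the Startup-folder rule is also the natural place to add a check for the VBScript the article says is dropped alongside the shortcut.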
Final Thoughts
The latest ClickFix variant demonstrates how threat actors continuously refine techniques to evade detection. By converting DNS into a stealth staging mechanism, attackers are turning one of the internet’s most trusted protocols into a malware delivery channel.
As cybercriminal campaigns grow more sophisticated, proactive monitoring and user education remain critical defensive layers.