
Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Microsoft and other security leaders sounded the alarm on a dangerous evolution of the ClickFix campaign. This tactic, which first appeared in 2024, tricks users into manually running malicious commands under the guise of "fixing" a website error or passing a security check. The latest version is far more aggressive and harder to spot: it doesn't just wait for an error to happen, it creates one. By intentionally crashing a user's browser, hackers create a moment of frustration and urgency, then offer a "one-click fix" that actually hands over total control of the computer to the attackers.


The Innovation: Hiding in Internet "Background Noise"

The most significant change in 2026 is how these hackers hide their tracks. Instead of downloading a virus from a suspicious website, which most security software would block, they use DNS, the basic system that translates web addresses into IP addresses. By hiding their malicious code inside "TXT records" (a routine part of DNS traffic), they can sneak their payload into a company's network disguised as normal internet "chatter." They even abuse a legacy Windows tool called finger.exe (originally for looking up user information) to fetch their viruses on old-fashioned ports that many modern firewalls simply ignore.


The Attack: How "CrashFix" Traps a User

The trap often begins with a fake browser extension, such as a counterfeit version of uBlock Origin Lite. Once installed, it waits silently for an hour before intentionally freezing the browser. When the user relaunches it, a professional-looking "CrashFix" window pops up, claiming there's a security issue and providing instructions to "Fix It." The user is told to press a keyboard shortcut (Win+R) and paste a command from their clipboard. Because the user is following "repair" instructions for a real crash they just experienced, they are much more likely to trust the process, unknowingly pasting a command that reaches out to the hacker's DNS server to pull down a hidden virus called ModeloRAT.


The Fallout: Targeted Attacks on Business

This isn't just a problem for home users. The 2026 ClickFix campaign "plays favorites," identifying when a computer belongs to a large corporation or bank. While home users might get annoying ads, corporate employees are served high-level spy tools designed to steal company files and banking credentials. This has already led to successful attacks on financial executives and the theft of private cryptocurrency keys. Because the attack is "fileless", meaning it runs entirely in the computer's memory without saving a malicious file to the hard drive, traditional antivirus programs often miss it entirely.


Protecting Your Organization

Defending against ClickFix requires a mix of technical blocks and employee training. Organizations should treat any request to manually "paste and run" a command as a massive red flag.

  • For IT Teams: The most effective defense is disabling the Windows "Run" dialog for regular employees. If they can't open that box, the attack fails. You should also block outbound traffic on "Port 79" (the Finger protocol) and monitor your DNS logs for unusually large or strange-looking text responses.

  • For Employees: Remember that no legitimate website or browser extension will ever ask you to copy and paste a command into a Windows box to fix an error. If your browser crashes and immediately offers a "manual fix" via a command, it is a trap.

  • Security Upgrades: Switching to Passkeys or physical security keys can stop hackers from using stolen session tokens, as these modern locks are tied directly to your physical device.
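As an added illustration of the DNS-log monitoring advice above, the following Python script is example code written for this page, not tooling from Microsoft or from the site's authors. It scans resolver log lines for TXT answers that are oversized or look like opaque encoded data rather than the usual SPF/DMARC/DKIM policy text, which is the "unusually large or strange-looking text responses" signal the IT-team guidance describes. The log line format, the client addresses, the `stage.c2-placeholder.invalid` domain and the base64 "blob" answer are all constructed for the example; a real deployment would need a parser for its own DNS server's log syntax.

```python
import base64
import math
import random
import re
from collections import Counter
from dataclasses import dataclass

# Prefixes of the TXT record types normally seen in corporate DNS traffic
# (SPF, DMARC, DKIM and common domain-ownership verification strings).
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=", "MS=")

# A simplified key=value resolver-log format, constructed for this example
# (not the syntax of any particular DNS server product).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) '
    r'name=(?P<name>\S+) answer="(?P<answer>.*)"$'
)

# Constructed "staged payload" answer: 300 pseudo-random bytes, base64-encoded,
# standing in for the kind of opaque blob a TXT-record stager returns.
# Seeded so the sample is reproducible; it decodes to nothing meaningful.
_rng = random.Random(1234)
_OPAQUE_BLOB = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(300))).decode()

# Constructed sample log lines: three ordinary lookups plus one suspicious TXT answer.
SAMPLE_LOG = f"""\
2026-01-15T10:02:11Z client=10.0.0.12 qtype=TXT name=_dmarc.example.com answer="v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
2026-01-15T10:02:12Z client=10.0.0.12 qtype=A name=www.example.com answer="192.0.2.10"
2026-01-15T10:02:13Z client=10.0.0.12 qtype=TXT name=example.com answer="v=spf1 include:_spf.example.com -all"
2026-01-15T10:02:14Z client=10.0.0.44 qtype=TXT name=stage.c2-placeholder.invalid answer="{_OPAQUE_BLOB}"
"""


@dataclass
class Finding:
    client: str
    name: str
    answer_len: int
    reason: str


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded blobs score far higher than policy text."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text: str, max_len: int = 255, min_blob_len: int = 100,
            entropy_threshold: float = 4.5) -> list:
    """Return one Finding per TXT answer that is oversized or looks like encoded data."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"] != "TXT":
            continue  # only TXT answers are relevant to this staging technique
        answer = m["answer"]
        reasons = []
        # Rule 1: a TXT answer longer than one 255-byte character-string is unusual
        # for policy records and typical of data smuggled through DNS.
        if len(answer) > max_len:
            reasons.append(f"oversized TXT answer ({len(answer)} chars > {max_len})")
        # Rule 2: long, high-entropy text with none of the recognised record prefixes
        # is more likely an encoded blob than a human-readable policy.
        if (not answer.startswith(BENIGN_PREFIXES)
                and len(answer) >= min_blob_len
                and shannon_entropy(answer) > entropy_threshold):
            reasons.append(f"high-entropy opaque text ({shannon_entropy(answer):.2f} bits/char)")
        if reasons:
            findings.append(Finding(m["client"], m["name"], len(answer), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.client} -> {f.name}: {f.reason}")
```

Run against the constructed sample, only the `10.0.0.44` lookup is reported, and it trips both rules. In production the thresholds need tuning: legitimate DKIM public keys regularly exceed 255 characters and are published as several concatenated strings, so rule 1 alone would page on every DKIM selector lookup, which is why rule 2 exempts the known prefixes and why a hit is best correlated with the querying host and process (a TXT lookup issued from a freshly launched command-line tool on a user workstation is far more telling than the same record fetched by a mail gateway).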




© 2025 Vardaan Sdn Bhd. All Rights Reserved.
