• ClickFix uses fake CAPTCHAs and bogus updates to trick users into executing malicious commands.
• Traditional mshta and PowerShell vectors are blocked, so attackers shifted to nslookup, a trusted network tool.
• Attackers configure DNS responses to embed malicious commands or URLs within nslookup replies.
• Victims copy the nslookup output into the Run dialog or a terminal, initiating the download of a ZIP archive.
• The archive contains a Python script that performs reconnaissance, then drops and runs ModeloRAT, a remote access trojan.
• ModeloRAT gives attackers full control over infected Windows machines, highlighting the evolving use of legitimate tools for malware delivery.

Article Summaries:

  • Cybercriminals behind the ClickFix malware campaign have introduced a new delivery technique that exploits the Windows nslookup utility to download a remote‑access trojan (ModeloRAT). By tricking victims into copying and running seemingly innocuous commands, attackers use nslookup to query a malicious DNS server that returns data containing a command to fetch a ZIP archive. The archive contains a Python script that performs reconnaissance and ultimately drops the ModeloRAT payload. This method bypasses common blocks on mshta and PowerShell, expanding ClickFix’s attack surface. Security experts advise users to verify commands, avoid copy‑paste from untrusted sites, and keep anti‑malware solutions up to date.
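As an added defender-side example (not from the article or any vendor product), the following Python correlation runs over constructed process-creation events and flags an interactively launched nslookup that names an explicit DNS server, followed within a few minutes by a Python interpreter executing from a user-writable path, which is the two-stage shape the summary describes. The event layout, field names, time window and path heuristics are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events, not taken from the article:
# (timestamp, user, parent image, image, command line)
EVENTS = [
    ("2024-01-01T10:00:00", "alice", "explorer.exe", "nslookup.exe",
     "nslookup lookup.example.test 203.0.113.10"),
    ("2024-01-01T10:01:05", "alice", "cmd.exe", "python.exe",
     "python %TEMP%\\update\\main.py"),
    ("2024-01-01T11:00:00", "bob", "cmd.exe", "nslookup.exe",
     "nslookup intranet.example.test"),
    ("2024-01-01T11:00:30", "bob", "cmd.exe", "python.exe",
     "python C:\\Tools\\inventory.py"),
    ("2024-01-01T12:00:00", "carol", "explorer.exe", "nslookup.exe",
     "nslookup lookup.example.test 198.51.100.7"),
]

INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}   # Run dialog / shell
USER_WRITABLE = ("%temp%", "\\temp\\", "\\appdata\\", "\\downloads\\")
WINDOW = timedelta(minutes=5)                        # assumed correlation window

def is_interactive_nslookup(image, parent, cmdline):
    """nslookup started from the Run dialog or a shell with an explicit
    server argument, i.e. bypassing the host's configured resolver."""
    if image.lower() != "nslookup.exe" or parent.lower() not in INTERACTIVE_PARENTS:
        return False
    positional = [t for t in cmdline.split()[1:] if not t.startswith("-")]
    return len(positional) >= 2          # <name> <server>

def is_user_path_python(image, cmdline):
    """Python interpreter running a script from a user-writable location."""
    return image.lower().startswith("python") and any(
        m in cmdline.lower() for m in USER_WRITABLE)

def detect(events):
    """Return (user, nslookup cmdline, python cmdline) for every interactive
    nslookup followed, for the same user and within WINDOW, by user-path Python."""
    alerts, pending = [], {}
    for ts, user, parent, image, cmdline in sorted(events):
        t = datetime.fromisoformat(ts)
        if is_interactive_nslookup(image, parent, cmdline):
            pending[user] = (t, cmdline)
        elif is_user_path_python(image, cmdline) and user in pending:
            t0, first = pending.pop(user)
            if t - t0 <= WINDOW:
                alerts.append((user, first, cmdline))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("ALERT", *alert)
```

Only alice's sequence fires: bob's nslookup uses the default resolver and his script lives outside a user-writable path, and carol's lookup has no follow-up execution.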

Sources: