{"id":10413,"date":"2026-02-05T10:00:51","date_gmt":"2026-02-05T10:00:51","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/05\/attackers-using-dns-txt-records-in-clickfix-script-to-execute-powershell-commands\/"},"modified":"2026-02-05T10:00:51","modified_gmt":"2026-02-05T10:00:51","slug":"attackers-using-dns-txt-records-in-clickfix-script-to-execute-powershell-commands","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/05\/attackers-using-dns-txt-records-in-clickfix-script-to-execute-powershell-commands\/","title":{"rendered":"Attackers Using DNS TXT Records in ClickFix Script to Execute PowerShell Commands"},"content":{"rendered":"<div>\n<p>The KongTuke campaign has continued to grow in sophistication. Active since mid-2025, this threat actor group has continuously refined its techniques to bypass conventional enterprise security filters. <\/p>\n<p>Their primary weapon remains the \u201cClickFix\u201d strategy, a social engineering vector that deceives unsuspecting users into manually \u201cfixing\u201d fake website errors.<\/p>\n<p>In these attacks, victims encounter fake browser glitches or verification captchas on compromised legitimate websites. <\/p>\n<p>Deceptive instructions prompt them to copy a malicious script and paste it directly into the Windows Run dialog or a PowerShell terminal. 
<\/p>\n<p>This \u201cself-infection\u201d method effectively bypasses automated download protections by leveraging the user\u2019s own system privileges to execute unauthorized code.<\/p>\n<p>However, a significant escalation in technical tradecraft has recently surfaced. Unit 42 analysts <a href=\"https:\/\/x.com\/Unit42_Intel\/status\/2019121578718490869\" id=\"https:\/\/x.com\/Unit42_Intel\/status\/2019121578718490869\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> that the latest KongTuke iterations now employ DNS TXT records to stealthily mask their next stage. <\/p>\n<p>Instead of reaching out to a flagged <a href=\"https:\/\/cybersecuritynews.com\/hackers-deploy-z0miner-malware\/\" id=\"58842\" target=\"_blank\" rel=\"noreferrer noopener\">web server<\/a> via HTTP, the initial script queries the TXT record of a legitimate-looking domain and retrieves the staging instructions for the next stage from the DNS response.<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">We discovered the <a href=\"https:\/\/twitter.com\/hashtag\/KongTuke?src=hash&amp;ref_src=twsrc%5Etfw\">#KongTuke<\/a> campaign using <a href=\"https:\/\/twitter.com\/hashtag\/DNS?src=hash&amp;ref_src=twsrc%5Etfw\">#DNS<\/a> TXT records in its <a href=\"https:\/\/twitter.com\/hashtag\/ClickFix?src=hash&amp;ref_src=twsrc%5Etfw\">#ClickFix<\/a> script. These DNS TXT records staged a command to retrieve and run a PowerShell script. We continue to monitor ClickFix campaigns for any future occurrences. 
Details at <a href=\"https:\/\/t.co\/nU4KHPPlk5\">https:\/\/t.co\/nU4KHPPlk5<\/a> <a href=\"https:\/\/t.co\/JGIMcpyrlk\">pic.twitter.com\/JGIMcpyrlk<\/a><\/p>\n<p>\u2014 Unit 42 (@Unit42_Intel) <a href=\"https:\/\/twitter.com\/Unit42_Intel\/status\/2019121578718490869?ref_src=twsrc%5Etfw\">February 4, 2026<\/a>\n<\/p><\/blockquote>\n<\/div>\n<\/div>\n<\/figure>\n<p>This method significantly complicates detection for defenders relying on standard HTTP traffic analysis. <\/p>\n<p>By embedding the staging command within DNS responses, attackers blend their malicious traffic with the constant background noise of ordinary name resolution. <\/p>\n<p>The ultimate goal remains the deployment of severe <a href=\"https:\/\/cybersecuritynews.com\/chatgpt-powered-malware-analysis\/\" id=\"42913\" target=\"_blank\" rel=\"noreferrer noopener\">malware<\/a>, often leading to the installation of the Interlock remote access trojan or other persistent threats within the network.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-mechanism-of-dns-txt-staging\"><strong>Mechanism of DNS TXT Staging<\/strong><\/h2>\n<p>The technical innovation lies in the payload retrieval mechanism. When the victim executes the initial ClickFix snippet, it does not immediately download a file. <\/p>\n<p>Instead, it triggers a PowerShell command that performs a DNS lookup for a specific TXT record. 
<\/p>\n<p>These records, normally designed to hold text information for <a href=\"https:\/\/cybersecuritynews.com\/fake-wordpress-domain-renewal-email\/\" id=\"138825\" target=\"_blank\" rel=\"noreferrer noopener\">domain verification<\/a>, contain the staged command string needed to fetch and execute the final payload.<\/p>\n<p>Security controls often permit DNS traffic freely to ensure connectivity, creating a dangerous blind spot. <\/p>\n<p>The script parses the text from the DNS response and executes it in memory, leaving minimal traces on disk. <\/p>\n<p>This \u201cfileless\u201d retrieval allows the KongTuke campaign to maintain a low profile while establishing persistence on compromised endpoints. <\/p>\n<p>Recommendations include blocking newly registered domains, inspecting <a href=\"https:\/\/cybersecuritynews.com\/android-bug-leaks-dns-traffic\/\" id=\"63789\" target=\"_blank\" rel=\"noreferrer noopener\">DNS traffic<\/a> for anomalies such as unusual TXT lookups, and strictly monitoring PowerShell execution logs for suspicious DNS lookup commands.<\/p>\n
<p>The post <a href=\"https:\/\/cybersecuritynews.com\/attackers-using-dns-txt-records-in-clickfix-script\/\">Attackers Using DNS TXT Records in ClickFix Script to Execute PowerShell Commands<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers Using DNS TXT Records in ClickFix Script to Execute PowerShell Commands The cybersecurity landscape has darkened with the sophisticated evolution of the KongTuke campaign. Active since mid-2025, this threat actor group has continuously refined its techniques to bypass conventional enterprise security filters. 
Their primary weapon remains the \u201cClickFix\u201d strategy, a social engineering vector that [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-10413","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10413"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10413"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10413\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}