A new evolution in the ClickFix social engineering campaign, which now employs a custom DNS hijacking technique <\/a>to deliver malware. <\/p>\n This attack method tricks users into executing malicious commands that utilize DNS lookups to fetch the next stage of the infection, allowing attackers to bypass traditional detection methods and blend in with normal network traffic.<\/p>\n ClickFix attacks rely on deceiving users through fake error messages, such as bogus CAPTCHA prompts or \u201cfix this issue\u201d notifications on compromised websites. <\/p>\n These lures persuade victims to copy a specific script to their clipboard and paste it into a simplistic system dialog like the Run command or PowerShell. <\/p>\n While previous variants, such as CrashFix, utilized fake browser crashes<\/a> to create a sense of urgency, this latest iteration focuses on a more technical evasion strategy involving the Domain Name System.<\/p>\n When a victim pastes and runs the initial malicious command, the script utilizes\u00a0 The script then parses the output of this request, specifically filtering for the\u00a0 This field does not contain a legitimate server name but instead holds the code for the second-stage payload, which is immediately executed on the victim\u2019s machine.<\/p>\n This technique transforms DNS into a lightweight staging channel. It allows attackers to validate that a target is active before delivering the heavier malware components. <\/p>\n Furthermore, because DNS traffic is ubiquitous in all networks, using it for command and control helps the malicious activity avoid raising alarms. <\/p>\n Microsoft Defender researchers have also observed <\/a>that once the second stage is triggered by the DNS response, the attack chain downloads a ZIP file containing a portable Python bundle.<\/p>\n The infection process continues by running a malicious Python script capable of performing host and domain reconnaissance. <\/p>\n To maintain access to the compromised system, the malware establishes persistence by dropping a VBScript file and creating a shortcut named\u00a0 The final payload delivered in this campaign is a Remote Access Trojan (RAT) identified as ModeloRAT. Microsoft Defender Antivirus detects and blocks this activity under the threat signature Trojan:Win32\/ClickFix.R!ml.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post New Clickfix Exploit Tricks Users into Changing DNS Settings for Malware Installation<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\ncmd.exe<\/code>\u00a0to perform a specific DNS lookup <\/a>against an attacker-controlled external server rather than the system\u2019s default internet resolver.<\/p>\nName:<\/code>\u00a0field in the DNS response. <\/p>\n![\"malicious](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/02\/image-27-1024x503.png?resize=1024%2C503&ssl=1\")
MonitoringService.lnk<\/code>\u00a0in the Windows Startup folder. <\/p>\n