Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Nslookup Exploit. Show all posts
Nslookup Exploit
CastleLoader Malware ClickFix Attack DNS-based malware Lumma Stealer macOS infostealer malware Nslookup Exploit

Microsoft Uncovers DNS-Based ClickFix Variant as Stealer Campaigns Escalate Across Windows and macOS

 

Microsoft has revealed a new evolution of the ClickFix social engineering technique, where attackers manipulate users into executing commands that initiate a Domain Name System (DNS) lookup to fetch a secondary malicious payload.

In this updated approach, threat actors use the “nslookup” command—short for nameserver lookup—triggered through the Windows Run dialog. The command performs a custom DNS query that retrieves instructions for the next stage of the attack.

ClickFix has gained traction in recent years and is commonly distributed through phishing emails, malvertising campaigns, and drive-by download schemes. Victims are typically redirected to fraudulent landing pages featuring fake CAPTCHA checks or fabricated system alerts, urging them to run commands in the Windows Run dialog or the macOS Terminal app to “resolve” non-existent issues.

The technique has spread rapidly over the past two years because it relies on users unknowingly infecting their own systems, effectively bypassing traditional security safeguards. Its success has led to multiple offshoots, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.

"In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver," the Microsoft Threat Intelligence team said in a series of posts on X. "The output is filtered to extract the Name: DNS response, which is executed as the second-stage payload."

Microsoft explained that this variation uses DNS as a “lightweight staging or signaling channel,” allowing attackers to communicate with their infrastructure while introducing an additional validation layer before delivering the next payload.

"Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic," the Windows maker added.

Following the DNS lookup, the attack chain downloads a ZIP archive from an external server (“azwsappdev[.]com”). Inside is a malicious Python script that conducts system reconnaissance, executes discovery commands, and drops a Visual Basic Script (VBScript). That VBScript launches ModeloRAT—a Python-based remote access trojan previously linked to CrashFix campaigns.

To maintain persistence, the malware creates a Windows shortcut (LNK) file in the Startup folder, ensuring automatic execution whenever the system reboots.

Lumma Stealer and CastleLoader Activity Intensifies

Separately, Bitdefender has reported a spike in Lumma Stealer operations, fueled by ClickFix-style fake CAPTCHA campaigns. These attacks deploy an AutoIt-based version of CastleLoader, a loader attributed to a threat actor known as GrayBravo (formerly TAG-150).

CastleLoader checks for virtualization environments and certain security software before decrypting and executing the stealer in memory. Beyond ClickFix tactics, attackers are also using websites offering cracked software and pirated movies to lure victims into downloading malicious installers disguised as MP4 files.

Additional campaigns have delivered a counterfeit NSIS installer that runs obfuscated VBA scripts before launching AutoIt components responsible for loading Lumma Stealer. The VBA component establishes scheduled tasks to ensure persistence.

"Despite significant law enforcement disruption efforts in 2025, Lumma Stealer operations continued, demonstrating resilience by rapidly migrating to new hosting providers and adapting alternative loaders and delivery techniques," the Romanian cybersecurity company said. "At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread through delivery chains."

One domain tied to CastleLoader infrastructure (“testdomain123123[.]shop”) was also identified as a Lumma Stealer command-and-control (C2) server, suggesting possible collaboration or shared services between operators. India has recorded the highest number of Lumma infections, followed by France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.

"The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities," Bitdefender said. "The instructions resemble troubleshooting steps or verification workarounds that users may have encountered previously. As a result, victims often fail to recognize that they are manually executing arbitrary code on their own system."

Expanding Threat Landscape: RenEngine, macOS Stealers, and Malvertising

CastleLoader is not the only distribution mechanism in play. Since March 2025, campaigns using RenEngine Loader have spread Lumma Stealer through fake game cheats and pirated applications such as CorelDRAW. In these cases, RenEngine deploys Hijack Loader, which then installs the stealer. Kaspersky data shows primary impact in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France.

Meanwhile, macOS users are increasingly being targeted. A campaign leveraging phishing and malvertising techniques has distributed Odyssey Stealer—a rebranded version of Poseidon Stealer and a fork of Atomic macOS Stealer (AMOS). The malware steals credentials and cryptocurrency wallet data from over 200 browser wallet extensions and multiple desktop wallet apps.

"Beyond credential theft, Odyssey operates as a full remote access trojan," Censys said. "A persistent LaunchDaemon polls the C2 every 60 seconds for commands, supporting arbitrary shell execution, reinfection, and a SOCKS5 proxy for tunneling traffic through victim machines."

Other campaigns include:
  • Fake CAPTCHA pages on compromised websites tricking Windows users into running PowerShell commands that deploy StealC.
  • Email phishing attacks using malicious SVG files inside password-protected ZIP archives to deliver the open-source .NET stealer Stealerium.
  • Abuse of generative AI platforms such as Claude to host ClickFix instructions distributed via sponsored Google search results.
  • Fake Medium articles impersonating Apple’s Support Team to spread macOS stealers via domains like “raxelpak[.]com.”
"The C2 domain raxelpak[.]com has URL history going back to 2021, when it appeared to host a safety workwear e-commerce site," MacPaw's Moonlock Lab said. "Whether the domain was hijacked or simply expired and re-registered by the [threat actor] is unclear, but it fits the broader pattern of leveraging aged domains with existing reputation to avoid detection."

Malvertising abuse has also raised concerns. "The ad shows a real, recognized domain (claude.ai), not a spoof or typo-squatted site," AdGuard said. "Clicking the ad leads to a real Claude page, not a phishing copy. The consequence is clear: Google Ads + a well-known trusted platform + technical users with high downstream impact = a potent malware distribution vector."

macOS Threats on the Rise

Security researchers note a broader shift toward targeting Apple systems with advanced infostealers. According to recent analysis, macOS stealers now target more than 100 Chrome cryptocurrency extensions, and attackers are even acquiring legitimate Apple developer signatures to bypass Gatekeeper protections.

"Nearly every macOS stealer prioritizes cryptocurrency theft above all else," the company said. "This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once seed phrases are compromised, funds disappear permanently with no recourse."

"The 'Macs don't get viruses' assumption is not just outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage."


Read more »
Social Engineering Cyberattack
CastleLoader Malware ClickFix Attack DNS Delivery GrayBravo Threat Actor Lumma Stealer Campaign malware ModeloRAT Trojan Nslookup Exploit PowerShell Abuse Social Engineering Cyberattack

New ClickFix Campaign Uses Nslookup to Fetch Malicious PowerShell Script


 

According to Microsoft, the ClickFix social engineering technique has evolved in a refined manner, emphasizing that even the most common software applications can be repurposed into covert channels for malware distribution. Using this latest iteration, hackers are no longer only relying on deceptive downloads and embedded scripts to spread malware. 

Through carefully staged prompts, they manipulate victims' trust by instructing them to execute what appears to be harmless system commands. Under this veneer of legitimacy, the command initiates a DNS query via nslookup, quietly retrieving the next-stage payload from attacker-controlled infrastructure. 

By embedding malicious intent within routine administrative behaviors, the campaign transforms a standard troubleshooting tool into an unassuming channel of infection. In Microsoft's analysis, the newly observed campaign instructs victims to use an nslookup command to query a DNS server controlled by the attacker, rather than the system's configured resolver, as directed by the attacker. 

It is designed to request a specific hostname from a remote IP address controlled by the threat actor and forward the query to that address. Instead of returning a regular DNS record, the server responds with a crafted DNS entry with a second PowerShell command embedded in the "Name" field. 

In addition, the Windows command interpreter parses and executes that response, thereby converting a standard DNS query into a covert staging mechanism for code delivery. According to Microsoft Threat Intelligence, this strategy represents another evolution of ClickFix's evasion strategy. 

While earlier versions primarily utilized HTTP-based payload retrieval, this version relies on DNS for both communication and dynamic payload distribution. In spite of the unclear lure used to persuade users, victims are reportedly instructed to execute the command through Windows Run, strengthening the tactic's dependency on social engineering rather than exploits. 

By moving execution to user-initiated system utilities, attackers are reducing the probability that conventional web or network filtering controls will be triggered. PowerShell scripts that are executed in this stage retrieve additional components from infrastructure under attacker control. 

As a result of Microsoft's investigation, it has been determined that the subsequent payload consists of a compressed archive containing a portable Python runtime along with malicious scripts. Prior to establishing persistence on the infected host, these scripts conduct reconnaissance against the host and its domain environment, gathering network and system information. 

In this method, the user creates a VBScript file in their AppData directory, and a shortcut is placed in their Windows Startup folder to ensure execution upon logon. A remote access trojan named ModeloRAT is deployed as part of the infection chain, granting the operator sustained control over compromised systems.

A DNS-based staging strategy allows adversaries to adjust payloads in real time while blending malicious traffic with routine name resolution activity by embedding executable instructions within DNS responses. As well as complicating detection, this DNS-based staging technique demonstrates that ClickFix continues to refine itself into a modular intrusion framework that is adaptable. 

In addition, Microsoft's Threat Intelligence team has assessed that the intrusion sequence is initiated by launching a command from the Windows Run dialog, which directly directs a DNS query to an adversary-controlled hard-coded external resolver. This command output is programmatically filtered to isolate the Name: field of the DNS response, and it is then executed as the second stage payload.

There has been documentation of this technique being used in multiple malware distribution campaigns, including campaigns that deliver Lumma Stealer. This malware has been detected in India, France, the United States, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada. 

Attributed to the GrayBravo threat actor, Lumma Stealer incorporates environmental awareness checks, identifying virtualization platforms and specific security products before decrypting and executing its payload directly in memory to evade analysis and detection. 

Rather than relying on phishing emails, malvertising networks, and drive-by download schemes, ClickFix has evolved beyond its earlier reliance on these methods to move toward DNS-based staging. By exploiting procedural trust rather than software flaws, operators persuade users to execute commands to resolve benign system problems. 

A parallel campaign distributing Lumma Stealer used CastleLoader and RenEngine Loader as primary delivery mechanisms. CastleLoader has been deployed by compromised websites that present fraudulent CAPTCHA verification prompts instructing victims to use PowerShell. 

In campaigns targeting Russian, Brazilian, Turkish, Spanish, German, Mexico, Algeria, Egypt, Italy, and France users, RenEngine Loader facilitates the deployment of Hijack Loader, which eventually installs Lumma Stealer on compromised hosts. These campaigns do not have limited operational footprints to Windows environments.

The evidence suggests that macOS-targeted infostealer activity has increased dramatically in recent years, which indicates that long-held assumptions about Apple platform immunity have been eroded. In order to capitalize on the concentration of high-value software wallets within the macOS ecosystem, attackers frequently prioritize cryptocurrency theft. 

There are numerous tactics, techniques, and procedures that macOS-specific detection strategies must consider, including unsigned applications requesting elevated credentials, anomalous Terminal execution patterns, suspicious outbound connections to blockchain infrastructure that are unrelated to financial workflows, as well as attempts to exfiltrate data from Keychain repositories and browser storage media. 

In addition to ClickFix itself, many other variants and affiliate campaigns have been launched. Security analysts have documented macOS-focused operations utilizing phishing and malvertising to distribute Odyssey Stealer, a rebranded version of Poseidon Stealer. Using compromised websites that appear legitimate, attackers have hosted deceptive CAPTCHA pages that trigger the deployment of StealC information stealer via PowerShell.

Additionally, malicious SVG files have been embedded in password-protected ZIP archives, instructing victims to execute ClickFix commands, leading to the installation of Stealerium, an open-source NET infostealer that is open-source. More unconventionally, adversaries have used public sharing features of generative AI services such as Anthropic Claude to publish staged instructions for installing the ClickFix application on macOS systems. 

Search results for macOS command-line disk space analysis tools were manipulated by a campaign resulting in redirection to a fake Medium article impersonating Apple Support, which ultimately resulted in stealer payloads being delivered by external infrastructure. These developments demonstrate how ClickFix is becoming a cross-platform social engineering framework capable of adapting to diverse malware environments by demonstrating its increasing operational flexibility. 

By creating a Windows shortcut (LNK) to the previously dropped VBScript component within the Startup directory, the malware maintains long-term access by creating persistence. By ensuring that the malicious script is executed every time the operating system boots up, the infection is embedded into the routine startup sequence of the host, ensuring long-term access to the host is maintained. 

According to Bitdefender's separate findings, Lumma Stealer activity has increased significantly as a result of ClickFix-type campaigns designed around fake CAPTCHA verification prompts. This disclosure is consistent with Bitdefender's separate findings. These operations are carried out by attackers using the AutoIt-based CastleLoader malware loader associated with GrayBravo, formerly known as TAG-150. It is linked to the threat actor GrayBravo.

After detecting virtualization platforms and specific security tools, CastleLoader decrypts and executes the stealer payload in memory, a technique designed to thwart sandbox analysis and endpoint detection. 

Furthermore, CastleLoader has been distributed via websites that advertise pirated and cracked software, as well as ClickFix-driven distribution channels. A rogue installer or executable may be downloaded by users in these scenarios, masquerading as legitimate MP4 files.

In addition, counterfeit NSIS installers have been used to execute obfuscated VBA scripts prior to starting the embedded AutoIt loader responsible for installing Lumma Stealer. Using the VBA component, these systems are reinforced by scheduled tasks designed to reinforce persistence mechanisms. 

The Bitdefender assessment indicates that, despite coordinated law enforcement actions in 2025 designed to disrupt Lumma Stealer infrastructure, Lumma Stealer has demonstrated considerable resilience. 

While shifting to alternate hosting providers, operators are rotating loaders and delivery techniques to maintain infection volumes while rapidly migrating to alternative hosting providers. Several of these campaigns remain centrally located in CastleLoader, which serves as a primary distribution tool within Lumma's broader ecosystem. As a result of analyzing CastleLoader infrastructure, it was found that domains previously identified as Lumma Stealer command-and-control servers overlapped, suggesting that the two malware clusters collaborated operationally or shared service providers. 

According to infection telemetry, the largest number of Lumma Stealer cases originate in India, followed by France, the United States, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada. In their view, ClickFix's sustained success is due not to zero-day exploits or sophisticated technical vulnerabilities but rather to the exploitation of procedural trust.

In order to reduce suspicion and increase compliance, instructions presented to victims are designed to appear like legitimate troubleshooting procedures or verification procedures. Due to this inadvertent execution of malicious code, users mistakenly believe they are resolving a routine system issue. CastleLoader is not the sole delivery mechanism facilitating Lumma Stealer's spread. 

The RenEngine Loader has also been used for campaign purposes since at least March 2025, commonly posing as game cheats or pirated commercial software such as CorelDRAW. In these attack chains, RenEngine Loader also deploys a secondary component, Hijack Loader, which installs Lumma Stealer as a result.

It is evident from these parallel loader frameworks that the Lumma distribution ecosystem is modular and adaptive, which reinforces its persistence irrespective of sustained disruption attempts. As ClickFix and its associated loader ecosystem continue to be refined, organizations must recognize a greater defensive imperative. 

Organizations cannot rely on perimeter filtering or signature-based detection alone to mitigate malicious activities originating within trusted system utilities and user workflows anymore. As part of defensive strategies, PowerShell logging should be strictly enforced, DNS queries should be monitored for anomalous patterns, and behavior detection can be used to identify command-line abuse from user-initiated processes. 

Similarly, it is crucial to implement application control policies, restrict script execution, and monitor persistent mechanisms, such as startup folder modifications and scheduled tasks, at an early stage. Training in procedural social engineering, not just phishing links and attachments, is also vital for sustained user awareness. 

Since such campaigns rely increasingly on convincing users to execute commands themselves, security programs must emphasize the risks associated with running unsolicited system instructions, regardless of how routine they appear. As ClickFix has evolved into a cross-platform, DNS-enabled staging framework, it is clear that in order to maintain defensive resilience, one must recognize and disrupt these intersections.
Read more »
Subscribe to: Comments (Atom)