Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that perform a Domain Name System (DNS) lookup to retrieve the next-stage payload.
Specifically, the attack relies on using the "nslookup" (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows Run dialog.
ClickFix is an increasingly popular technique that is traditionally delivered via phishing, malvertising, or drive-by download schemes, often redirecting targets to bogus landing pages that host fake CAPTCHA verification or instructions to address a non-existent problem on their computers by running a command either via the Windows Run dialog or the macOS Terminal app.
The attack method has become widespread over the past two years because it hinges on the victims infecting their own machines with malware, thereby allowing the threat actors to bypass security controls. The effectiveness of ClickFix has been such that it has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.
"In the latest DNS-based staging using ClickFix, the initial command runs via cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver," the Microsoft Threat Intelligence team said in a series of posts on X. "The output is filtered to extract the `Name:` DNS response, which is executed as the second-stage payload."
Microsoft said this new variation of ClickFix uses DNS as a "lightweight staging or signaling channel," enabling the threat actor to reach infrastructure under their control, as well as erect a new validation layer before executing the second-stage payload.
"Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic," the Windows maker added.
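The staging step Microsoft describes leaves a distinctive trace in process-creation telemetry: a shell started from the Run dialog invoking nslookup with an explicit resolver that is not one of the organization's own, with the answer piped into a text filter. The following detector is an added example written for this article, not code from Microsoft or the article's author. The log records are constructed here in a simplified Sysmon-like JSON shape (the field names `Image`, `ParentImage` and `CommandLine` and the approved-resolver list are assumptions), and an `explorer.exe` parent is treated only as a supporting signal, since it also covers ordinary double-clicked shortcuts.

```python
"""Flag ClickFix-style DNS staging in process-creation events (added example)."""
import ipaddress
import json
import re

# Constructed for this example: the resolvers endpoints are expected to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Address space treated as internal; anything else is a hard-coded external resolver.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# nslookup output being carved up by findstr/find or a for /f loop, which is how
# the article describes the "Name:" answer being turned into a command.
OUTPUT_FILTER = re.compile(r"\b(findstr|find)\b[^|]*\bname\b|\bfor\s+/f\b", re.IGNORECASE)

# Tokens that end nslookup's own argument list inside a cmd.exe command line.
ARG_BREAK = ("|", "^", "&", ")", "'", ">", "<")


def nslookup_server(cmdline):
    """Return the explicit resolver passed to nslookup, or None if there is none."""
    tokens = cmdline.replace("|", " | ").split()
    starts = [i for i, t in enumerate(tokens)
              if t.strip("\"'()").lower() in ("nslookup", "nslookup.exe")]
    if not starts:
        return None
    positional = []
    for tok in tokens[starts[0] + 1:]:
        if tok.startswith(ARG_BREAK):
            break
        tok = tok.strip("\"'()")
        if tok and not tok.startswith("-"):       # skip options such as -type=txt
            positional.append(tok)
    # nslookup <name> [server]: the second positional argument is the resolver.
    return positional[1] if len(positional) >= 2 else None


def resolver_is_external(server):
    """True unless the resolver is approved or sits in internal address space."""
    if server in APPROVED_RESOLVERS:
        return False
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return True                                # a hostname: not an approved resolver
    return not any(addr in net for net in INTERNAL_NETS)


def assess(event):
    """Return a severity for one event, or None when it matches nothing."""
    cmdline = event.get("CommandLine", "")
    server = nslookup_server(cmdline)
    if server is None or not resolver_is_external(server):
        return None
    if not OUTPUT_FILTER.search(cmdline):
        return None                                # a plain lookup against a public resolver
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    from_run_dialog = parent.endswith("\\explorer.exe") and image.endswith("\\cmd.exe")
    return "high" if from_run_dialog else "medium"


def scan(lines):
    """Parse JSON event lines; return (line_no, severity, resolver) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        event = json.loads(line)
        severity = assess(event)
        if severity:
            findings.append((n, severity, nslookup_server(event["CommandLine"])))
    return findings


# Constructed sample telemetry (203.0.113.0/24 is documentation address space).
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c nslookup svc.example.invalid 203.0.113.10 | findstr Name:"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "cmd.exe /c nslookup svc.example.invalid 203.0.113.10 | findstr Name:"},
    {"Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup mail.corp.example 10.0.0.53"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c nslookup www.example.com 8.8.8.8"},
)]

if __name__ == "__main__":
    for n, severity, server in scan(SAMPLE_EVENTS):
        print(f"event {n}: {severity} - nslookup against {server} with output filtering")
```

Only the first two constructed events fire: both combine an unapproved public resolver with output carving, and the first is rated higher because it was launched from the Run dialog. The third uses an approved resolver and the fourth queries a public resolver without filtering the answer, which is ordinary troubleshooting. Private addresses outside the approved set are deliberately not flagged by this rule; an unauthorized internal resolver is a separate hunt.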
The downloaded payload subsequently initiates an attack chain that leads to the download of a ZIP archive from an external server ("azwsappdev[.]com"), from which a malicious Python script is extracted and run to conduct reconnaissance, run discovery commands, and drop a Visual Basic Script (VBScript) responsible for launching ModeloRAT, a Python-based remote access trojan previously distributed via CrashFix.
To establish persistence, a Windows shortcut (LNK) file pointing to the VBScript is created in the Windows Startup folder so that the malware is automatically launched every time the operating system is started.
The disclosure comes as Bitdefender warned of a surge in Lumma Stealer activity, driven by ClickFix-style fake CAPTCHA campaigns that deploy an AutoIt version of CastleLoader, a malware loader associated with a threat actor codenamed GrayBravo (formerly TAG-150).
CastleLoader incorporates checks to determine the presence of virtualization software and specific security programs before decrypting and launching the stealer malware in memory. Outside of ClickFix, websites advertising cracked software and pirated movies serve as bait for CastleLoader-based attack chains, deceiving users into downloading rogue installers or executables masquerading as MP4 media files.
Other CastleLoader campaigns have also leveraged websites promising cracked software downloads as a starting point to distribute a fake NSIS installer that also runs obfuscated VBA scripts prior to running the AutoIt script that loads Lumma Stealer. The VBA loader is designed to create scheduled tasks responsible for ensuring persistence.
"Despite significant law enforcement disruption efforts in 2025, Lumma Stealer operations continued, demonstrating resilience by quickly migrating to new hosting providers and adapting various loaders and delivery methods," the Romanian cybersecurity company said. "At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread via delivery chains."
Interestingly, one of the domains on CastleLoader's infrastructure ("testdomain123123[.]store") was flagged as a Lumma Stealer command-and-control (C2), indicating that the operators of the two malware families are either working together or sharing service providers. The majority of Lumma Stealer infections have been recorded in India, followed by France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.
"The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities," Bitdefender said. "The instructions resemble troubleshooting steps or verification workarounds that users may have encountered previously. As a result, victims often fail to recognize that they are manually executing arbitrary code on their own system."
CastleLoader is not the only loader being used to distribute Lumma Stealer. Campaigns observed as early as March 2025 have leveraged another loader dubbed RenEngine Loader, with the malware propagated under the guise of game cheats and pirated software like the CorelDRAW graphics editor. In these attacks, the loader makes way for a secondary loader named Hijack Loader, which then deploys Lumma Stealer.
According to data from Kaspersky, RenEngine Loader attacks have primarily affected users in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France since March 2025.
The developments coincide with the emergence of various campaigns using social engineering lures, including ClickFix, to deliver a variety of stealers and malware loaders –
- A macOS campaign that has used phishing and malvertising ploys to deliver Odyssey Stealer, a rebrand of Poseidon Stealer, which itself is a fork of Atomic macOS Stealer (AMOS). The stealer exfiltrates credentials and data from 203 browser wallet extensions and 18 desktop wallet applications to facilitate cryptocurrency theft.
- "Beyond credential theft, Odyssey operates as a full remote access trojan," Censys said. "A persistent LaunchDaemon polls the C2 every 60 seconds for commands, supporting arbitrary shell execution, reinfection, and a SOCKS5 proxy for tunneling traffic through victim machines."
- A ClickFix attack chain targeting Windows systems that uses fake CAPTCHA verification pages on legitimate-but-compromised websites to trick users into executing PowerShell commands that deploy the StealC information stealer.
- An email phishing campaign that uses a malicious SVG file contained within a password-protected ZIP archive to instruct the victim to run a PowerShell command using ClickFix, ultimately resulting in the deployment of an open-source .NET infostealer called Stealerium.
- A campaign that exploits the public sharing feature of generative artificial intelligence (AI) services like Anthropic Claude to stage malicious ClickFix instructions on how to perform a variety of tasks on macOS (e.g., "online DNS resolver"), and distributes these links via sponsored results on search engines like Google to deploy Atomic Stealer and MacSync Stealer.
- A campaign that directs users searching for "macOS cli disk space analyzer" to a fake Medium article impersonating Apple's Support Team to deceive them into running ClickFix instructions that deliver next-stage stealer payloads from an external server, "raxelpak[.]com."
- "The C2 domain raxelpak[.]com has URL history going back to 2021, when it appeared to host a safety workwear e-commerce site," MacPaw's Moonlock Lab said. "Whether the domain was hijacked or simply expired and re-registered by the [threat actor] is unclear, but it fits the broader pattern of leveraging aged domains with existing reputation to avoid detection."
- A variation of the same campaign that stages ClickFix instructions for supposedly installing Homebrew on links associated with Claude and Evernote, promoted via sponsored results, to install stealer malware.
- "The ad shows a real, recognized domain (claude.ai), not a spoof or typo-squatted site," AdGuard said. "Clicking the ad leads to a real Claude page, not a phishing copy. The result is clear: Google Ads + a well-known trusted platform + technical users with high downstream impact = a potent malware distribution vector."
- A macOS email phishing campaign that prompts recipients to download and run an AppleScript file to address supposed compatibility issues, resulting in the deployment of another AppleScript designed to steal credentials and retrieve additional JavaScript payloads.
- "The malware does not grant permissions to itself; instead, it forges TCC authorizations for trusted Apple-signed binaries (Terminal, osascript, Script Editor, and bash) and then executes malicious actions via these binaries to inherit their permissions," Darktrace said.
- A ClearFake campaign that employs fake CAPTCHA lures on compromised WordPress sites to trigger the execution of an HTML Application (HTA) file and deploy Lumma Stealer. The campaign is also known to use malicious JavaScript injections to employ a technique called EtherHiding to execute a contract hosted on the BNB Smart Chain and fetch an unknown payload hosted on GitHub.
- EtherHiding offers attackers several advantages, allowing malicious traffic to blend with legitimate Web3 activity. Because the blockchain is immutable and decentralized, it offers increased resilience in the face of takedown efforts.
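The Darktrace finding above, that the AppleScript malware forged TCC authorizations for Terminal, osascript, Script Editor and bash rather than requesting its own, points at a concrete audit: list which privacy grants those script hosts currently hold and when they were recorded. The script below is an added example for this article, not code from Darktrace or the article's author. It queries a copy of a TCC database with Python's sqlite3 module; the subset of `access` table columns it reads (`service`, `client`, `auth_value`, `csreq`, `last_modified`) and the sample rows are assumptions constructed for the example, and the client identifiers are how TCC names these binaries (bundle identifier for apps, absolute path for command-line tools).

```python
"""Audit a TCC.db copy for grants held by scriptable Apple binaries (added example)."""
import sqlite3
from datetime import datetime, timezone

# The script hosts the quoted report names, keyed by their TCC client identifier.
SCRIPT_HOSTS = {
    "com.apple.Terminal": "Terminal",
    "com.apple.ScriptEditor2": "Script Editor",
    "/usr/bin/osascript": "osascript",
    "/bin/bash": "bash",
}

# Friendly names for the services most useful to a stealer; others pass through as-is.
SERVICE_NAMES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceAppleEvents": "Automation (Apple Events)",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceMicrophone": "Microphone",
}

AUTH_ALLOWED = 2   # auth_value meaning "allowed" in TCC.db (0 = denied)


def audit_tcc(conn):
    """Return every allowed grant held by a script host, oldest client name first."""
    rows = conn.execute(
        "SELECT service, client, auth_value, csreq, last_modified "
        "FROM access ORDER BY client, service"
    ).fetchall()
    findings = []
    for service, client, auth_value, csreq, last_modified in rows:
        if client not in SCRIPT_HOSTS or auth_value != AUTH_ALLOWED:
            continue
        findings.append({
            "client": SCRIPT_HOSTS[client],
            "service": SERVICE_NAMES.get(service, service),
            "granted_at": datetime.fromtimestamp(last_modified, tz=timezone.utc).isoformat(),
            # A grant recorded without a code-signing requirement deserves a closer look.
            "missing_csreq": csreq is None,
        })
    return findings


def build_sample_db():
    """Constructed stand-in for a TCC.db copy; the column subset is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, csreq BLOB, last_modified INTEGER)"
    )
    fake_csreq = b"\xfa\xde\x0c\x00constructed"         # placeholder requirement blob
    jan_2025 = 1735689600                               # 2025-01-01T00:00:00Z
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "/usr/bin/osascript", 1, 2, 4, None, jan_2025),
        ("kTCCServiceAccessibility", "com.apple.Terminal", 0, 2, 4, fake_csreq, jan_2025),
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 0, 4, fake_csreq, jan_2025),
        ("kTCCServiceMicrophone", "/bin/bash", 1, 2, 4, None, jan_2025),
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 4, fake_csreq, jan_2025),
    ])
    return conn


if __name__ == "__main__":
    for f in audit_tcc(build_sample_db()):
        flag = "  [no code requirement]" if f["missing_csreq"] else ""
        print(f'{f["client"]:14} {f["service"]:28} granted {f["granted_at"]}{flag}')
```

On a real system the per-user database is `~/Library/Application Support/com.apple.TCC/TCC.db` and the system-wide one is `/Library/Application Support/com.apple.TCC/TCC.db`; reading either requires Full Disk Access, so copy the file with an authorized tool and point `sqlite3.connect` at the copy. A hit is a review item, not a verdict: administrators do grant Terminal Full Disk Access deliberately, so compare each grant's timestamp and code requirement against what the user remembers approving.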
A recent analysis published by Flare has found that threat actors are increasingly targeting Apple macOS with infostealers and sophisticated tools.
"Nearly every macOS stealer prioritizes cryptocurrency theft above all else," the company said. "This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once seed phrases are compromised, funds disappear permanently with no recourse."
"The 'Macs don't get viruses' assumption is not just outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage."