Microsoft has warned customers that risk actors are leveraging a brand new variant of the ClickFix method to ship malware.<\/strong><\/p>\n The ClickFix<\/a> assault technique has been more and more used up to now 12 months by each cybercriminals and state-sponsored risk teams.<\/p>\n The assault includes attackers displaying a pretend error message on a compromised or malicious web site. The message instructs the goal to handle the problem by urgent particular keys, then performing further steps (eg, operating a command). By following the attacker\u2019s directions, the consumer unknowingly grants elevated permissions, downloads malware, or executes attacker-supplied scripts.<\/p>\n In a latest ClickFix assault noticed by Microsoft the attacker requested targets to run a command that executes a customized DNS lookoup.<\/p>\n \u201cThe preliminary command runs by cmd.exe and performs a DNS lookup towards a hard-coded exterior DNS server, somewhat than the system\u2019s default resolver. The output is filtered to extract the \u2018Title:\u2019 DNS response, which is executed because the second-stage payload,\u201d Microsoft defined<\/a>.<\/p>\n This tactic allows the attacker to achieve their infrastructure and validate execution of the second-stage payload, rising their probabilities of evading detection by mixing malicious site visitors into common community site visitors.\u00a0<\/p>\n The second-stage payload downloads and executes a malicious Python script designed for reconnaissance. The ultimate payload is then dropped and a persistence mechanism is deployed.<\/p>\n![\"\"](\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2026\/02\/ClickFix-DNS-1024x504.jpg\")
<\/figure>\n<\/div>\n