Microsoft has warned of a new ClickFix variant that tricks users into running a DNS-based command that fetches a second-stage payload via nslookup. Microsoft Defender researchers describe the technique as an evasion method that uses a DNS lookup and parses the Name: response to retrieve the next-stage payload. The report, dated 16 February 2026, notes that the latest variant uses cmd[.]exe to perform a DNS lookup against a hard-coded external DNS server, with the Name: response executed as the second-stage payload.
This DNS-based staging acts as a lightweight signalling channel, allowing attackers to reach their own infrastructure and add a validation step before executing the final payload. That payload downloads a ZIP from an external server, extracts a portable Python bundle and malicious Python code, then runs a Python script for host reconnaissance before dropping a VBScript and a Startup shortcut for persistence. The final payload is described as ModeloRAT, a Python-based remote access trojan. The attackers also achieve persistence by placing a Windows shortcut in the Startup folder, according to Microsoft.
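
One way to hunt for the lookup behaviour described above in process-creation telemetry, as an added example that is not taken from Microsoft's report: it flags nslookup invocations that name an explicit resolver outside an approved list. The approved network, the sample events and all function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: resolvers this organisation's endpoints are expected to use.
APPROVED_RESOLVERS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed process-creation events (parent image, command line); not from the report.
SAMPLE_EVENTS = [
    ("explorer.exe", "nslookup intranet.corp.example"),
    ("cmd.exe", "nslookup -type=A intranet.corp.example 10.1.1.53"),
    ("cmd.exe", 'cmd.exe /c nslookup host.example 203.0.113.10 | findstr "Name:"'),
    ("powershell.exe", r"C:\Windows\System32\nslookup.exe -timeout=5 host.example 198.51.100.7"),
]

# Capture nslookup's arguments up to the first pipe, chain or redirect operator.
NSLOOKUP = re.compile(r'(?:^|[\\/\s"])nslookup(?:\.exe)?"?\s+(?P<args>[^|&><]*)', re.I)

def explicit_resolver(cmdline):
    """Return the server argument of `nslookup [-opt] name server`, or None."""
    m = NSLOOKUP.search(cmdline)
    if not m:
        return None
    positional = [a for a in m.group("args").split() if not a.startswith("-")]
    return positional[1] if len(positional) >= 2 else None

def is_approved(server):
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # resolver given by name: treat as unapproved and review
    return any(addr in net for net in APPROVED_RESOLVERS)

def triage(events):
    """Return one finding per event that queries an unapproved, explicit resolver."""
    findings = []
    for parent, cmdline in events:
        server = explicit_resolver(cmdline)
        if server is None or is_approved(server):
            continue
        findings.append({
            "parent": parent,
            "resolver": server,
            # Extra signal: the command line filters output on the Name: field.
            "output_filtered": "name:" in cmdline.lower(),
            "cmdline": cmdline,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Administrators do sometimes query a specific resolver by hand, so findings are best ranked by parent process and by whether the output is filtered rather than alerted on individually.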