CLICKFIX campaigns have adapted nslookup commands to download RATs, with Malwarebytes noting that security software increasingly blocks mshta and PowerShell, prompting this new method. According to Microsoft, these malicious commands start an infection chain that downloads a ZIP archive from an external server, from which a Python script is extracted to conduct reconnaissance and discovery before dropping a Visual Basic Script that executes ModeloRAT.
ModeloRAT is described as a Python-based remote access trojan that gives attackers hands-on control over an infected Windows machine. The campaign’s early stages still involve tactics such as fake CAPTCHA prompts, but the nslookup technique repurposes a built-in network troubleshooting tool to smuggle in instructions and malware. The article, dated 16 February 2026, emphasises that victims are often nudged to copy the commands into the Run dialog or Mac terminal, making awareness and caution essential. It also urges users to type commands manually rather than copy-paste and to verify instructions independently before acting.