ClickFix campaigns have evolved to bypass new defences by using a DNS lookup command to deliver ModeloRAT, a Windows-based remote access Trojan. According to Microsoft, attackers now instruct targets to run a command that performs a custom DNS lookup and parses the Name: response to fetch the next-stage payload, bypassing some traditional security controls.
The infection chain in these observed campaigns downloads a ZIP from an external server, extracts a Python script, and ultimately drops a Visual Basic Script to execute ModeloRAT. The Malwarebytes Labs follow-up analysis notes that nslookup is a built-in tool for looking up addresses, which criminals are abusing to smuggle in instructions and malware rather than simply retrieving data.
Researchers emphasise that this technique blends malicious activity into normal network traffic and can work even within enterprise environments. The report, published on 17 February 2026 by Elizabeth Montalbano, highlights that the approach shows attackers adapting to defensive measures by exploiting trusted utilities to advance their campaigns.
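Because the lookup itself looks like ordinary DNS traffic, the more reliable signal is on the endpoint: nslookup pointed at a resolver the organisation does not run, with its output fed into something that filters on the Name: field. The following detection sketch is an added example, not code from Microsoft or Malwarebytes; the resolver allow-list, the event field names, the host names and the sample command lines are all constructed assumptions.

```python
import re

# Assumption: resolvers that endpoints in this environment normally query.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b(.*)", re.IGNORECASE)
NAME_FIELD_RE = re.compile(r"\bname\b", re.IGNORECASE)

# Constructed process-creation events (hypothetical hosts and field names).
SAMPLE_EVENTS = [
    {"host": "ws-101", "cmdline": "nslookup intranet.corp.example"},
    {"host": "ws-102", "cmdline": "nslookup -type=mx corp.example 10.0.0.53"},
    {"host": "ws-114", "cmdline": 'cmd /c nslookup host.example.invalid 203.0.113.10 | findstr "Name:"'},
    {"host": "ws-207", "cmdline": "nslookup.exe www.example.com 198.51.100.7"},
]


def nslookup_signals(cmdline):
    """Return the suspicious traits found in one process command line."""
    signals = []
    stages = re.split(r"[|&]+", cmdline)  # pipeline / chained stages
    for i, stage in enumerate(stages):
        match = NSLOOKUP_RE.search(stage)
        if not match:
            continue
        args = [a.strip("\"'") for a in match.group(1).split()]
        positional = [a for a in args if not a.startswith("-")]
        # nslookup [-option] name [server]: a second positional argument
        # overrides the configured resolver.
        if len(positional) >= 2 and positional[1] not in INTERNAL_RESOLVERS:
            signals.append("explicit_non_corporate_server")
        # A later stage that filters on "Name" is parsing the answer text.
        if any(NAME_FIELD_RE.search(s) for s in stages[i + 1:]):
            signals.append("parses_name_field")
        break
    return signals


def triage(events):
    """Return (host, severity, signals) for every event with a signal."""
    findings = []
    for event in events:
        signals = nslookup_signals(event["cmdline"])
        if signals:
            severity = "high" if len(signals) == 2 else "review"
            findings.append((event["host"], severity, signals))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

An explicit external resolver alone is left at "review" because administrators do this when troubleshooting; the combination with output parsing is what raises it to "high".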