thehackernews.com 2/15/2026, 3:10:23 PM

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Primary Source x.com

Microsoft has disclosed a new version of the ClickFix social engineering tactic that uses DNS-based staging, as reported on 15 February 2026. According to the Microsoft Threat Intelligence team, the attack relies on the nslookup command to perform a DNS lookup that retrieves the next-stage payload. The initial command runs through cmd[.]exe and targets a hard-coded external DNS server; the output is filtered to extract the Name: DNS response, which is then executed as the second-stage payload.

The technique uses DNS as a lightweight signaling channel to reach infrastructure under the attackers' control and to add a validation layer before the second-stage payload runs. That payload then downloads a ZIP archive from azwsappdev[.]com, extracts a Python script that runs reconnaissance and discovery commands, and drops a VBScript that launches ModeloRAT. Persistence is achieved by creating a Windows shortcut in the Startup folder.
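A detection sketch for the staging command described above, added here as an example and not taken from Microsoft's report: it scores process-creation events for nslookup launched through cmd.exe, pointed at a resolver outside an approved list, with output filtered on Name. The event field names, the approved-resolver list and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: the resolvers endpoints in this environment are expected to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

NSLOOKUP = re.compile(r"\bnslookup(?:\.exe)?\b(?P<args>[^|&]*)", re.I)
NAME_FILTER = re.compile(r"\|\s*(?:findstr|find)(?:\.exe)?\b[^|&]*\bName", re.I)

# Constructed process-creation events (hosts and IPs use documentation ranges).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c nslookup example.test 203.0.113.10 | findstr "Name:"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c nslookup -type=A host.example.test 10.0.0.53"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ipconfig /all"},
]


def indicators(event):
    """Return the staging indicators matched by one process-creation event."""
    cmdline = event["command_line"]
    match = NSLOOKUP.search(cmdline)
    if not match:
        return []
    hits = []
    if event["image"].lower().endswith("\\cmd.exe"):
        hits.append("run_via_cmd")
    # nslookup syntax is: nslookup [-options] name [server]
    positional = [t.strip('"') for t in match.group("args").split()
                  if not t.startswith("-")]
    if len(positional) >= 2 and positional[1] not in APPROVED_RESOLVERS:
        hits.append("explicit_unapproved_resolver")
    if NAME_FILTER.search(cmdline):
        hits.append("output_filtered_on_name")
    return hits


def triage(events):
    """Keep events that name an unapproved resolver and filter on Name."""
    wanted = {"explicit_unapproved_resolver", "output_filtered_on_name"}
    return [e for e in events if wanted <= set(indicators(e))]


if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print(indicators(event), event["command_line"])
```

An explicit resolver argument alone also appears in routine troubleshooting, so the triage step requires it together with the Name filter before raising an event.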

The report also notes a threat actor codenamed GrayBravo (formerly TAG-150) associated with related campaigns, and describes this DNS-based ClickFix variation as part of a broader evolution of the tactic.


Article by CyberSIXT