Microsoft has warned users that threat actors are leveraging a new variant of the ClickFix technique to deliver malware, mainly targeting corporate environments. The attack involves displaying a fake error message on a compromised site, prompting the user to run commands that lead to malware delivery.
In the observed variant, the attacker’s initial command runs through cmd[.]exe and performs a DNS lookup against a hard-coded external DNS server, with the output filtered to extract the ‘Name:’ DNS response, which is then executed as the second-stage payload. The final payload is a remote access Trojan named ModeloRAT, designed to collect information on the compromised system and download additional payloads.
While Microsoft has not shared further details, Huntress recently reported that a threat actor tracked as KongTuke had been deploying ModeloRAT via a ClickFix variant dubbed CrashFix. The report appears in SecurityWeek, dated 16 February 2026.
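For defenders, the command pattern described above can be turned into a triage check over process-creation logs. The following is an added example, not code from Microsoft, Huntress or SecurityWeek. It assumes the lookup is made with `nslookup` and the filter with `findstr` or `find` (the report names neither tool), and the resolver allowlist, host names and addresses are constructed placeholders.

```python
import re

# Assumption: resolvers this organisation really uses (constructed values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

CMD_RE = re.compile(r"\bcmd(?:\.exe)?\b", re.I)
LOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b(?P<args>[^|&]*)", re.I)
NAME_FILTER_RE = re.compile(r"\bfind(?:str)?(?:\.exe)?\b[^|&]*Name:", re.I)


def explicit_server(args):
    """nslookup takes the resolver as its second positional argument."""
    positional = [a for a in args.split() if not a.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def indicators(command_line):
    """Return which traits of the reported command a process command line shows."""
    line = command_line.replace("^", "")  # carets are cmd.exe escapes, gone at run time
    lookup = LOOKUP_RE.search(line)
    if not (CMD_RE.search(line) and lookup):
        return []
    hits = ["cmd_dns_lookup"]
    server = explicit_server(lookup.group("args"))
    if server and server not in APPROVED_RESOLVERS:
        hits.append("unapproved_resolver")
    if NAME_FILTER_RE.search(line):
        hits.append("name_field_filter")
    return hits


def flagged_hosts(events):
    """Hosts where one command line shows all three traits together."""
    return sorted({e["host"] for e in events if len(indicators(e["command_line"])) == 3})


# Constructed process-creation events; hosts, names and addresses are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS-0101", "command_line": "cmd.exe /c nslookup intranet.example.invalid"},
    {"host": "WS-0117", "command_line": 'cmd.exe /c nslookup intranet.example.invalid 10.0.0.53 | findstr "Name:"'},
    {"host": "WS-0142", "command_line": 'cmd.exe /c nslookup host.example.invalid 203.0.113.10 | findstr "Name:"'},
    {"host": "WS-0150", "command_line": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["host"], indicators(event["command_line"]))
```

Requiring all three traits on one command line keeps routine administrator lookups against approved resolvers out of the alert queue; the same logic maps onto Sysmon Event ID 1 or EDR process telemetry.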