By employing a new command to get around security and force users to infect their own devices with malware, in this case a remote access Trojan (RAT) for Windows systems, ClickFix attacks have changed to accommodate the most recent defenses. The attacks have been going on since 2024, and Microsoft was the first to notice the change. Last week, they posted on X that ClickFix attackers had developed "yet another evasion approach" by using the nslookup command rather than the PowerShell or mshta commands that were used in earlier attacks.

According to Microsoft, attackers are now "asking targets to run a command that executes a custom DNS lookup and parses the 'Name:' response to receive the next-stage payload for execution."

According to the company, using DNS in this way enables attackers to "blend malicious activity into normal network traffic" and lessens reliance on conventional Web requests. Even in an enterprise setting, the attacks can be effective, leaving corporate users who browse the Web vulnerable. First of all, they should be cautious when following instructions on a webpage or prompt, particularly if they ask them to copy and paste code or execute commands on your device.

Arntz cautioned that some attacks use countdowns or timers to obtain these commands or updates. He wrote, "Be wary of pages that urge immediate action, as attackers use urgency to circumvent your critical thinking."

Related: 'Sicarii' Ransomware Is Vibe-Coded and Undecryptable Additionally, Arntz advised against executing commands or scripts from unreliable sources, including emails, messages, and websites, "unless you trust the source and understand the action’s purpose," he wrote. Before acting, it is beneficial to independently confirm the instructions using official documentation or even customer service.