The "ClickFix" social engineering technique has been improved by cybercriminals, who now use covert exploitation of nslookup.exe to deliver payloads instead of loud PowerShell scripts. Originally created for legitimate DNS queries, this Windows command-line tool now enables attackers to stage malware via DNS channels without setting off standard alerts. Muhammad Hassoub, a security researcher, initially observed this development in recent campaigns in which victims are duped into executing commands that appear to be browser fixes.

In traditional ClickFix attacks, the victim copies malicious code from a fake error page and pastes it into a terminal. Earlier iterations moved data through cleartext PowerShell strings or DNS TXT records, which endpoint detection tools readily flagged. To adapt, attackers now abuse the "Name" response field returned by nslookup.exe, blending malicious fetches into regular network traffic and sidestepping monitors that watch only for TXT-based DNS tunneling.

Exploit of nslookup.exe (Source: LinkedIn)

On LinkedIn, Hassoub described the method in detail, noting that it is an example of "Living off the Land" (LoLBin) tradecraft, which relies on trusted system binaries to stay undetected. The attack flow begins with a phishing lure that prompts the user to run nslookup commands against attacker-controlled domains. For instance, if a victim runs nslookup example.com 8.8.8.8, Base64-encoded payloads may be returned in the "Name" field of the response.

Because no file is downloaded, the staged content is decoded and held straight in memory. The technique is low-noise and goes unnoticed in business settings because it looks like an administrator's DNS lookup.

Hunting Leads and Detection Difficulties

Conventional defenses fall short here. Tools that search for PowerShell anomalies or TXT records overlook the subtle role of nslookup.exe.

To extend hunting to LoLBin behaviors, SOC teams need to correlate suspicious DNS responses with nslookup executions.

Hassoub made two CrowdStrike Query Language (CQL) hunting leads available to Falcon users:

1. nslookup execution. Query: cmdline=nslookup event_platform="win" event_precedence=1. Why use it: finds unusual nslookup executions connected to ClickFix.

2. DNS "Name" field abuse. Query: event_simpleName: DsResponse_name=base; event dns_question_name=malicious-domain64-payload. Why use it: flags payload staging in "Name" responses.

These queries look for patterns in enterprise logs, such as oversized "Name" fields or recurring queries to rogue domains. Defenders should baseline typical nslookup usage and monitor for deviations, such as queries from non-admin contexts.
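As an added illustration of the correlation described above (not Hassoub's queries or CrowdStrike's code), the following Python joins a constructed process-execution feed with a constructed DNS-response feed from the same host and flags answers whose "Name" is oversized or looks like a Base64 blob rather than a hostname; the field names, hosts, timestamps and answer values are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): a process-execution feed and a DNS-response feed.
PROCESS_EVENTS = [
    {"host": "ws01", "ts": "2024-05-01T10:00:00", "image": "nslookup.exe",
     "cmdline": "nslookup lookup.attacker-example.test 8.8.8.8"},
    {"host": "ws02", "ts": "2024-05-01T10:05:00", "image": "nslookup.exe",
     "cmdline": "nslookup dc01.corp.local"},
]
DNS_EVENTS = [
    {"host": "ws01", "ts": "2024-05-01T10:00:01", "question": "lookup.attacker-example.test",
     "answer_name": "Q09OU1RSVUNURURTQU1QTEUwMTIzNDU2Nzg5Q09OU1RSVUNURUQ="},  # constructed blob
    {"host": "ws02", "ts": "2024-05-01T10:05:01", "question": "dc01.corp.local",
     "answer_name": "dc01.corp.local"},
]

BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")

def suspicious_name(answer_name, min_len=40):
    """Return why a response Name looks like staged data, or None for a plausible hostname."""
    body = answer_name.replace(".", "")           # a blob may be split into labels by dots
    if len(answer_name) > 253:                    # longer than any legal DNS name
        return "oversized_name"
    # Hostnames are lowercase by convention; a long mixed-case run of the Base64 alphabet is not one.
    mixed = body != body.lower() and any(c.isdigit() for c in body)
    if len(body) >= min_len and mixed and BASE64_CHARS.match(body):
        return "base64_like_name"
    return None

def correlate(process_events, dns_events, window_seconds=5):
    """Join nslookup.exe executions with DNS responses on the same host shortly afterwards."""
    alerts = []
    for p in process_events:
        if p["image"].lower() != "nslookup.exe":
            continue
        t0 = datetime.fromisoformat(p["ts"])
        for d in dns_events:
            t1 = datetime.fromisoformat(d["ts"])
            if d["host"] != p["host"] or not t0 <= t1 <= t0 + timedelta(seconds=window_seconds):
                continue
            reason = suspicious_name(d["answer_name"])
            if reason:
                alerts.append({"host": p["host"], "cmdline": p["cmdline"],
                               "question": d["question"], "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, DNS_EVENTS):
        print(alert)
```

Only the ws01 pair is reported; the legitimate lookup on ws02 resolves to an ordinary hostname and produces no alert.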

No specific IOCs such as hashes or IPs have surfaced yet, and the domains to monitor from Hassoub's post have not been published either. Mitigations include blocking untrusted DNS resolvers, patch management, and user training that mimics ClickFix lures. This campaign highlights the dual-use risk of DNS. As attackers innovate, proactive hunting with tools like CrowdStrike closes the gaps.

Review detections now to prevent payload staging.