{"id":41037,"date":"2026-02-16T08:44:34","date_gmt":"2026-02-16T08:44:34","guid":{"rendered":"http:\/\/localhost\/?p=41037"},"modified":"2026-02-16T08:44:34","modified_gmt":"2026-02-16T08:44:34","slug":"clickfix-added-nslookup-commands-to-its-arsenal-for-downloading-rats","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=41037","title":{"rendered":"ClickFix added nslookup commands to its arsenal for downloading RATs_MALWAREBYTES:C2E5989E9E4B0AF9A00B6C5B8BD0B7AE"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-16T14:09:50&#8243;,&#8221;description&#8221;:&#8221;ClickFix malware campaigns are all about tricking the victim into infecting their own machine.\\n\\nApparently, the criminals behind these campaigns have figured out that **mshta** and **PowerShell** commands are increasingly being blocked by security software, so they have developed a new method using **nslookup**.\\n\\nThe initial stages are pretty much the same as we have seen before: fake CAPTCHA instructions to prove you\u2019re not a bot, solving non-existent computer problems or updates, causing browser crashes, and even instruction videos.\\n\\nThe idea is to get victims to run malicious commands to infect their own machine. The malicious command often gets copied to the victim\u2019s clipboard with instructions to paste it into the Windows Run dialog or the Mac terminal.\\n\\nNslookup is a built\u2011in tool for querying the internet \u201cphonebook,\u201d and the criminals are basically abusing that phonebook to smuggle in instructions and malware instead of just getting an address.\\n\\nIt exists to troubleshoot network problems, check if DNS is configured correctly, and investigate odd domains, not to download or run programs. 
But the criminals configured a server to reply with crafted data, so that part of the \u201canswer\u201d is actually another command or a pointer to malware, not just a normal IP address.\\n\\nMicrosoft provided these examples of malicious commands:\\n\\n![nslookup command examples](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/02\/commands.png?w=750)\\n\\nThese commands start an infection chain that downloads a ZIP archive from an external server. From that archive, it extracts a malicious Python script that runs routines to conduct reconnaissance, run discovery commands, and eventually drop a Visual Basic Script that drops and executes ModeloRAT.\\n\\nModeloRAT is a Python\u2011based remote access trojan (RAT) that gives attackers hands\u2011on control over an infected Windows machine.\\n\\nLong story short, the cybercriminals have found yet another way to use a trusted technical tool and make it secretly carry the next step of the attack, all triggered by the victim following what looks like harmless copy\u2011paste support instructions. At that point, they might hand over control of their system.\\n\\n## How to stay safe\\n\\nWith ClickFix running rampant\u2014and it doesn\u2019t look like it\u2019s going away anytime soon\u2014it\u2019s important to be aware, careful, and protected.\\n\\n  * **Slow down.** Don\u2019t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.\\n  * **Avoid running commands or scripts from untrusted sources.** Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action\u2019s purpose. Verify instructions independently. 
If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.\\n  * **Limit the use of copy-paste for commands.** Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.\\n  * **Secure your devices.** Use an up-to-date, real-time anti-malware solution with a web protection component.\\n  * **Educate yourself on evolving attack techniques.** Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!\\n\\n**Pro tip:** Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?\\n\\n* * *\\n\\n**We don&#8217;t just report on threats\u2014we help safeguard your entire digital identity**\\n\\nCybersecurity risks should never spread beyond a headline. Protect your, and your family&#8217;s, personal information by using identity protection.&#8221;,&#8221;published&#8221;:&#8221;2026-02-16T13:09:37&#8243;,&#8221;modified&#8221;:&#8221;2026-02-16T13:09:37&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;ClickFix added nslookup commands to its arsenal for downloading 
RATs&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:C2E5989E9E4B0AF9A00B6C5B8BD0B7AE&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/news\/2026\/02\/clickfix-added-nslookup-commands-to-its-arsenal-for-downloading-rats&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_sever
ity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-16T14:09:50&#8243;,&#8221;description&#8221;:&#8221;ClickFix malware campaigns are all about tricking the victim into infecting their own machine.\\n\\nApparently, the criminals behind these campaigns have figured out that **mshta** and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-41037","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>ClickFix added nslookup commands to its arsenal for downloading RATs_MALWAREBYTES:C2E5989E9E4B0AF9A00B6C5B8BD0B7AE - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=41037\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ClickFix added nslookup commands to its arsenal for downloading RATs_MALWAREBYTES:C2E5989E9E4B0AF9A00B6C5B8BD0B7AE - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-02-16T14:09:50&#8243;,&#8221;description&#8221;:&#8221;ClickFix malware campaigns are all about tricking the victim into infecting their own machine.nnApparently, the criminals behind these campaigns 
have figured out that **mshta** and...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=41037\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-16T08:44:34+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41037#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41037\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"ClickFix added nslookup commands to its arsenal for downloading RATs_MALWAREBYTES:C2E5989E9E4B0AF9A00B6C5B8BD0B7AE\",\"datePublished\":\"2026-02-16T08:44:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41037\"},\"wordCount\":778,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41037#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41037\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41037\",\"name\":\"ClickFix added nslookup commands to its arsenal for downloading RATs_MALWAREBYTES:C2E5989E9E4B0AF9A00B6C5B8BD0B7AE - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-16T08:44:34+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41037#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41037\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41037#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ClickFix added nslookup commands to its arsenal for downloading RATs_MALWAREBYTES:C2E5989E9E4B0AF9A00B6C5B8BD0B7AE\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}