In recent weeks, the security community has once again warned about a social engineering tactic that exploits users' trust to get them to run harmful code on their own machines. Microsoft was among those raising the alarm, documenting a ClickFix variant that uses DNS queries to signal the next phase of the attack. The technique is elegant because it uses a native Windows tool as the delivery vehicle: nslookup becomes the driver of the malicious chain. Microsoft's technical explanation is available in its public post on the research (MsftSecIntel on X), and for anyone who wants to understand how nslookup works there is official documentation in Microsoft Docs and practical guides such as Linode's.
The story, told simply, goes like this: the victim browses to a compromised or malicious page that shows a convincing message (for example, a fake CAPTCHA or "fix-it" instructions) and asks them to run a command from the Windows Run box. In the new variant, that command invokes cmd.exe and uses nslookup against a DNS server controlled by the attacker rather than the system resolver. The response to that query contains, among other things, a Name: field, and the exploit filters out that line and treats it as the command that will execute the next stage. It is a form of lightweight signalling over DNS: attackers can confirm that the target is ready and make the malicious behaviour look like legitimate DNS traffic, which often goes unnoticed.

This approach has two advantages for the attacker. On the one hand, it reduces dependence on classic HTTP requests, which are easier to inspect and block; on the other, it takes advantage of the nature of DNS traffic to slip through the network unnoticed. Microsoft points out that this tactic also lets the attacker add a prior check before delivering the final payload, an extra control layer that complicates detection. Technically minded readers can dig deeper into the idea of DNS as a channel in Microsoft's analysis and in community discussions.
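The network-side symptom of the staging described above is a workstation talking on port 53 to something other than the organisation's own resolvers, usually followed within seconds by the connection that fetches the next stage. The following Python is an added example, not code from the article or from Microsoft: the flow log lines, the key=value format, the client subnet and the sanctioned resolver addresses are all constructed for illustration.

```python
"""Network-side check for DNS staging: workstations that send DNS traffic
straight to resolvers outside the sanctioned set, and the outbound connection
that follows (the likely payload download).
Added example; the flow log lines, subnets and resolver addresses are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed environment: approved internal resolvers and the client subnet.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
CLIENT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed firewall/flow log in a simplified key=value format (assumption).
SAMPLE_FLOWS = """\
ts=2025-05-01T09:00:01Z src=10.20.4.17 dst=10.0.0.53 proto=udp dport=53 action=allow
ts=2025-05-01T09:00:05Z src=10.20.4.17 dst=198.51.100.23 proto=udp dport=53 action=allow
ts=2025-05-01T09:00:06Z src=10.20.4.17 dst=198.51.100.23 proto=tcp dport=53 action=allow
ts=2025-05-01T09:00:09Z src=10.20.4.17 dst=203.0.113.8 proto=tcp dport=443 action=allow
ts=2025-05-01T09:01:00Z src=10.20.7.2 dst=10.0.1.53 proto=udp dport=53 action=allow
ts=2025-05-01T09:02:00Z src=10.0.0.53 dst=192.0.2.10 proto=udp dport=53 action=allow
this line is malformed and must be skipped
"""

FLOW_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            ts, src, dst, proto, dport = m.groups()
            flows.append({"ts": ts, "src": src, "dst": dst,
                          "proto": proto, "dport": int(dport)})
    return flows


def _ts(s):
    # Accept the trailing "Z" on older Python versions as well.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLIENT_SUBNETS)


def is_rogue_dns(flow, sanctioned=SANCTIONED_RESOLVERS):
    """Port-53 traffic from a client to anything but an approved resolver.
    The resolvers' own upstream queries are excluded by the client check."""
    return (flow["dport"] == 53 and is_client(flow["src"])
            and flow["dst"] not in sanctioned)


def find_rogue_dns(text):
    """Return {client_ip: sorted list of unsanctioned DNS destinations}."""
    hits = defaultdict(set)
    for f in parse_flows(text):
        if is_rogue_dns(f):
            hits[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def correlate_followup(text, window_s=60):
    """Pair each rogue DNS flow with the first non-DNS connection the same client
    opens within window_s seconds: the second-stage download usually follows the
    DNS 'go' signal quickly. Returns sorted (src, dns_server, next_dst, next_port)."""
    flows = parse_flows(text)
    pairs = set()
    for i, f in enumerate(flows):
        if not is_rogue_dns(f):
            continue
        for g in flows[i + 1:]:
            if g["src"] != f["src"] or g["dport"] == 53:
                continue
            if (_ts(g["ts"]) - _ts(f["ts"])).total_seconds() <= window_s:
                pairs.add((f["src"], f["dst"], g["dst"], g["dport"]))
            break
    return sorted(pairs)


if __name__ == "__main__":
    for host, servers in find_rogue_dns(SAMPLE_FLOWS).items():
        print(f"{host}: direct DNS to unsanctioned {', '.join(servers)}")
    for src, dns, nxt, port in correlate_followup(SAMPLE_FLOWS):
        print(f"{src}: DNS to {dns} followed by {nxt}:{port}")
```

The client-subnet check matters: the recursive resolver itself legitimately talks to the internet on port 53, so a naive "any external port 53" rule would flood the queue with the resolver's own upstream queries. Blocking outbound port 53 from workstations at the perimeter, and alerting on the attempts, removes this channel entirely for networks that can enforce it.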
What happens after that initial DNS query? In the observed campaign, the attack chain downloads a compressed file from an external server (identified as "azwsappdev [.] com" in the analysis), extracts a Python script that performs system reconnaissance and information gathering, plants a VBScript that in turn launches a RAT called ModeloRAT, and leaves persistent access by creating a shortcut (LNK file) in the Windows Startup folder. In other words, what begins as a command the user types by hand can end with remote control over the machine and persistence across reboots.
In parallel with this kind of abuse, cybersecurity firms have detected a resurgence in the activity of information stealers and of the loaders that serve as a bridge for them. Bitdefender, for example, documented a Lumma Stealer comeback that is spreading through fake CAPTCHA campaigns using a loader known as CastleLoader. This loader, now in AutoIt versions, includes checks that attempt to detect virtual machines or certain security products before decrypting and running the stealer in memory, which makes analysis and response harder (Bitdefender report: bitdefender.com).
The industry has seen multiple variants: CastleLoader is distributed via supposed cracked software installers or files that look like MP4 videos but are actually malicious executables; other campaigns have used fake NSIS installers that run obfuscated VBA scripts before launching the AutoIt loader; and there are still alternative loader families such as RenEngine, which according to Kaspersky has served to spread Lumma and other stealers with a double-loader technique (RenEngine → Hijack Loader → stealer). The geographical record of these infections shows that no region is entirely safe: reports cite countries such as India, France, the United States, Spain, Germany, Brazil and Mexico among the most affected (Kaspersky Securelist).
Windows is not the only platform in the crosshairs. On macOS, sophisticated campaigns have been observed that go specifically after cryptocurrency funds and credentials. One example is Odyssey Stealer, described by Censys, which not only steals data from wallet extensions and applications but also installs a persistent service that polls the command-and-control server every minute and can open SOCKS5 tunnels to route traffic. The attackers know that Mac users handle cryptocurrency assets and target that concentration of value.

There are also creative and worrying social engineering tactics that use artificial intelligence and advertising services. Research has shown how malicious actors use sponsored results and public pages on generative model platforms (for example, links that lead to instructions hosted on services like Claude) to place legitimate-looking instructions that induce the execution of commands on macOS or Windows; AdGuard documented cases in which an ad leads to a known legitimate domain, but the chain ends up distributing malware through apparently technical, trustworthy-looking instructions (AdGuard). In addition, analysts such as Moonlock Lab have pointed out that attackers reuse aged domains with a history in order to evade filters and give an impression of legitimacy, a trick that complicates simple blocklisting (Moonlock Lab).
Given this scenario, prevention relies less on magic patches and more on habits and controls: do not run commands you receive through a web page or by email without checking them, distrust supposed CAPTCHAs that ask for atypical actions, avoid downloading "cracks" or pirated software, and keep security tools up to date. For corporate environments, it is key to have detection that understands platform-specific behaviours on macOS and Windows (for example, the creation of LaunchDaemons, access to the Keychain, unusual use of Terminal, or execution of Apple-signed binaries with unexpected actions), something that analysts like Flare recommend in their review of the wave of macOS stealers (Flare).
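The endpoint-side behaviours this article describes can be expressed as a small set of triage rules: on Windows, cmd.exe parsing nslookup output for the Name: line and a shortcut landing in the Startup folder (the chain described earlier), and on macOS, a LaunchDaemon plist created by something other than the installer and the Keychain being touched from a scripting engine (the controls listed just above). The Python below is an added example written for this page, not code from the article, Microsoft, or Flare; the event dictionaries, their field names, the resolver and installer allowlists, and the host names are constructed, and the ClickFix command line in the sample is deliberately left incomplete with "...".

```python
"""Endpoint triage rules for the behaviours discussed above: the ClickFix
cmd.exe/nslookup staging pattern and Startup-folder LNK persistence on Windows,
LaunchDaemon creation and Keychain access from scripting engines on macOS.
Added example; the events are constructed and the field names are an assumption
modelled loosely on EDR/Sysmon process- and file-creation telemetry."""
from collections import defaultdict

# Assumed environment facts.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
MACOS_INSTALLERS = {"/usr/sbin/installer"}          # legitimate LaunchDaemon writers
SCRIPT_ENGINES = {"/usr/bin/osascript", "/usr/bin/python3"}
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"

# Constructed telemetry. The ClickFix command line is deliberately elided ("...").
SAMPLE_EVENTS = [
    {"host": "WS-0142", "os": "windows", "kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c for /f ... in ('nslookup check.example 203.0.113.5 ^| findstr Name:') do ..."},
    {"host": "WS-0142", "os": "windows", "kind": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "nslookup check.example 203.0.113.5"},
    {"host": "WS-0142", "os": "windows", "kind": "file", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"host": "WS-0077", "os": "windows", "kind": "file", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    {"host": "MAC-09", "os": "macos", "kind": "file", "image": "/usr/bin/osascript",
     "path": "/Library/LaunchDaemons/com.example.helper.plist"},
    {"host": "MAC-09", "os": "macos", "kind": "process", "image": "/usr/bin/security",
     "parent": "/usr/bin/osascript", "cmdline": "security find-generic-password ..."},
    {"host": "MAC-03", "os": "macos", "kind": "file", "image": "/usr/sbin/installer",
     "path": "/Library/LaunchDaemons/com.vendor.agent.plist"},
]


def rule_clickfix_dns_staging(e):
    """cmd.exe parsing nslookup output for the Name: line (the new ClickFix variant)."""
    c = e.get("cmdline", "").lower()
    if e["os"] == "windows" and e["kind"] == "process" and "nslookup" in c \
            and "name:" in c and ("for /f" in c or "findstr" in c):
        return "clickfix_dns_staging"


def rule_nslookup_external_server(e):
    """nslookup given an explicit server that is not an approved resolver."""
    if e["os"] != "windows" or e["kind"] != "process" \
            or not e["image"].lower().endswith("nslookup.exe"):
        return None
    args = [t for t in e.get("cmdline", "").split()[1:] if not t.startswith("-")]
    if len(args) >= 2 and args[1] not in SANCTIONED_RESOLVERS:
        return "nslookup_explicit_external_server"


def rule_startup_lnk(e):
    """A .lnk written to the Startup folder by something other than Explorer."""
    p = e.get("path", "").lower()
    if e["os"] == "windows" and e["kind"] == "file" and STARTUP_FRAGMENT in p \
            and p.endswith(".lnk") and not e["image"].lower().endswith("\\explorer.exe"):
        return "startup_lnk_persistence"


def rule_launchdaemon(e):
    """A LaunchDaemon plist created by a non-installer process."""
    p = e.get("path", "")
    if e["os"] == "macos" and e["kind"] == "file" and p.startswith("/Library/LaunchDaemons/") \
            and p.endswith(".plist") and e["image"] not in MACOS_INSTALLERS:
        return "launchdaemon_persistence"


def rule_keychain_from_script(e):
    """The security CLI touching the Keychain, spawned by a scripting engine."""
    if e["os"] == "macos" and e["kind"] == "process" \
            and e["image"] == "/usr/bin/security" and e.get("parent") in SCRIPT_ENGINES:
        return "keychain_access_from_script"


RULES = [rule_clickfix_dns_staging, rule_nslookup_external_server, rule_startup_lnk,
         rule_launchdaemon, rule_keychain_from_script]


def triage(events):
    """Return {host: sorted list of distinct rule names that fired}."""
    hits = defaultdict(set)
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                hits[e["host"]].add(name)
    return {h: sorted(n) for h, n in hits.items()}


def chained_hosts(events, min_rules=2):
    """Hosts where several stages of a chain were seen, worth escalating first."""
    return sorted(h for h, names in triage(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
    print("escalate:", ", ".join(chained_hosts(SAMPLE_EVENTS)))
```

Each rule on its own has benign matches (an administrator querying an external resolver, a user pinning a shortcut to Startup, a vendor package installing a daemon), which is why the allowlists exist and why `chained_hosts` ranks machines where two or more distinct stages appear: the combination of a DNS staging command, a persistence artefact and credential access on one host is far more specific than any single event.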
In short, attackers no longer depend solely on technical vulnerabilities: they are exploiting trust and habit. When a page asks you to open Run or Terminal to "fix" something, that is a red flag. Cybersecurity today requires a combination of user education, well-tuned technical controls and monitoring capable of detecting discreet channels such as DNS abuse or chained loaders. For system administrators, the lesson is clear: be very wary of shortcuts that seem fast and convenient, because sometimes they are precisely the mechanism that lets the attacker walk in through the front door.