
nslookup.exe, a Windows command-line tool designed for legitimate DNS queries, now lets attackers stage malware via DNS channels without triggering common alerts.
Security researcher Muhammad Hassoub first spotted this evolution in recent campaigns, where victims are tricked into running commands that masquerade as browser fixes.
In classic ClickFix attacks, users copy-paste malicious code from fake error pages. Earlier versions used obvious PowerShell strings or TXT records for data exfiltration, which endpoint detection tools easily flagged.
Attackers have adapted by exploiting nslookup.exe’s “Name” response field instead. This blends malicious fetches with routine network traffic, evading monitors focused on TXT-based DNS tunneling.

Hassoub detailed the technique on LinkedIn, noting how it exemplifies “Living off the Land” (LoLBin) tactics using trusted system binaries to stay hidden.
The attack flow starts with a phishing lure prompting users to execute nslookup commands against attacker-controlled domains.
For example, a victim might run nslookup example.com 8.8.8.8, where the response’s “Name” field contains Base64-encoded payloads. nslookup decodes and stages this directly in memory, bypassing downloads.
This low-noise method flies under the radar in enterprise environments, as it mimics admin DNS lookups.
Detection Challenges and Hunting Leads
Standard defenses falter here. Tools scanning for PowerShell anomalies or TXT records miss nslookup.exe’s subtle role.
SOC teams must expand hunting to LoLBin behaviors, correlating nslookup executions with suspicious DNS responses.
Hassoub released two CrowdStrike Query Language (CQL) leads for Falcon users:
| Query Type | CQL Hunting Lead | Purpose |
|---|---|---|
| nslookup Execution | `event_platform="win" event_precedence=1 cmdline=nslookup` | Detects anomalous nslookup runs tied to ClickFix |
| DNS Name Field Abuse | `event_simpleName=DsEvent dns_question_name=malicious-domain response_name=base64-payload` | Flags "Name" responses staging payloads |
These queries filter enterprise logs for patterns like repeated queries to rogue domains or oversized “Name” fields.
Defenders should baseline normal nslookup usage and alert on deviations, such as queries from non-admin contexts.
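The hunting logic described above, as an added example that is not from the article or from CrowdStrike: it runs offline over constructed process and DNS-response events (the event field names, the host and user names, the admin baseline and the `attacker-domain.invalid` placeholder are all assumptions, not real telemetry or IoCs). It flags a DNS "Name" field that looks like a Base64 blob rather than a hostname, correlates it with an nslookup execution on the same host inside a short time window, and raises severity when the user is outside the admin baseline.

```python
"""Hunting for nslookup.exe payload staging via the DNS "Name" field.

Added example; the event dictionaries below are a constructed approximation
of endpoint telemetry, not any vendor's real schema.
"""
import base64
import binascii
import re
from datetime import datetime, timedelta

# A real hostname in the Name field is rarely this long without a single dot.
MIN_SUSPICIOUS_LEN = 32
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed baseline: accounts that normally run nslookup on these hosts.
ADMIN_BASELINE = {"CORP\\netadmin", "CORP\\svc_monitor"}


def is_suspicious_name_field(name: str) -> bool:
    """True when the response Name looks like Base64 instead of a DNS name."""
    if "." in name or len(name) < MIN_SUSPICIOUS_LEN or not BASE64_RE.match(name):
        return False
    try:
        # Strict decode: stray characters or bad padding raise binascii.Error.
        base64.b64decode(name, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def correlate(process_events, dns_events, window_seconds=60):
    """Pair suspicious DNS responses with nslookup executions on the same host.

    Every event carries 'host' and 'ts' (ISO-8601). Returns a list of alerts;
    severity is 'high' when the user is not in the admin baseline.
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    for d in dns_events:
        if not is_suspicious_name_field(d["response_name"]):
            continue
        d_ts = datetime.fromisoformat(d["ts"])
        for p in process_events:
            if p["host"] != d["host"] or "nslookup" not in p["cmdline"].lower():
                continue
            if abs(datetime.fromisoformat(p["ts"]) - d_ts) > window:
                continue
            alerts.append({
                "host": d["host"],
                "user": p["user"],
                "cmdline": p["cmdline"],
                "question": d["question_name"],
                "name_field_len": len(d["response_name"]),
                "severity": "high" if p["user"] not in ADMIN_BASELINE else "medium",
            })
    return alerts


# Constructed sample telemetry (no real IoCs): one benign admin lookup and one
# ClickFix-style lookup whose Name response carries an encoded blob.
_STAGED_BLOB = base64.b64encode(b"constructed-stage-payload-bytes-0123456789").decode()

SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-042", "ts": "2025-01-15T10:00:00", "user": "CORP\\netadmin",
     "cmdline": "nslookup intranet.corp.example 10.0.0.53"},
    {"host": "WS-117", "ts": "2025-01-15T10:05:03", "user": "CORP\\jdoe",
     "cmdline": "nslookup attacker-domain.invalid 8.8.8.8"},
]
SAMPLE_DNS_EVENTS = [
    {"host": "WS-042", "ts": "2025-01-15T10:00:01",
     "question_name": "intranet.corp.example", "response_name": "intranet.corp.example"},
    {"host": "WS-117", "ts": "2025-01-15T10:05:04",
     "question_name": "attacker-domain.invalid", "response_name": _STAGED_BLOB},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_EVENTS):
        print(alert)
```

The dot check matters: legitimate Name values are fully qualified names, so a long dotless string that also decodes cleanly as Base64 is a much stronger signal than length alone, and the per-host time window keeps an unrelated admin lookup elsewhere on the network from inflating the alert count.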
No specific IOCs like hashes or IPs have surfaced yet, but monitor the domains from Hassoub's post. Patch management and user training remain key: block untrusted DNS resolvers and simulate ClickFix lures.
This campaign underscores DNS’s dual-use risk. As attackers innovate, proactive hunting with tools like CrowdStrike closes gaps. Review detections now to thwart payload staging.
The post Hackers Abuse nslookup.exe to Stage Payloads via DNS in ClickFix Attacks appeared first on Cyber Security News.
