
Hackers Abuse nslookup.exe to Stage Payloads via DNS in ClickFix Attacks

Cybercriminals have refined the “ClickFix” social engineering tactic, shifting from noisy PowerShell scripts to stealthy abuse of nslookup.exe for payload delivery.

This Windows command-line tool, designed for legitimate DNS queries, now lets attackers stage malware via DNS channels without triggering common alerts.

Security researcher Muhammad Hassoub first spotted this evolution in recent campaigns, where victims are tricked into running commands that masquerade as browser fixes.

In classic ClickFix attacks, users copy-paste malicious code from fake error pages. Earlier versions used obvious PowerShell strings or TXT records for data exfiltration, which endpoint detection tools easily flagged.

Attackers have adapted by exploiting nslookup.exe’s “Name” response field instead. This blends malicious fetches with routine network traffic, evading monitors focused on TXT-based DNS tunneling.

nslookup.exe Exploited (Source: LinkedIn)

Hassoub detailed the technique on LinkedIn, noting how it exemplifies “Living off the Land” binary (LOLBin) tactics, which use trusted system binaries to stay hidden.

The attack flow starts with a phishing lure prompting users to execute nslookup commands against attacker-controlled domains.

For example, a victim might run nslookup example.com 8.8.8.8, where the response’s “Name” field contains Base64-encoded payloads. nslookup decodes and stages this directly in memory, bypassing downloads.

This low-noise method flies under the radar in enterprise environments, as it mimics admin DNS lookups.

Detection Challenges and Hunting Leads

Standard defenses falter here. Tools scanning for PowerShell anomalies or TXT records miss nslookup.exe’s subtle role.

SOC teams must expand hunting to LoLBin behaviors, correlating nslookup executions with suspicious DNS responses.

Hassoub released two CrowdStrike Query Language (CQL) leads for Falcon users:

| Query Type | CQL Hunting Lead | Purpose |
|---|---|---|
| nslookup Execution | event_platform="win" event_precedence=1 cmdline=nslookup | Detects anomalous nslookup runs tied to ClickFix |
| DNS Name Field Abuse | event_simpleName=DsEvent dns_question_name=malicious-domain response_name=base64-payload | Flags “Name” responses staging payloads |

These queries filter enterprise logs for patterns like repeated queries to rogue domains or oversized “Name” fields.

Defenders should baseline normal nslookup usage and alert on deviations, such as queries from non-admin contexts.
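
The correlation described above can be sketched outside any particular EDR. The following is an added example, not code from Hassoub's post or from CrowdStrike: it joins nslookup process events to DNS responses and flags non-admin runs, explicitly named resolvers and encoded-looking "Name" values. The field names, thresholds and sample records are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed telemetry. Field names are assumptions, not a vendor schema.
PROCESS_EVENTS = [
    {"host": "ws-01", "pid": 4120, "image": "C:\\Windows\\System32\\nslookup.exe",
     "is_admin": True, "cmdline": "nslookup intranet.corp.example"},
    {"host": "ws-07", "pid": 5532, "image": "C:\\Windows\\System32\\nslookup.exe",
     "is_admin": False, "cmdline": "nslookup lure.example 8.8.8.8"},
]
DNS_RESPONSES = [
    {"host": "ws-01", "pid": 4120, "name": "intranet.corp.example"},
    {"host": "ws-07", "pid": 5532,
     "name": "Y29uc3RydWN0ZWQtc2FtcGxlLXBheWxvYWQtYnl0ZXM=.lure.example"},
]
BASE64ISH = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def name_looks_encoded(name, min_len=24, min_entropy=3.5):
    """True if a label is long, Base64-like and high-entropy (tune to your baseline)."""
    return any(len(label) >= min_len and bool(BASE64ISH.match(label))
               and entropy(label) >= min_entropy for label in name.split("."))

def hunt(process_events, dns_responses):
    """Join nslookup runs to their DNS responses on (host, pid) and collect reasons."""
    names = {}
    for r in dns_responses:
        names.setdefault((r["host"], r["pid"]), []).append(r["name"])
    findings = []
    for p in process_events:
        if not p["image"].lower().endswith("\\nslookup.exe"):
            continue
        args = [a for a in p["cmdline"].split()[1:] if not a.startswith("-")]
        reasons = []
        if not p["is_admin"]:
            reasons.append("non_admin_context")
        if len(args) >= 2:  # a second positional argument names a resolver
            reasons.append("explicit_resolver")
        if any(name_looks_encoded(n) for n in names.get((p["host"], p["pid"]), [])):
            reasons.append("encoded_name_field")
        if "encoded_name_field" in reasons or len(reasons) >= 2:
            findings.append({"host": p["host"], "pid": p["pid"], "reasons": reasons})
    return findings
```

Run over the constructed records, `hunt(PROCESS_EVENTS, DNS_RESPONSES)` returns a single finding for ws-07 and leaves the routine administrative lookup on ws-01 alone.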

No specific IOCs like hashes or IPs have surfaced yet, but monitor domains from Hassoub’s post. Patch management and user training remain key: block untrusted DNS resolvers and simulate ClickFix lures.

This campaign underscores DNS’s dual-use risk. As attackers innovate, proactive hunting with tools like CrowdStrike closes gaps. Review detections now to thwart payload staging.


The post Hackers Abuse nslookup.exe to Stage Payloads via DNS in ClickFix Attacks appeared first on Cyber Security News.

rssfeeds-admin
