This technique, noticed by Researcher Muhammad Hassoub,
ClickFix Leveraging nslookup
The ClickFix tactic has traditionally deceived users through fake error messages or prompts that trick them into running malicious commands.
In this latest variant, attackers have moved away from noisy, easily detectable tools and instead leverage nslookup.exe, a standard Windows command-line tool used for DNS troubleshooting.
What makes this approach particularly evasive is the exploitation of the DNS “Name” response field to deliver payload data, rather than conventional TXT records that security solutions commonly monitor.
By using nslookup.exe, attackers can blend their malicious activity with legitimate network diagnostic operations.
The tool queries attacker-controlled DNS servers, which return specially crafted responses containing encoded malicious payloads in the Name field.
This data is then extracted and executed on the victim’s system, completing the infection chain while generating minimal security alerts.
This technique poses significant challenges for security teams because nslookup.exe is a trusted Windows binary that frequently appears in legitimate administrative activities.
Traditional detection rules focused on PowerShell-based ClickFix attacks will miss this DNS-based variant entirely.
The abuse of the Name field rather than TXT records further reduces the attack’s signature, as security monitoring tools typically focus on more commonly exploited DNS record types.
Security researcher Muhammad Hassoub has developed CrowdStrike CQL hunting queries specifically designed to detect this malicious nslookup.exe behavior.
These detection rules help identify suspicious DNS query patterns and unusual nslookup.exe execution contexts that may indicate ClickFix compromise attempts.
Researcher Muhammad Hassoub advises organizations to enhance DNS monitoring and implement behavioral detection rules to flag unusual nslookup.exe activity, especially queries to newly registered or suspicious domains.
Blue teams must expand their threat-hunting scope beyond PowerShell-focused indicators to catch living-off-the-land techniques that leverage trusted system utilities for malicious purposes.
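As an added illustration of the behavioral detection the article recommends (my own example, not Hassoub's CrowdStrike CQL queries), the Python below scores constructed nslookup.exe telemetry on three traits described above: an explicit resolver operand that is not a corporate DNS server, nslookup output being consumed by the launching shell rather than displayed, and a returned Name that looks like encoded data instead of a hostname. The sample events, the corporate suffix and resolver allowlists, and the entropy and length thresholds are all assumptions for the demonstration.

```python
import math, re
from collections import Counter
# Constructed sample telemetry (not from the article): each record pairs an
# nslookup.exe command line with the answer Name(s) that came back.
SAMPLE_EVENTS = [
    {"cmdline": "nslookup.exe mail.corp.example.com", "answers": ["mail.corp.example.com"]},
    {"cmdline": "nslookup host.corp.example.com 10.0.0.53", "answers": ["host.corp.example.com"]},
    {"cmdline": "cmd /c for /f \"tokens=*\" %i in ('nslookup -type=A x.dns-cdn.test 198.51.100.7') do echo %i",
     "answers": ["q7Zk2pV9xLm4Rt8sB1nE6wY0cHd3JfGaUoKiPzXe.dns-cdn.test"]},
]
# Shell constructs that consume nslookup's output instead of just displaying it.
OUTPUT_PARSING = re.compile(r"for\s+/f|findstr|\||Select-String|ForEach", re.I)

def label_entropy(label):
    """Shannon entropy (bits per char) of one DNS label; real hostnames score low."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())
def explicit_server(cmdline):
    """Server operand of 'nslookup [-opts] name server', or None if the default resolver is used."""
    m = re.search(r"nslookup(?:\.exe)?\s+(.*)", cmdline, re.I)
    if not m:
        return None
    args = [t.strip("'\")(") for t in m.group(1).split() if not t.startswith("-")]
    return args[1] if len(args) >= 2 else None
def encoded_name_traits(name, corp_suffixes):
    """Traits of a returned Name that fit encoded data rather than a hostname."""
    if name.lower().endswith(tuple(corp_suffixes)):
        return []
    longest = max(name.split("."), key=len)
    reasons = []
    if len(longest) >= 32:
        reasons.append("long label")
    if label_entropy(longest) >= 4.0:
        reasons.append("high entropy")
    if all(re.search(p, longest) for p in (r"\d", r"[A-Z]", r"[a-z]")):
        reasons.append("mixed case and digits")
    return reasons
def assess(event, corp_suffixes=(".corp.example.com",), corp_resolvers=("10.0.0.53",)):
    """Findings for one event; an empty list means nothing suspicious (allowlists are assumed)."""
    findings = []
    server = explicit_server(event["cmdline"])
    if server and server not in corp_resolvers:
        findings.append(f"query sent to non-corporate resolver {server}")
    if OUTPUT_PARSING.search(event["cmdline"]):
        findings.append("nslookup output is consumed by a parsing construct")
    for name in event["answers"]:
        reasons = encoded_name_traits(name, corp_suffixes)
        if len(reasons) >= 2:
            findings.append(f"answer Name looks like encoded data ({', '.join(reasons)}): {name}")
    return findings
```

Only the third constructed event trips all three checks; the two administrative lookups against corporate names and the corporate resolver produce no findings.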
The post Hackers Leveraging nslookup.exe to Stage Payloads via DNS Using Clickfix Attack appeared first on Cyber Security News.