Triage Logo
Back to all articles
ThreatBrief Social EngineeringEndpoint SecurityNetwork Traffic Analysis

Analysis: Social Engineering Campaigns Pivot to DNS Lookup Abuse

Recent observations indicate that social engineering campaigns are shifting tactics to bypass traditional security filters. This analysis covers how threat actors now utilize the Windows `nslookup` command to deliver unauthorized payloads and provides guidance on detection and prevention.

Triage Security Media Team
3 min read

Social engineering campaigns, specifically those categorized as "ClickFix," have adapted their delivery mechanisms to bypass modern defense measures. Security research indicates that threat actors are now utilizing the Windows nslookup utility to enable unauthorized access, replacing previous reliance on PowerShell or mshta commands which are more easily flagged by security software.

shifting tactics in payload delivery

Microsoft Intelligence recently identified this tactical shift, noting that campaigns active since 2024 are moving toward evasion techniques that blend with normal network traffic. In this iteration, the user is instructed to execute a command that performs a custom DNS lookup.

The script parses the "Name:" field including the DNS response and retrieve the next stage of the installation. By using DNS for data retrieval, the activity minimizes reliance on traditional HTTP web requests. This allows the traffic to appear as standard infrastructure queries, making it difficult for conventional web filters to detect malicious intent, even within enterprise environments.

technical analysis of the infection chain

The execution flow observed involves a multi-stage process:

  1. Initial Access: The user is induced to run a command via the Windows Run dialog.

  2. Payload Retrieval: The command utilizes nslookup to query a TXT record or specific DNS entry controlled by the threat actor.

  3. Extraction: This action triggers the download of a ZIP archive from an external server.

  4. Execution: A Python script within the archive extracts and executes a Visual Basic Script (VBS).

  5. Installation: The VBS deploys ModeloRAT, a Python-based remote access tool that provides unauthorized control over the compromised Windows system.

abuse of legitimate diagnostic tools

According to analysis by Malwarebytes Labs, the shift to nslookup represents an attempt to circumvent the blocking of mshta and PowerShell by endpoint detection systems.

nslookup is a standard diagnostic tool used to query the Domain Name System—effectively the internet's phonebook. It is designed to troubleshoot network connectivity and verify DNS configurations. Threat actors are abusing this trusted utility to smuggle configuration data and code segments under the guise of address resolution. Because the tool is native to the operating system and essential for network administration, it is rarely blocked by default policies.

the social engineering component

While the technical delivery method has evolved, the initial engagement strategy remains consistent with previous findings. Users are presented with deceptive overlays, such as fake CAPTCHA prompts or simulated error messages (e.g., browser crashes or update requirements).

These prompts create a false sense of urgency or security, instructing the user to copy and paste a specific script to "verify" their identity or "fix" the simulated issue. This technique relies on the user's willingness to manually execute code to resolve an immediate interruption to their workflow.

protective measures and detection

To mitigate the risks associated with these campaigns, organizations and users should focus on verification and behavior monitoring.

Verification of Technical Instructions Users should exercise caution when web pages ask them to copy and paste commands into system terminals or the Windows Run dialog. Legitimate service providers and CAPTCHA challenges will not require a user to execute system-level code. If a browser prompt claims a critical error, verify the issue through official support channels or documentation before taking action.

Endpoint Monitoring Security teams can improve detection by monitoring for unusual nslookup usage. Indicators of interest include:

  • nslookup commands executed directly from the Run dialog or unexpected parent processes.

  • DNS queries that return unusually large text strings or encoded data.

  • Immediate execution of scripts (Python, VBS) following a DNS lookup.

Reducing the Attack Surface Where feasible, limiting the ability to execute complex commands directly from the clipboard can reduce the likelihood of successful social engineering. Encouraging users to manually type commands—or restricting clipboard execution in sensitive terminals—provides a pause that may allow the user to recognize suspicious syntax.

Sources & References