Overview
- Victims were instructed to run nslookup against an attacker-controlled DNS server at 84.21.189.20, with the response’s Name field carrying the second-stage PowerShell.
- The command was executed via cmd.exe, which parsed the nslookup output and ran the embedded script to reach attacker infrastructure.
- The second stage fetched a ZIP containing a Python runtime and malicious scripts used for reconnaissance before deploying the final payload.
- Persistence artifacts included %APPDATA%\WPy64-31401\python\script.vbs and a %STARTUP%\MonitoringService.lnk shortcut to launch the VBScript at startup.
- Microsoft says the DNS server is now offline, but warns this DNS-based staging marks an escalation in ClickFix tradecraft, as related campaigns have also leveraged Azure OAuth consent abuse and lures on AI pages and Pastebin.
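The two detection opportunities above (nslookup pointed at an explicit external resolver from a cmd.exe parent, and the named persistence artifacts) can be checked directly against endpoint telemetry. The following is an added example written for this summary, not code from Microsoft or the original report. It assumes a simple JSON-lines event schema (`event`, `image`, `cmdline`, `parent`, `path`); the resolver IP is the one named above, and every log line is a constructed sample.

```python
"""Scan constructed endpoint events for the ClickFix DNS-staging pattern.

Assumed schema (hypothetical, one JSON object per line):
  {"event": "process", "image": ..., "cmdline": ..., "parent": ...}
  {"event": "file",    "path": ...}
"""
import ipaddress
import json
import re

# Resolver IP taken from the summary above; extend with your own IOCs.
ATTACKER_DNS = {"84.21.189.20"}

# Persistence artifacts named in the summary, matched case-insensitively
# against the tail of the path so the user profile prefix does not matter.
PERSISTENCE_PATTERNS = [
    re.compile(r"\\wpy64-31401\\python\\script\.vbs$", re.I),
    re.compile(r"\\startup\\monitoringservice\.lnk$", re.I),
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_public(ip: str) -> bool:
    """True for routable addresses; a corporate resolver on RFC1918 space is expected."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def check_event(ev: dict) -> list:
    """Return the reasons this event is suspicious (empty list if none)."""
    reasons = []
    if ev.get("event") == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmdline = ev.get("cmdline", "")
        if image.endswith("nslookup.exe"):
            for ip in IPV4.findall(cmdline):
                if ip in ATTACKER_DNS:
                    reasons.append(f"nslookup to known attacker resolver {ip}")
                elif is_public(ip):
                    reasons.append(f"nslookup with explicit external resolver {ip}")
            # The staging chain runs nslookup from cmd.exe; note that context.
            if reasons and parent.endswith("cmd.exe"):
                reasons.append("nslookup spawned by cmd.exe (ClickFix staging chain)")
    elif ev.get("event") == "file":
        path = ev.get("path", "")
        for pat in PERSISTENCE_PATTERNS:
            if pat.search(path):
                reasons.append(f"persistence artifact written: {path}")
    return reasons


def scan(lines) -> list:
    """Parse JSON lines and return [{'line': idx, 'reasons': [...]}] for hits only."""
    findings = []
    for idx, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        reasons = check_event(json.loads(line))
        if reasons:
            findings.append({"line": idx, "reasons": reasons})
    return findings


# Constructed sample telemetry (not real logs). Line 0, 3 and 4 should fire.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"event": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup lookup.example 84.21.189.20",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"event": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup intranet.corp.example",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"event": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup fileserver.corp.example 10.0.0.53",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "file",
     "path": r"C:\Users\alice\AppData\Roaming\WPy64-31401\python\script.vbs"},
    {"event": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MonitoringService.lnk"},
    {"event": "file",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["line"], "; ".join(hit["reasons"]))
```

The public-resolver check is deliberately broader than the single IP from the report: a user-launched nslookup that names an external resolver is rare on a managed endpoint, so it keeps catching the technique after the attacker moves infrastructure, while a private resolver such as 10.0.0.53 stays quiet.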