A deceptively simple social engineering technique known as ClickFix has rapidly evolved from a niche cybercriminal tool into a widespread threat embraced by nation-state actors and financially motivated hackers alike. Microsoft’s latest threat intelligence disclosures reveal that the technique, which manipulates users into copying and executing malicious commands on their own machines, has been weaponized through DNS-based infrastructure in ways that make detection and prevention significantly more challenging for enterprise security teams.
The technique’s elegance lies in its psychological manipulation rather than technical sophistication. Instead of exploiting software vulnerabilities or deploying complex exploit chains, ClickFix campaigns present users with fake error messages or verification prompts—often disguised as CAPTCHA challenges, browser updates, or document rendering fixes—that instruct them to open a Windows Run dialog or PowerShell terminal and paste a command. The command, pre-loaded into the user’s clipboard without their knowledge, then downloads and executes malware. It is, in essence, a method of tricking people into compromising their own systems.
Microsoft Sounds the Alarm on DNS-Layer Exploitation
According to reporting by The Hacker News, Microsoft has disclosed new details about how threat actors are leveraging DNS infrastructure to support ClickFix campaigns at scale. The technique involves the use of DNS TXT records and other DNS-based mechanisms to store and deliver malicious payloads or command-and-control instructions. By embedding encoded commands within DNS records, attackers can bypass many traditional web-based security filters that focus on HTTP and HTTPS traffic, effectively hiding their malicious infrastructure in plain sight within the domain name system.
This DNS-based approach represents a meaningful escalation in the ClickFix playbook. DNS traffic is often treated as trusted by enterprise firewalls and endpoint detection systems, and many organizations lack the granular DNS monitoring capabilities needed to identify anomalous TXT record queries or unusually large DNS responses. Microsoft’s threat intelligence team has observed multiple threat groups adopting this infrastructure pattern, suggesting that it has proven effective enough to warrant broad adoption across the cybercriminal ecosystem.
From Cybercrime to Espionage: A Technique That Crosses Boundaries
What makes ClickFix particularly concerning to security professionals is the breadth of actors now employing it. Microsoft has previously attributed ClickFix-style campaigns to groups associated with North Korea, Iran, and Russia, in addition to financially motivated cybercriminal operations. The technique has been observed in campaigns targeting government agencies, defense contractors, think tanks, and large enterprises across multiple sectors. Its low barrier to entry—requiring no zero-day exploits or advanced malware development capabilities—makes it accessible to a wide range of adversaries.
The North Korean threat group known as Kimsuky, for instance, has been documented using ClickFix-style lures in spear-phishing campaigns aimed at foreign policy researchers and diplomatic personnel. Russian-linked groups have similarly incorporated the technique into operations targeting Ukrainian and NATO-allied organizations. The Iranian group Mint Sandstorm has also been observed experimenting with ClickFix delivery mechanisms. In each case, the social engineering component remains remarkably consistent: a fake prompt, a clipboard hijack, and a user who unwittingly executes the attacker’s code.
The Anatomy of a ClickFix Attack Chain
A typical ClickFix attack begins with a phishing email, a compromised website, or a malicious advertisement that directs the victim to a page displaying a fake error or verification screen. The page might claim that the user’s browser needs an update, that a document cannot be rendered without a specific fix, or that a CAPTCHA must be completed to prove the user is human. Behind the scenes, JavaScript on the page copies a malicious command—usually a PowerShell one-liner or a Windows command prompt instruction—to the user’s clipboard.
The user is then instructed, often with step-by-step visual guides, to press Windows+R to open the Run dialog, paste the contents of their clipboard, and press Enter. This single action can initiate a chain of events that downloads a remote payload, establishes persistence on the machine, and exfiltrates data or deploys ransomware. Because the user initiates the execution themselves, the technique can bypass User Account Control prompts and certain endpoint protection mechanisms that are designed to flag automated or unsigned code execution.
DNS TXT Records as a Covert Delivery Channel
The DNS-based variant disclosed by Microsoft adds another layer of obfuscation to this attack chain. In these campaigns, the initial command pasted by the user does not directly download a payload from a suspicious URL. Instead, it queries a DNS TXT record associated with an attacker-controlled domain. The TXT record contains encoded instructions or a secondary payload URL that the command then processes and executes. This approach offers several advantages to attackers: DNS queries are less likely to be blocked or inspected than HTTP requests, DNS TXT records can be rapidly updated to rotate payloads and evade blocklists, and the technique leaves a smaller forensic footprint on the victim’s machine.
Security researchers have noted that this DNS-based delivery mechanism is not entirely new—DNS tunneling and DNS-based command-and-control have been used by advanced persistent threat groups for years—but its combination with the ClickFix social engineering technique represents a potent convergence. The human element of ClickFix neutralizes many automated defenses, while the DNS delivery channel evades network-level detection. Together, they create an attack chain that is remarkably difficult to defend against using conventional security tools alone.
Why Traditional Defenses Are Falling Short
Enterprise security architectures have historically been optimized to detect and block threats delivered via email attachments, malicious URLs, and exploit kits. ClickFix campaigns challenge these defenses by shifting the execution burden to the user. When a person manually opens PowerShell and pastes a command, the action can appear legitimate to endpoint detection and response tools that rely on behavioral heuristics. The command itself may be obfuscated or encoded in Base64, further complicating signature-based detection.
Moreover, many organizations have limited visibility into DNS traffic at the query level. While DNS filtering services can block known malicious domains, the rapid domain rotation employed by ClickFix operators means that newly registered or compromised domains may not appear on blocklists for hours or days. The use of legitimate DNS infrastructure—including popular DNS providers and content delivery networks—further complicates blocking efforts, as overly aggressive filtering can disrupt legitimate business operations.
Defensive Strategies and the Path Forward
Microsoft and other security vendors have recommended a multi-layered approach to mitigating ClickFix threats. At the endpoint level, organizations are advised to restrict PowerShell execution policies, disable the Windows Run dialog for standard users where feasible, and deploy endpoint detection rules specifically targeting clipboard-to-execution patterns. Application control policies that whitelist approved executables can also limit the damage from ClickFix-initiated payloads.
At the network level, enhanced DNS monitoring and logging are critical. Security teams should implement DNS query logging, analyze TXT record queries for anomalous patterns, and consider deploying protective DNS services that can identify and block suspicious domain resolutions in real time. Threat intelligence feeds that track ClickFix-associated infrastructure can also help organizations stay ahead of emerging campaigns.
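As an added illustration of the TXT-record triage this paragraph recommends (example code written for this page, not Microsoft's or any vendor's tooling), the script below scores DNS resolver log lines for the three indicators the article names: oversized answers, long base64-like tokens, and high-entropy content. The log layout, the indicator thresholds, the allow-list of ordinary TXT prefixes and the `.invalid` domain are all assumptions; the sample log is constructed and the "payload" is base64 of harmless placeholder text.

```python
import base64
import math
import re
from collections import namedtuple
# Assumed log layout (constructed): "<client_ip> <qtype> <qname> <response_bytes> <rdata...>"
Finding = namedtuple("Finding", "client qname size score reasons")
# Record types that legitimately carry long tokens (verification hashes, DKIM keys).
KNOWN_TXT_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=]{40,}")  # base64-like run with no spaces

def shannon_entropy(s):
    # Bits per character: prose sits near 4, base64 blobs above 4.5.
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def score_txt_response(size, rdata):
    # One point per indicator; ordinary SPF/DMARC/verification data scores 0.
    reasons = []
    if size > 255:  # a single TXT string is capped at 255 bytes
        reasons.append("oversized response")
    token = LONG_TOKEN.search(rdata)
    if token and not rdata.startswith(KNOWN_TXT_PREFIXES):
        reasons.append("long base64-like token")
        if shannon_entropy(token.group()) > 4.5:
            reasons.append("high-entropy token")
    return len(reasons), reasons

def find_suspicious_txt(log_text, threshold=2):
    # Return TXT answers whose indicator score reaches the threshold.
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[1] != "TXT":
            continue
        client, _, qname, size, rdata = parts
        score, reasons = score_txt_response(int(size), rdata)
        if score >= threshold:
            findings.append(Finding(client, qname, int(size), score, reasons))
    return findings

# Constructed sample log; the "payload" is base64 of harmless placeholder text.
FAKE_BLOB = base64.b64encode(b"constructed placeholder, stage-two text, not a real payload " * 3).decode()
SAMPLE_LOG = f"""\
10.0.0.12 A www.example.com 59 93.184.216.34
10.0.0.12 TXT example.com 112 v=spf1 include:_spf.example.com -all
10.0.0.12 TXT _dmarc.example.com 130 v=DMARC1; p=reject; rua=mailto:dmarc@example.com
10.0.0.12 TXT example.com 101 google-site-verification=aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdefg
10.0.0.41 TXT ctl.lookup-placeholder.invalid {len(FAKE_BLOB) + 40} {FAKE_BLOB}
"""
```

Calling `find_suspicious_txt(SAMPLE_LOG)` flags only the placeholder domain's answer; the prefix allow-list is a false-positive tuning knob, not a trust boundary, so the size indicator is still counted for allow-listed records.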
The Human Factor Remains the Weakest Link
Perhaps most importantly, security awareness training must evolve to address the specific social engineering tactics employed by ClickFix campaigns. Users need to understand that legitimate websites and services will never ask them to open a command prompt, paste commands, or execute scripts as part of a verification or troubleshooting process. Organizations that invest in realistic phishing simulations incorporating ClickFix-style lures can help build the kind of instinctive skepticism that serves as the last line of defense when technical controls fail.
The rapid proliferation of ClickFix across threat actor categories—from state-sponsored espionage groups to ransomware affiliates—underscores a broader truth about modern cyber threats: the most effective attacks are often the simplest. By exploiting human trust and curiosity rather than software flaws, ClickFix has demonstrated that social engineering remains one of the most potent weapons in any adversary’s arsenal. As the technique continues to evolve, with DNS-based delivery representing only the latest refinement, defenders will need to match that adaptability with equally creative and comprehensive countermeasures.
Inside ClickFix: How a DNS-Based Social Engineering Trick Is Fooling Users Into Hacking Themselves first appeared on Web and IT News.
