Threat ID: TL-2026-0118 | Severity: HIGH | Status: ACTIVE
Actor: KongTuke | Motivation: Financial
MITRE Techniques: 33 | Detections: 9 | IOCs: 6+
DNS TXT records were never meant to carry PowerShell. ClickFix doesn't care.
ClickFix social engineering campaigns have evolved past PowerShell and mshta.exe into territory that most endpoint detection stacks do not cover. In February 2026, Microsoft Security Intelligence documented a new variant abusing nslookup.exe to smuggle encoded payloads through DNS TXT records, while Huntress disclosed the CrashFix variant — a malicious Chrome extension that deliberately crashes the browser to bait victims into running ClickFix commands. Both chains deliver ModeloRAT, a previously undocumented Python-based RAT targeting domain-joined corporate hosts. Below: both attack chains, the KongTuke operator profile, and production-ready SPL, KQL, and Sigma detection rules.
Huntress Security Operations analysis dissecting CrashFix — KongTuke actor's evolved ClickFix social engineering toolkit using browser resource exhaustion.
Executive Summary
- What: Two new ClickFix variants — nslookup DNS smuggling and CrashFix browser DoS — bypass traditional EDR by abusing trusted Windows binaries to deliver ModeloRAT, a Python RAT with RC4-encrypted C2
- Who: KongTuke threat actor, tracked since early 2025, targeting corporate/enterprise environments with financial motivation
- Impact: Domain-joined Windows hosts across enterprise, financial, and technology sectors; standalone machines receive test payloads only
- Status: Actively exploited as of February 2026; nslookup variant documented by Microsoft on February 13, CrashFix by Huntress on January 28
- Detection: 9 production-ready detections available on Threadlinqs Intelligence
Technical Analysis
DNS: The Overlooked Highway
ClickFix campaigns historically relied on mshta.exe and PowerShell to execute malicious commands pasted by victims into the Windows Run dialog. As EDR vendors improved coverage of those execution paths, KongTuke pivoted to nslookup.exe — a signed Microsoft binary present on every Windows installation, typically whitelisted, and whose DNS traffic blends seamlessly with normal network operations.
The mechanics are straightforward. The victim encounters a fake CAPTCHA, browser crash, or update prompt on a compromised or malicious website. Social engineering instructs the user to press Win+R, paste a command, and hit Enter. The pasted command executes nslookup queries against an attacker-controlled DNS server. Instead of returning IP addresses, the DNS TXT records contain encoded commands and payload URLs.
DNS as a payload channel. Creative. Microsoft described this as using DNS as a "lightweight staging or signaling channel" — the attacker's infrastructure responds to standard DNS queries with embedded instructions, reducing dependency on traditional web requests that are more likely to be inspected. The callback channel flies under the radar because DNS traffic is almost universally whitelisted.
The drop lands as a ZIP archive (hosted on domains like azwsappdev[.]com) containing malicious Python scripts. Recon first, then the implant. These scripts perform system reconnaissance and discovery before a VBS dropper deploys ModeloRAT.
CrashFix: Browser DoS as a Social Engineering Primer
The CrashFix variant, documented by Huntress in January 2026, takes a different approach to the same endpoint. A malicious Chrome extension called NexShield — impersonating the legitimate uBlock Origin Lite ad blocker — was distributed through the official Chrome Web Store. The extension was a near-exact clone with only 3,276 bytes of added malicious code. It accumulated at least 5,000 downloads.
After a 60-minute delay triggered by the Chrome Alarms API, NexShield initiates a denial-of-service loop. It opens chrome.runtime port connections in an infinite loop, exhausting browser memory and CPU until Chrome freezes and crashes. On restart, a fake "CrashFix" security warning appears, instructing the user to open Win+R, paste clipboard content, and press Enter.
The clipboard contains a command that copies finger.exe to %temp%\ct.exe and uses it to fetch a payload from C2 infrastructure. finger.exe is a legacy Windows LOLBIN with zero legitimate use in modern environments — any execution should trigger an immediate investigation.
The finger.exe Fetch Chain
The payload delivery after CrashFix follows a layered execution path:
- finger.exe fetches ROT-encoded content from C2, piped to
cmd.exe - PowerShell decodes and executes
script.ps1 - Anti-analysis checks run — scanning for 50+ analysis tools (Wireshark, IDA, Ghidra, x64dbg) and VM indicators
- Domain-join check — domain-joined machines receive ModeloRAT; standalone machines receive a test payload (
TEST PAYLOAD!!!!) - ModeloRAT deploys with bundled WinPython for Python-independent execution
The deliberate domain-join gate confirms KongTuke's focus on corporate environments. No domain join, no RAT. Standalone infections serve as a development test bed.
ModeloRAT — A New Which-Only-Wants-Corporate Hosts
ModeloRAT is a Python-based Remote Access Trojan reserved exclusively for domain-joined hosts. Key characteristics:
- C2 Protocol: RC4-encrypted communications over HTTP port 80, with zlib compression. Beacon URL pattern:
/beacon/{8-char-id} - Adaptive Beaconing: 5-minute intervals during normal operation, 150ms during active tasking, 15-minute backoff when idle
- Reconnaissance: OS version, running processes, services, storage, ARP table, network configuration, user privileges, TCP connections
- Persistence:
HKCU\Software\Microsoft\Windows\CurrentVersion\Runwith registry values mimicking legitimate software — folder names from AppData/ProgramData (e.g., "Spotify47", "Adobe2841") paired with random numbers - Payload Support: EXE, DLL, and Python script execution
- Anti-Analysis: Verbose misleading class names, string concatenation to obscure IOCs, junk code padding, hidden window execution
C2 infrastructure resolves to 170.168.103[.]208 and 158.247.252[.]178.
Malwarebytes Labs documenting ClickFix's new technique — embedding nslookup commands in clipboard payloads to download RATs via DNS TXT record queries.
Threat Actor Profile
KongTuke has been tracked by Huntress since early 2025. The actor demonstrates a clear operational focus on enterprise environments and a pattern of progressive technique evolution.
The group draws inspiration from SocGholish's multi-layer obfuscation — chaining Base64, XOR, ROT ciphers, and CharCode blobs. KongTuke adopted finger.exe as a LOLBIN in December 2025, months before the nslookup pivot. The progression from fake CAPTCHAs to fake updates to instruction videos to deliberate browser crashes to DNS smuggling shows an operator that actively monitors defensive improvements and adapts accordingly.
Our analysis of the toolkit revealed a clear pattern: every evolution targets defenses that blocked the last iteration. The financial motivation and enterprise targeting suggest KongTuke operates as a corporate intrusion broker or directly pursues post-compromise monetization through data theft and pivoting into sensitive systems.
Detection
The ClickFix attack pattern creates distinctive telemetry because the victim executes commands through the Windows Run dialog — meaning explorer.exe spawns command interpreters. Combined with the specific LOLBINs used, detection is achievable across all major SIEM platforms. When we tested the detection queries against lab telemetry replicating both chains, the nslookup TXT query signal was the most reliable — it survives proxy and NAT translation.
Threadlinqs Intelligence provides 9 production-ready detection rules for this threat.
Splunk SPL — nslookup DNS TXT Smuggling
Hunting for nslookup.exe with TXT record query parameters — the signature of the DNS smuggling variant:
SPLindex= sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="\\nslookup.exe" OR OriginalFileName="nslookup.exe")
(CommandLine="-type=txt" OR CommandLine="-querytype=txt"
OR CommandLine="-q=txt" OR CommandLine="set type=txt")
| eval parent_suspicious=if(match(ParentImage, "(?i)(explorer|cmd|powershell)\.exe$"), "yes", "no")
| stats count earliest(_time) as first_seen latest(_time) as last_seen
values(CommandLine) as commands values(ParentImage) as parents by Computer, User
| where count > 0
| sort -count
Legitimate nslookup usage overwhelmingly queries A/AAAA records. TXT record queries from user-initiated processes (parent explorer.exe) are rare and warrant investigation.
Splunk SPL — finger.exe LOLBIN Execution
Anyfinger.exe execution in a modern enterprise is malicious. Full stop. The finger protocol has been deprecated for decades.
SPLindex= sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="\\finger.exe" OR OriginalFileName="finger.exe"
OR Image="\\ct.exe" AND OriginalFileName="finger.exe")
| stats count earliest(_time) as first_seen
values(CommandLine) as commands values(ParentImage) as parents
values(Image) as images by Computer, User
| table first_seen Computer User images commands parents
Microsoft KQL — ModeloRAT C2 Beacon Detection
Looking for ModeloRAT's phone-home beacon pattern and known C2 infrastructure:KQLlet ModeloRAT_C2 = dynamic(["170.168.103.208", "158.247.252.178"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (ModeloRAT_C2)
or RemoteUrl matches regex @"/beacon/[a-zA-Z0-9]{8}$"
| where RemotePort == 80
| summarize BeaconCount=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
URLs=make_set(RemoteUrl, 10) by DeviceName, InitiatingProcessFileName, RemoteIP
| where BeaconCount > 3
| sort by BeaconCount desc
Microsoft KQL — ModeloRAT Registry Persistence
Catches ModeloRAT's quiet persistence trick — Python paths written to Run keys disguised as "Spotify47" or "Adobe2841":KQLDeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has @"Software\Microsoft\Windows\CurrentVersion\Run"
| where ActionType == "RegistryValueSet"
| where RegistryValueData has_any ("pythonw.exe", "WPy64", "python.exe", "winpython")
| project Timestamp, DeviceName, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
Sigma — nslookup DNS TXT Smuggling
SIGMAtitle: Suspicious nslookup DNS TXT Record Query - ClickFix DNS Smuggling
id: 7c4e81a2-f9d3-4b5a-a1c8-3e6f7d9b2c41
status: experimental
description: |
Detects nslookup.exe with TXT record query parameters, indicating potential
ClickFix DNS smuggling. Attackers use DNS TXT records to encode commands and
payload URLs through a trusted system utility.
references:
- https://intel.threadlinqs.com/#TL-2026-0118
- https://www.malwarebytes.com/blog/news/2026/02/clickfix-added-nslookup-commands-to-its-arsenal-for-downloading-rats
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
- attack.command_and_control
- attack.t1071.004
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_process:
Image|endswith: '\nslookup.exe'
selection_args:
CommandLine|contains:
- '-type=txt'
- '-querytype=txt'
- '-q=txt'
- 'set type=txt'
condition: selection_process and selection_args
falsepositives:
- IT administrators performing SPF/DKIM/DMARC verification
- Automated DNS health check scripts querying TXT records
level: high
Sigma — finger.exe LOLBIN Execution
SIGMAtitle: finger.exe Execution or Rename - KongTuke LOLBIN Payload Delivery
id: 3a8b5c2d-e6f1-4d7a-b9c3-2f5e8a1d6b74
status: experimental
description: |
Detects any execution of finger.exe or copies renamed from finger.exe.
KongTuke copies finger.exe to %temp%\ct.exe for payload delivery.
finger.exe has zero legitimate use in modern enterprise environments.
references:
- https://intel.threadlinqs.com/#TL-2026-0118
- https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
- attack.defense_evasion
- attack.t1218
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_image:
Image|endswith: '\finger.exe'
selection_original:
OriginalFileName: 'finger.exe'
condition: selection_image or selection_original
falsepositives:
- None expected in modern environments
level: critical
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
The Hacker News reporting on Microsoft's disclosure of DNS-based ClickFix attacks using nslookup for PowerShell malware staging and execution.
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| IP | 170.168.103[.]208 | ModeloRAT C2 server |
| IP | 158.247.252[.]178 | ModeloRAT C2 server |
| IP | 199.217.98[.]108 | KongTuke payload delivery infrastructure |
| Domain | nexsnield[.]com | NexShield extension C2 (typosquat of "nexshield") |
| Domain | azwsappdev[.]com | ZIP payload hosting (nslookup variant) |
File Indicators
| Type | Indicator | Context |
|---|---|---|
| Filename | ct.exe | Renamed copy of finger.exe in %temp% |
| Filename | script.ps1 | PowerShell stage after finger.exe fetch |
| Chrome Extension ID | cpcdkmjddocikjdkbbeiaafnpdbdafmi | Malicious NexShield extension |
| Developer Email | alaynna6899@gmail.com | NexShield Chrome Web Store developer |
Behavioral Indicators
nslookup.exespawned fromexplorer.exe(Run dialog) querying TXT records against non-corporate DNS serversfinger.exeexecution or copy to%temp%\ct.exe— zero legitimate use in modern environments- Chrome extension triggering browser crash followed by Run dialog command execution
- Python process (
pythonw.exeor WinPython) writing toHKCU\...\Runwith software-mimicking names - HTTP POST beacons to
/beacon/{8-char-id}on port 80 with truncated WebKit user-agent
Timeline
| Date | Event |
|---|---|
| 2024-06-01 | ClickFix social engineering technique emerges; initial campaigns use fake CAPTCHAs with PowerShell |
| 2025-01-01 | Huntress begins tracking KongTuke actor group |
| 2025-01-15 | Malwarebytes documents ClickFix delivering DarkGate via malvertising |
| 2025-11-01 | ClickFix campaigns add instruction videos and fake Windows update lures |
| 2025-12-01 | KongTuke adopts finger.exe LOLBIN for payload delivery |
| 2026-01-14 | Malicious NexShield extension found live on Chrome Web Store (~5,000 downloads) |
| 2026-01-28 | Huntress publishes CrashFix analysis — browser DoS + ModeloRAT documented |
| 2026-01-30 | Malwarebytes confirms CrashFix findings; ModeloRAT targets domain-joined hosts only |
| 2026-02-13 | Microsoft Security Intelligence documents nslookup DNS smuggling variant |
| 2026-02-14 | Malwarebytes publishes detailed nslookup ClickFix analysis |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Malvertising and fake CAPTCHA pages lure victims |
| Execution | User Execution: Malicious Link | T1204.001 | Victim pastes command into Run dialog |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell used in CrashFix payload chain |
| Execution | Command and Scripting Interpreter: Python | T1059.006 | ModeloRAT is Python-based with bundled WinPython |
| Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 | VBS dropper deploys ModeloRAT |
| Persistence | Registry Run Keys | T1547.001 | ModeloRAT persists via HKCU Run with mimicked names |
| Persistence | Browser Extensions | T1176 | NexShield malicious Chrome extension |
| Defense Evasion | System Binary Proxy Execution | T1218 | nslookup.exe and finger.exe as LOLBINs |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | Run key values mimic Spotify, Adobe, Discord names |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 | Checks for 50+ analysis tools and VM indicators |
| Discovery | Domain Trust Discovery | T1482 | Domain-join check gates RAT vs test payload |
| Command and Control | Application Layer Protocol: DNS | T1071.004 | nslookup DNS TXT record smuggling |
| Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 | RC4-encrypted C2 over HTTP port 80 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Recon data exfiltrated over HTTP C2 |
Full MITRE ATT&CK mapping with 33 techniques: View coverage on Threadlinqs
TL-2026-0118 on Threadlinqs Intelligence — ClickFix DNS smuggling evolution with nslookup-based payload delivery and browser DoS techniques.
Recommendations
- Block finger.exe execution enterprise-wide via AppLocker or WDAC — there is no legitimate use case for this binary in modern environments
- Monitor nslookup TXT queries — legitimate usage overwhelmingly queries A/AAAA records; TXT queries from user-initiated processes are anomalous
- Audit Chrome extensions across managed endpoints; restrict installation to approved-only lists via Chrome Enterprise policies
- Deploy ClickFix-specific user awareness training — the attack succeeds because users do not understand what they are executing in the Run dialog
- Block known C2 infrastructure:
170.168.103[.]208,158.247.252[.]178,199.217.98[.]108,nexsnield[.]com
References
- ClickFix Added nslookup Commands to Its Arsenal — Malwarebytes, February 14, 2026
- Dissecting CrashFix: KongTuke's New Toy — Huntress, January 28, 2026
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup — The Hacker News, February 2026
- Fake Extension Crashes Browsers to Trick Users — Malwarebytes, January 30, 2026
- Microsoft Warns of ClickFix Attack Abusing DNS Lookups — SecurityWeek, February 2026
- ClickFix Attacks Abuses DNS Lookup Command to Deliver ModeloRAT — Dark Reading, February 2026
- MITRE ATT&CK T1071.004 — Application Layer Protocol: DNS — MITRE
- MITRE ATT&CK T1218 — System Binary Proxy Execution — MITRE
Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0118.*