DEV Community

MonstaDomains

Posted on • Originally published at monstadomains.com

New DNS Hijacking Attack: What Domain Owners Must Know

Microsoft has issued a critical security warning about a sophisticated new DNS hijacking attack variant that leverages the popular ClickFix technique to deliver dangerous malware. The attack, which was disclosed earlier this week, represents a significant evolution in how cybercriminals are exploiting the Domain Name System to compromise both individual users and enterprise environments.

This latest threat comes on the heels of a high-profile DNS hijacking incident affecting OpenEden, a major tokenized asset platform that saw its domain records compromised in mid-February 2026. Together, these incidents highlight the growing sophistication of DNS-based attacks and underscore why domain owners must take proactive measures to protect their online presence.

Understanding the ClickFix DNS Hijacking Attack

The Microsoft ClickFix attack represents a disturbing new frontier in social engineering. Unlike traditional phishing attempts that rely on fake login pages or malicious attachments, this technique manipulates users into executing commands directly on their own systems. According to Microsoft's security intelligence team, the attack begins when victims visit compromised or malicious websites displaying fake error messages.

The initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system default resolver. The output is filtered to extract the Name: field of the DNS response, which is executed as the second-stage payload.

This tactic is particularly dangerous because it enables attackers to validate that their malware execution is working while blending malicious network traffic in with legitimate DNS queries. The result is a highly evasive attack that can bypass many traditional security filters.
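One way to detect the lookup pattern described above in process-creation logs, added here as an example and not taken from Microsoft or the original article: it flags command lines where nslookup is pointed at a resolver outside an approved list, and raises the severity when the output is piped into a text filter under cmd.exe. The approved-resolver list, the event layout and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: resolvers that clients in this environment may query directly.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Assumption: "filtered" is approximated as a pipe into find/findstr.
OUTPUT_FILTER = re.compile(r"\|\s*\"?(?:findstr|find)(?:\.exe)?\b", re.I)

def basename(token):
    """Lower-cased file name of a possibly quoted Windows path token."""
    return re.split(r"[\\/]", token.strip('"'))[-1].lower()

def nslookup_server(cmdline):
    """Return the server in 'nslookup [-opt ...] name [server]', else None."""
    for segment in re.split(r"[|&]+", cmdline):
        tokens = segment.split()
        for i, tok in enumerate(tokens):
            if basename(tok) not in ("nslookup", "nslookup.exe"):
                continue
            positional = []
            for arg in tokens[i + 1:]:
                if ">" in arg or "<" in arg:       # redirection ends the arguments
                    break
                if arg == "-" or not arg.startswith("-"):  # skip -type=mx etc.
                    positional.append(arg.strip('"'))
            return positional[1] if len(positional) > 1 else None
    return None

def triage(image, parent, cmdline):
    """Return (severity, server) for a lookup worth reviewing, else None."""
    server = nslookup_server(cmdline)
    if server is None or server in APPROVED_RESOLVERS:
        return None
    piped = bool(OUTPUT_FILTER.search(cmdline))
    via_cmd = "cmd.exe" in (basename(image), basename(parent))
    return ("high" if piped and via_cmd else "medium", server)

# Constructed process-creation events: (image, parent image, command line).
EVENTS = [
    ("cmd.exe", "explorer.exe", 'cmd.exe /c nslookup example.test 203.0.113.53 | findstr "Name:"'),
    ("nslookup.exe", "cmd.exe", "nslookup intranet.example.test"),
    ("nslookup.exe", "powershell.exe", "nslookup -type=mx example.test 10.0.0.53"),
    ("nslookup.exe", "powershell.exe", r'"C:\Windows\System32\nslookup.exe" example.test 198.51.100.7'),
]

def run(events=EVENTS):
    return [triage(*event) for event in events]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run()):
        print(verdict, "<-", event[2])
```

Lookups that name no server, or that name an approved resolver, return None, so routine administrative use of nslookup is not flagged.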

The second-stage payload downloads and executes a malicious Python script designed for reconnaissance, ultimately deploying a remote access trojan called ModeloRAT. This sophisticated malware enables attackers to collect information about compromised systems, execute additional payloads, and maintain persistent access to infected machines.

The OpenEden DNS Compromise

While the Microsoft ClickFix attack focuses on delivering malware through user manipulation, another major DNS security incident made headlines in February 2026. OpenEden, a prominent tokenized asset management platform, announced that attackers had compromised the DNS records for both its main website and user portal.

The company warned that users who visited the hijacked domains could have their wallet assets stolen, even though the platform's underlying reserve assets remained secure.

This incident demonstrates how DNS hijacking attacks work in practice. When users typed openeden.com into their browsers, they were redirected to attacker-controlled servers hosting fake versions of the platform.

Protecting Your Domain

Protecting against DNS hijacking attacks requires a multi-layered approach:

  1. Enable WHOIS privacy protection on your domain registrations
  2. Implement DNS security extensions (DNSSEC)
  3. Enable two-factor authentication on your registrar account
  4. Regularly monitor your domain's DNS records
