#modelorat — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #modelorat, aggregated by home.social.
-
DNS-based staging via ClickFix represents tactical evolution.
Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)Campaign telemetry also discussed by Bitdefender and Kaspersky.
DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signalingDetection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspectionIs your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis
-
DNS-based staging via ClickFix represents tactical evolution.
Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)Campaign telemetry also discussed by Bitdefender and Kaspersky.
DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signalingDetection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspectionIs your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis
-
DNS-based staging via ClickFix represents tactical evolution.
Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)Campaign telemetry also discussed by Bitdefender and Kaspersky.
DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signalingDetection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspectionIs your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis
-
DNS-based staging via ClickFix represents tactical evolution.
Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)Campaign telemetry also discussed by Bitdefender and Kaspersky.
DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signalingDetection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspectionIs your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis
-
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan
#Storm_0300 #ModeloRAT
https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/ -
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan
#Storm_0300 #ModeloRAT
https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/ -
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan
#Storm_0300 #ModeloRAT
https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/ -
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan
#Storm_0300 #ModeloRAT
https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/ -
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan
#Storm_0300 #ModeloRAT
https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/ -
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan - https://www.redpacketsecurity.com/new-clickfix-variant-crashfix-deploying-python-remote-access-trojan/
#threatintel
#crashfix
#clickfix
#modelorat
#python-payload
#browser-extension -
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan - https://www.redpacketsecurity.com/new-clickfix-variant-crashfix-deploying-python-remote-access-trojan/
#threatintel
#crashfix
#clickfix
#modelorat
#python-payload
#browser-extension -
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan - https://www.redpacketsecurity.com/new-clickfix-variant-crashfix-deploying-python-remote-access-trojan/
#threatintel
#crashfix
#clickfix
#modelorat
#python-payload
#browser-extension -
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan - https://www.redpacketsecurity.com/new-clickfix-variant-crashfix-deploying-python-remote-access-trojan/
#threatintel
#crashfix
#clickfix
#modelorat
#python-payload
#browser-extension -
New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan - https://www.redpacketsecurity.com/new-clickfix-variant-crashfix-deploying-python-remote-access-trojan/
#threatintel
#crashfix
#clickfix
#modelorat
#python-payload
#browser-extension -
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/
-
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/
-
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/
-
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/
-
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/