nslookup.exe
nslookup.exe is a built-in Windows DNS lookup utility. In February 2026, KongTuke began using nslookup against attacker-controlled DNS servers to retrieve payloads via DNS response fields. The technique replaces commonly blocked PowerShell/mshta approaches and blends into normal network traffic. The nslookup output is filtered to extract the DNS response Name field, which is then executed as a second-stage payload. Final payloads include ModeloRAT.
A verification step is required. Please follow the instructions below to complete the security check.
Press Win-R on your keyboard
Press Ctrl-V to paste the command
Press Enter to run
Mitigations:
Monitor for nslookup invocations with non-default DNS servers from the Run dialog
Alert on nslookup commands initiated by explorer.exe or via RunMRU
Block outbound DNS queries to non-corporate DNS resolvers
Monitor for Python ZIP archive downloads following nslookup execution
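One way to implement the first two mitigations, as an added example that is not part of the original page: it extracts the explicit server argument from nslookup command lines in process-creation events and raises the severity when the parent process is explorer.exe. Field names follow Sysmon Event ID 1; the resolver allowlist, host names and events are constructed assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: the resolvers clients are expected to use (constructed values).
CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
TOKEN = re.compile(r'"[^"]*"|[^\s|&<>]+|[|&<>]+')
OPERATOR = re.compile(r"[|&<>]+")

def nslookup_server(cmdline):
    """Return the explicit DNS server argument of an nslookup call, or None."""
    tokens = TOKEN.findall(cmdline)
    for i, tok in enumerate(tokens):
        if basename(tok.strip('"')).lower() not in ("nslookup", "nslookup.exe"):
            continue
        positional = []
        for arg in tokens[i + 1:]:
            if OPERATOR.fullmatch(arg):               # pipe/redirect ends the call
                break
            if arg.startswith("-") and len(arg) > 1:  # option such as -type=txt
                continue
            positional.append(arg.strip('"').lower()) # host (or "-"), then server
        return positional[1] if len(positional) > 1 else None
    return None

def triage(event):
    """Classify one process-creation event (Sysmon Event ID 1 field names)."""
    server = nslookup_server(event["CommandLine"])
    if server is None or server in CORPORATE_RESOLVERS:
        return None
    from_explorer = basename(event["ParentImage"]).lower() == "explorer.exe"
    return {"host": event["Computer"], "server": server,
            "severity": "high" if from_explorer else "medium"}

# Constructed sample events; names and addresses are documentation placeholders.
EVENTS = [
    {"Computer": "WS-01", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c nslookup example.test 203.0.113.10 | more'},
    {"Computer": "WS-02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup -type=mx example.test 10.0.0.53"},
    {"Computer": "WS-03", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup -type=txt example.test 198.51.100.7"},
    {"Computer": "WS-04", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "nslookup example.test"},
]

def run(events):
    return [alert for alert in map(triage, events) if alert]

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Matching on the command line rather than the process image also covers the case where explorer.exe launches a shell that in turn runs nslookup.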