ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware

These articles are AI-generated summaries. Please check the original sources for full details.

Researchers at Elastic Security Labs have identified a sophisticated ClickFix campaign delivering a custom C++ RAT named MIMICRAT. The attack uses lures localized into 17 languages to trick users into executing PowerShell commands from fake Cloudflare verification pages.

Why This Matters

While organizations often rely on trusted domains and standard HTTPS traffic for security, this campaign weaponizes legitimate infrastructure to bypass perimeter defenses. The use of multi-stage PowerShell chains to patch ETW and AMSI demonstrates how attackers can neutralize endpoint visibility and antivirus scanning before the final payload even executes.

Key Insights

  • MIMICRAT (aka AstarionRAT) is a custom C++ RAT with support for Windows token impersonation and SOCKS5 tunneling, documented by Elastic Security Labs in 2026.
  • The infection chain uses compromised legitimate services, such as the BIN validation service bincheck.io, to host the malicious JavaScript and PHP scripts.
  • A multi-stage PowerShell chain performs AMSI and ETW bypasses to neutralize Windows security logging and antivirus scanning before dropping the final payload.
  • The campaign uses a Lua-scripted shellcode loader to decrypt and execute MIMICRAT in memory, reducing the forensic footprint on the host system.
  • MIMICRAT communicates over HTTPS on port 443 using HTTP profiles that mimic legitimate web analytics traffic to evade network detection.

Practical Applications

  • Use Case: Organizations should implement EDR policies that detect and block unauthorized PowerShell attempts to patch ETW or AMSI components.
  • Pitfall: Relying on domain reputation for security; this campaign successfully used compromised legitimate sites like bincheck.io to deliver malware.
  • Use Case: Network security teams should monitor for unauthorized SOCKS5 tunneling and unusual Lua interpreter execution on Windows endpoints.
  • Pitfall: Ignoring localized phishing lures; the campaign dynamically translates content into 17 languages to maximize its global infection success rate.
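The first use case above (flagging PowerShell that tries to tamper with AMSI or ETW) can be turned into a simple detection pass over PowerShell Script Block Logging events (Event ID 4104). The following Python is an added example written for this summary; it is not code from Elastic Security Labs or from the original article. The event records, the indicator lists and the normalization rules are assumptions constructed here: the records are hypothetical script-block texts, and the normalization only undoes two common string-splitting tricks (quoted-literal concatenation and backtick escapes) so that split API names still match.

```python
import re
from dataclasses import dataclass, field

# Indicator tokens for AMSI and ETW tampering, matched case-insensitively.
# These are assumed lists for the example, not the article's IoCs.
AMSI_INDICATORS = ("AmsiScanBuffer", "AmsiInitFailed", "AmsiUtils",
                   "AmsiOpenSession", "amsi.dll")
ETW_INDICATORS = ("EtwEventWrite", "NtTraceEvent",
                  "EtwNotificationRegister", "ETWEnabled")
# If any of these appear alongside an AMSI/ETW name, the script is more
# likely patching memory than merely mentioning the function.
MEMORY_WRITE_INDICATORS = ("VirtualProtect", "WriteProcessMemory",
                           "Marshal.Copy", "NtProtectVirtualMemory")

# 'abc' + 'def'  ->  'abcdef'  (one join per match; loop until stable)
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalize(script: str) -> str:
    """Undo simple string splitting so split API names become contiguous."""
    prev, text = None, script
    while prev != text:
        prev = text
        text = CONCAT_RE.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", text)
    # PowerShell backticks inside double-quoted strings ("Am`si") are
    # escapes that leave the identifier intact at runtime; drop them.
    return text.replace("`", "")


@dataclass
class Finding:
    record_id: int
    category: str                 # "amsi" or "etw"
    indicators: list = field(default_factory=list)
    memory_write: bool = False


def scan_script_block(record_id: int, script: str) -> list:
    """Return one Finding per tampering category seen in a script block."""
    text = normalize(script).lower()
    memory_write = any(t.lower() in text for t in MEMORY_WRITE_INDICATORS)
    findings = []
    for category, tokens in (("amsi", AMSI_INDICATORS), ("etw", ETW_INDICATORS)):
        hits = [t for t in tokens if t.lower() in text]
        if hits:
            findings.append(Finding(record_id, category, hits, memory_write))
    return findings


def severity(finding: Finding) -> str:
    """Mentioning an API is suspicious; mentioning it next to a memory
    write primitive is what an in-process patch looks like."""
    return "high" if finding.memory_write else "medium"


def scan_events(events) -> list:
    """events: iterable of (record_id, script_block_text) pairs."""
    findings = []
    for record_id, script in events:
        findings.extend(scan_script_block(record_id, script))
    return findings


# Constructed sample records standing in for 4104 ScriptBlockText values.
SAMPLE_EVENTS = [
    (1001, "Get-ChildItem C:\\Users -Recurse | Measure-Object"),
    (1002, "$p = [Win32]::GetProcAddress($h, 'Amsi' + 'Scan' + 'Buffer'); "
           "[Win32]::VirtualProtect($p, 8, 0x40, [ref]$old)"),
    (1003, "$e = [Win32]::GetProcAddress($n, \"Etw`EventWrite\")"),
    (1004, "Write-Host 'AMSI scan buffer check complete'"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.category.upper()} tampering "
              f"[{severity(f)}] via {', '.join(f.indicators)}")
```

Record 1002 is reported as high because a split AMSI function name is re-joined by normalization and sits next to VirtualProtect; record 1003 is reported as medium because only an ETW export name appears; records 1001 and 1004 produce nothing, since plain prose containing the words "AMSI scan buffer" is not the same token as the API name. In a real deployment the same logic would consume ScriptBlockText from the forwarded event stream rather than the embedded list.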
