

The MIMICRAT CLICKFIX Campaign


April 14, 2026

Anatomy of an Attack


The ClickFix Evolution in Fileless Tradecraft

The danger of a single-click compromise is escalating rapidly. Threat actors keep refining user-assisted execution techniques, exemplified by CLEARFAKE (first observed in 2023), which tricks users into running a fraudulent browser update, and, more recently, ClickFix (first observed in 2024). Attackers commonly deliver ClickFix through malicious advertisements on popular search engines such as Google or by compromising legitimate websites. ClickFix manipulates the user into copying and pasting an attacker-supplied command into a console or the Run dialog, usually under the guise of fixing a technical or security issue.
According to a 2025 ESET report, ClickFix use rose by 500% between 2024 and 2025. That surge made ClickFix the second most common initial access method after phishing, even though it accounted for only 8% of all blocked attacks. The appeal for attackers is that user-assisted execution sidesteps many automated browser and endpoint defenses: no exploit is needed, because the victim launches the infection chain in their own session, with their own identity and privileges.

On February 19, 2026, Elastic Security Labs detailed a sophisticated ClickFix campaign that deploys bespoke malware dubbed MIMICRAT (aka AstarionRAT). MIMICRAT is a custom remote access trojan (RAT) built for long-term espionage. It is particularly dangerous because its command-and-control (C2) traffic can be configured to blend in with trusted traffic, such as benign web analytics or ordinary HTTPS browsing.

The February 2026 MIMICRAT ClickFix campaign appears to have focused on the financial sector, using two compromised finance-related websites: a Bank Identification Number (BIN) lookup site and an Indian mutual fund investment platform. The lure page's support for 17 languages, with content localized dynamically from the victim's browser language setting, suggests the operators intended a far wider geographic reach than those two sites alone imply.

Sophisticated Delivery: Leveraging Legitimate Trust

The operators in the MIMICRAT campaign understand reputation-based defenses. Rather than standing up dedicated malicious infrastructure for the initial infection, which would have no history and be easy to block, they compromise legitimate, trusted websites to host their malicious scripts.

In this campaign, the threat actors first compromised the BIN lookup site bincheck[.]io. That site then dynamically loads an external script hosted on a second compromised site, https://www.investonline[.]in/js/jq.php, the legitimate Indian mutual fund investment platform of Abchlor Investments Pvt. Ltd. The script is named 'jq.php' to mimic the legitimate jQuery library, so that it blends in with the resources the page normally loads (MITRE ATT&CK T1189).

  • The Entry Point: The victim visits a compromised but legitimate website. An injected JavaScript snippet fires and retrieves a second script from the other compromised website.
  • Dynamic Script Loading: That script displays a fake security verification overlay and silently writes an obfuscated PowerShell command to the user's clipboard.
  • The ClickFix Lure: The overlay instructs the user to "verify they are human" by pasting and running the command. Browser download protections never trigger, because nothing is downloaded during the interaction: the only artifact is the clipboard contents, and the command runs from there without a file ever being written to disk.
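A static check for the injection pattern described above, added here as an example in Python (not code from the original post, from Elastic Security Labs, or from ExtraHop): it scans a page's script elements for a cross-origin script whose filename imitates a common library but carries a server-side extension (the jq.php pattern), and for inline scripts that write an interpreter command to the clipboard. The HTML is constructed for the demo; every hostname and filename in it is a placeholder.

```python
"""Static check for ClickFix-style clipboard loaders injected into a page.

Added example; not code from the original post, from Elastic Security Labs
or from ExtraHop. The HTML, hostnames and filenames below are constructed.
"""
import re

# Browser primitives a lure needs in order to stage a command on the clipboard.
CLIPBOARD_APIS = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['\"]copy['\"]", re.I
)
# Interpreters, LOLBins and switches typically present in the staged command.
LAUNCHERS = re.compile(
    r"\b(?:powershell|pwsh|mshta|cmd(?:\.exe)?|wscript|cscript|certutil|curl"
    r"|iex|invoke-expression|iwr|invoke-webrequest)\b"
    r"|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden\b",
    re.I,
)
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
LIB_NAMES = re.compile(r"^(?:jq|jquery|bootstrap|angular|react|vue)", re.I)
SERVER_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi")


def scan_html(html: str, page_origin: str) -> list:
    """Return one finding per suspicious <script> element.

    Flags (a) external scripts from another origin whose filename imitates a
    common library but ends in a server-side extension (the jq.php pattern),
    and (b) inline scripts that write to the clipboard and mention an
    interpreter, LOLBin or typical command switch.
    """
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            url = src.group(1)
            name = url.rsplit("/", 1)[-1].lower()
            cross_origin = url.startswith("http") and not url.startswith(page_origin)
            if cross_origin and LIB_NAMES.match(name) and name.endswith(SERVER_EXT):
                findings.append({"kind": "lookalike-remote-script", "src": url})
            continue
        if CLIPBOARD_APIS.search(body):
            hits = sorted({m.group(0).lower() for m in LAUNCHERS.finditer(body)})
            if hits:
                findings.append({"kind": "clipboard-staged-command", "indicators": hits})
    return findings


# Constructed sample: a legitimate page with two injected elements, a
# cross-origin loader named after jQuery and an inline "verify you are human"
# handler that stages a PowerShell command on the clipboard.
SAMPLE_HTML = """
<html><head>
<script src="https://www.legit-finance.example/js/app.js"></script>
<script src="https://other-compromised.example/js/jq.php"></script>
</head><body>
<div id="verify">Press Win+R, then Ctrl+V, then Enter to verify you are human</div>
<script>
  var p = ["powershell", "-w hidden", "-enc", "QUFBQQ=="].join(" ");
  document.getElementById("verify").onclick = function () {
    navigator.clipboard.writeText(p);
  };
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "https://www.legit-finance.example"):
        print(finding)
```

Run it against crawled copies of your own public pages; a hit on the second rule is a strong signal because legitimate pages rarely need to put `powershell` or `-enc` on the clipboard. The first rule is noisier (some sites do serve scripts from PHP endpoints), so treat it as a lead to review rather than an alert.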

The Five-Stage Attack Lifecycle

Once the command is executed, the multi-stage chain runs almost entirely in memory; the only on-disk artifact is the loader archive dropped in Stage 3.

  • Stage 1: Obfuscated One-Liner: Upon execution, the obfuscated PowerShell command assembles the C2 domain at runtime, so neither a plaintext domain nor a PowerShell cmdlet name appears in the initial payload, and then retrieves a second-stage PowerShell script. Assembling the strings at runtime defeats signature-based controls that key on those values in cleartext. Refer to MITRE ATT&CK T1189 and MITRE ATT&CK T1204.004.
  • Stage 2: Telemetry Suppression: The second-stage PowerShell script is engineered to neutralize host-based security telemetry. By tampering with the System.Diagnostics.Eventing.EventProvider and System.Management.Automation.AmsiUtils classes (the classic .NET reflection patches), it suppresses Event Tracing for Windows (ETW) events, PowerShell script block logging, and AMSI scanning within its own process, so later stages run without producing local alerts. Note the scope: this blinds telemetry sourced from that PowerShell process, not kernel-level sensors. Refer to MITRE ATT&CK T1059 and MITRE ATT&CK T1562.001.
  • Stage 3: Custom Lua Loader: With logging and AV scanning disabled, a base64-encoded ZIP archive is decoded and extracted to a randomly named directory under %ProgramData%. The archive contains zbuild[.]exe, a custom loader with a statically linked Lua 5.4.7 interpreter. This is the chain's single on-disk artifact. Refer to MITRE ATT&CK T1059.
  • Stage 4: Reflective Shellcode Deployment: The Lua loader decrypts an embedded script and shellcode and executes them in memory. The shellcode, suspected to be Meterpreter-related, reflectively loads MIMICRAT. Refer to MITRE ATT&CK T1059 and MITRE ATT&CK T1620.
  • Stage 5: MIMICRAT Implant: The final payload is MIMICRAT, a bespoke native C/C++ RAT. Refer to MITRE ATT&CK T1090.002, MITRE ATT&CK T1090.004, MITRE ATT&CK T1071.001, and MITRE ATT&CK T1041.

Implant Capabilities and C2 Infrastructure

The MIMICRAT implant's complexity indicates it is not an off-the-shelf tool. With 22 commands, it gives the operator the remote access needed for post-exploitation.

  • Command Set: The implant supports directory manipulation, file exfiltration, and shellcode injection, among other actions.
  • Privilege Escalation: Dedicated commands perform Windows token theft and impersonation, letting the operator duplicate the security token of a running process and spawn new processes under that elevated identity.
  • Network Tunneling: The implant provides SOCKS5 tunneling, turning the compromised host into a relay for lateral movement into the internal network.
  • C2 Profile and Relays: The custom HTTP profiles mimic the header signatures and traffic patterns of legitimate web browsing, using benign-looking URIs on CloudFront-fronted hosts such as '/intake/organizations/events' or '/discover/pcversion/metrics'. C2 runs over HTTPS on port 443 with a roughly 10-second callback interval, frequent enough for interactive control yet light enough to stay below volume-based traffic alerts. That regularity cuts both ways: a short, steady interval is exactly what periodicity-based beacon detection looks for.

The campaign uses a CloudFront relay strategy, fronting its backend servers with reputable CDN domains to conceal the real infrastructure. The protocol is layered: session keys are exchanged with RSA-1024, and all subsequent traffic is AES-encrypted. RSA-1024 is below current key-size recommendations, but it still denies a passive observer the session key. To evade static detection, header and URI strings are stored encoded in the implant and decoded only at runtime, so they never appear as plaintext in the binary.

TTP Table: MIMICRAT

The following table maps observed behaviors to ExtraHop Detections.


Conclusion and Strategic Recommendations

The ClickFix MIMICRAT campaign shows how quickly initial access is shifting toward user-assisted infection chains that bypass traditional browser and endpoint controls. By blinding local logging and scanning early in the attack lifecycle, the threat actors keep host-based defenses unaware of the malware's presence while it executes from memory. That leaves network-level detection, which the implant cannot tamper with from the host, as the most reliable remaining means of identifying the breach.

Strategic Defensive Postures

To detect the adversary behavior seen in the ClickFix MIMICRAT campaign, defensive teams should understand how each traditional defense-in-depth control is bypassed and which behaviors remain huntable.

  • Exploiting Users' Trust: Initial access abuses the victim's trust in a legitimate but compromised website. The obfuscated command is staged on the victim's clipboard, never as a downloaded file. Educate users on ClickFix techniques, in particular that no legitimate "verification" ever asks them to paste a command into the Run dialog or a terminal.
  • Obfuscation: The first- and second-stage PowerShell scripts are obfuscated and assembled at runtime, so they do not match traditional PowerShell signatures.
  • Telemetry Blinding: The second-stage PowerShell script uses "EDR-killing" techniques, patching ETW and AMSI and disabling PowerShell logging in its own process. That starves EDR and SIEM of the telemetry they depend on, leaving defenders blind to later actions in that process even though kernel-level sensors remain intact.
  • Mimicking: MIMICRAT's malleable C2 imitates normal web traffic, which defeats a signature-based IDS that relies on hard-coded artifacts.
  • Source of Truth: The network is where the adversary's actions can still be observed, using NDR. ExtraHop's NDR provides an out-of-band record of network traffic that an attacker cannot disable from the compromised host. It can detect and alert on several behaviors in this attack chain:
  • Connections to suspicious IPs and domains that have no prior history in the environment.
  • C2 beaconing behavior, regardless of the malware or implant used, based on heartbeat timing patterns.
  • Suspicious traffic to CloudFront relays (domain fronting).
  • New SOCKS5 proxy activity, when an internal asset suddenly starts relaying traffic for an external server.
  • Non-standard protocols encapsulated within HTTP/S, a common RAT C2 pattern.
  • Large data transfers or unusual outbound throughput indicative of exfiltration.
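Three of the detections above, and the C2 profile described earlier (10-second beacon over HTTPS to a fronted host, then SOCKS5 pivoting), can be expressed as content-agnostic checks over connection records. The block below is an added example written for this page, not ExtraHop's or Elastic's code: it flags (1) external destinations with no history in the environment, (2) beaconing by inter-connection timing regularity, and (3) the beaconing host fanning out to internal targets, used here as a simple proxy/pivot heuristic in place of SOCKS5 protocol parsing. The flow records, hosts and the CloudFront-style name are constructed for the demo.

```python
"""Hunt for MIMICRAT-style C2 behaviour in connection records.

Added example, not ExtraHop's or Elastic Security Labs' code. The flow
records and every host name or address below are constructed for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Record layout: (timestamp_s, src_ip, dst_host, dst_port, bytes_out)
FLOWS = []
_t0 = 1000.0
for i in range(12):  # 10-second beacon with a little jitter, as an implant would produce
    FLOWS.append((_t0 + i * 10 + (0.3 if i % 2 else -0.2),
                  "10.0.0.5", "d1xyz.cloudfront.example", 443, 600))
for t, host in [(1003, "www.news.example"), (1017, "cdn.news.example"),
                (1051, "mail.example"), (1088, "www.news.example")]:
    FLOWS.append((float(t), "10.0.0.5", host, 443, 4000))  # ordinary browsing
for t, dst, port in [(1045, "10.0.1.10", 445), (1046, "10.0.1.11", 3389),
                     (1047, "10.0.1.12", 445), (1048, "10.0.1.13", 445)]:
    FLOWS.append((float(t), "10.0.0.5", dst, port, 300))  # fan-out once C2 is up

# Destinations this environment has talked to before (constructed baseline).
KNOWN_DESTINATIONS = {"www.news.example", "cdn.news.example", "mail.example"}


def _is_internal(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a DNS name, treated as external
        return False


def find_beacons(flows, min_count=8, max_cv=0.15, max_period=3600):
    """Flag (src, dst, port) tuples whose inter-connection gaps are nearly constant.

    The coefficient of variation (stdev/mean) of the gaps is low for a timer-driven
    callback and high for human browsing, independent of URI, headers or crypto.
    """
    by_key = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_key[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv and period <= max_period:
            hits.append({"src": src, "dst": dst, "port": port,
                         "period_s": round(period, 1), "cv": round(cv, 3),
                         "first_seen": stamps[0]})
    return hits


def new_destinations(flows, known):
    """External destinations with no prior history in the environment."""
    return sorted({dst for _, _, dst, _, _ in flows
                   if not _is_internal(dst) and dst not in known})


def internal_fanout(flows, beacon, min_targets=3, window_s=600):
    """Internal (host, port) targets the beaconing host contacts soon after C2 starts.

    A workstation that begins reaching several internal services right after a
    beacon appears is behaving like a relay for the remote operator.
    """
    start = beacon["first_seen"]
    targets = {(dst, port) for ts, src, dst, port, _ in flows
               if src == beacon["src"] and _is_internal(dst)
               and start <= ts <= start + window_s}
    return sorted(targets) if len(targets) >= min_targets else []


if __name__ == "__main__":
    print("new destinations:", new_destinations(FLOWS, KNOWN_DESTINATIONS))
    for b in find_beacons(FLOWS):
        print("beacon:", b)
        print("fan-out:", internal_fanout(FLOWS, b))
```

Tune `min_count`, `max_cv` and the window to your environment; software updaters and monitoring agents also beacon, so the first thing to do with a hit is to check whether the destination is new (check 1) and whether the host's internal behaviour changed afterwards (check 3). Real SOCKS5 detection would additionally inspect the first payload bytes of the relayed sessions; this example stays at the flow level on purpose so it works on encrypted traffic.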

How NDR Detects Attacks

ExtraHop eliminates visibility gaps by providing real-time decryption and deep analysis of data in motion at wire speed. The RevealX platform decrypts and decodes more than 90 network protocols at speeds up to 100 Gbps to uncover malicious activity hidden within standard communications. This protocol fluency lets RevealX expose critical adversary maneuvers such as administrative credential abuse and lateral movement.

Using proprietary, patented machine learning and cloud-scale AI, ExtraHop establishes a dynamic behavioral baseline for every device on the network. Data-driven baselining lets the system flag small deviations that mark distinct attack phases, such as unauthorized scanning, unusual protocol use, or abnormal exfiltration. By evaluating the frequency, timing, and logical order of network events, the platform can intercept sophisticated actors early in the attack chain.

ExtraHop improves security operations efficiency by consolidating NDR, network performance monitoring (NPM), and forensics into a single interface. The platform provides comprehensive evidence, including full packet-level visibility and identity context (https://www.extrahop.com/use-cases/identity). This unified context lets incident responders quickly pinpoint the origin and scope of an attack, assess the blast radius, and confirm the network is clean before declaring the incident closed, preventing re-infection and strengthening the overall defense posture.

By uncovering these shifts from established traffic norms, ExtraHop provides the technical insight necessary for security teams to neutralize threats before they mature into major security incidents.


How ExtraHop Helps

ExtraHop RevealX detects MIMICRAT because the malware's ClickFix delivery and C2 beaconing produce anomalous network patterns that cannot be hidden by disabling local endpoint logs, AMSI, or ETW. With complete visibility into the network protocol layer, RevealX identifies the network activity associated with MIMICRAT in real time, so security teams can break the infection chain before the final RAT payload establishes stable C2. That is critical defense in depth against threats that are largely memory-resident.

Additional Sources for Reference

Learn More About ExtraHop

The network usually tells the story that logs and endpoints often miss. If you want to see how this actually works in practice, or if you're just curious about how your own environment holds up, there are a few ways we can help:

  • See it in action: We can jump on a quick call to show you how RevealX NDR picks up on the TTPs used in the MIMICRAT malware campaign.
  • Check your blind spots: We offer a simple network security assessment to help you find out if there’s activity moving sideways through your environment that your current tools aren't catching.
  • Your experts speak with our experts: If you have specific questions your team can spend time with ours.

Click HERE to schedule your time with us and learn more about ExtraHop RevealX NDR.

Blog author
Michael Zuckerman

Product Marketing Team

Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman’s domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandbox, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), Network detection and response (NDR), and encryption.

