Mallory

MIMICRAT

MIMICRAT (aka AstarionRAT) is a previously undocumented custom Windows remote access trojan (a native MSVC x64 C/C++ implant) that Elastic Security Labs observed being delivered through ClickFix campaigns abusing compromised legitimate websites. The infection chain starts with a fake Cloudflare verification page (the ClickFix lure) that instructs the victim to paste an obfuscated PowerShell command into the Windows Run dialog (Win+R). That command starts a multi-stage PowerShell sequence that bypasses ETW and AMSI, then drops and executes a Lua 5.4.7-based loader which decrypts and runs shellcode entirely in memory. A Meterpreter-like shellcode stage then reflectively loads the final MIMICRAT implant, so no stage after the initial PowerShell command needs to touch disk as a PE file.

MIMICRAT communicates with its C2 over HTTPS (TCP 443) using malleable HTTP(S) profiles built to resemble legitimate web-analytics traffic; the configuration is stored in the .data section, and headers and URIs are decoded at runtime. Reported cryptography is RSA-1024 for session-key exchange and AES with the hardcoded IV "abcdefghijklmnop". Both are weak choices: RSA-1024 is below current key-size recommendations, and a fixed IV means every session reuses the same IV, so recovering the AES session key (for example from a memory capture of the implant) is sufficient to decrypt recorded traffic; the IV string itself is also a stable artifact to search for in memory or in unpacked samples. Post-exploitation capabilities are driven by a 22-command dispatch table covering process and file-system control, interactive shell access, token theft and impersonation, shellcode injection, and SOCKS5 proxying/tunneling.

Elastic assessed tactical and infrastructure overlaps with a ClickFix campaign documented by Huntress that involves the Matanbuchus 3.0 loader, and further assessed that Matanbuchus can also deliver MIMICRAT. Targeting appears opportunistic across geographies (Elastic cited victims including a US-based university and Chinese-speaking users); the ClickFix lure is localized into 17 languages, selected from the browser's language settings. Researchers suspect the end goal is ransomware deployment or data exfiltration.

Delivery and C2 infrastructure and IOCs cited by Elastic:

Compromised sites: bincheck[.]io (injected JavaScript) and investonline[.]in (hosting /js/jq.php)
Initial-stage domains: xmri[.]network (45.13.212.250) and the related wexmri[.]cc
Post-exploitation C2: www.ndibstersoft[.]com (23.227.202.114)
CloudFront relay: d15mawx0xveem1.cloudfront[.]net
S3 delivery: backupdailyawss.s3.us-east-1.amazonaws[.]com/rgen.zip
SHA-256, Lua loader: 5e0a30d8d91d5fd46da73f3e6555936233d870ac789ca7dd64c9d3cc74719f51
SHA-256, MIMICRAT beacon: a508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b
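To put the indicators above to work, here is an added example (written for this page; it is not code from Elastic or from the Mallory product) that refangs the published IOCs and matches them against constructed key=value telemetry lines. The log format, timestamps and internal addresses are hypothetical. It matches domains by exact name or subdomain only, so a look-alike such as notxmri.network is not a hit; it compares the S3 and /js/jq.php indicators as host plus path rather than path alone; and it compares hashes case-insensitively.

```python
# IOCs exactly as published on this page (defanged with "[.]"); refanged at load time.
IOC_DOMAINS = [
    "bincheck[.]io", "investonline[.]in", "xmri[.]network", "wexmri[.]cc",
    "www.ndibstersoft[.]com", "d15mawx0xveem1.cloudfront[.]net",
]
IOC_IPS = ["45.13.212.250", "23.227.202.114"]
IOC_URLS = [
    "investonline[.]in/js/jq.php",
    "backupdailyawss.s3.us-east-1.amazonaws[.]com/rgen.zip",
]
IOC_SHA256 = [
    "5e0a30d8d91d5fd46da73f3e6555936233d870ac789ca7dd64c9d3cc74719f51",  # Lua loader
    "a508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b",  # MIMICRAT beacon
]

# Constructed sample telemetry (hypothetical key=value lines, not real logs): DNS,
# proxy and EDR file events. The last two lines are deliberate near-misses.
SAMPLE_LOGS = [
    "2025-01-01T10:00:01Z type=dns src=10.0.0.5 query=xmri.network answer=45.13.212.250",
    "2025-01-01T10:00:03Z type=proxy src=10.0.0.5 dst=23.227.202.114 host=www.ndibstersoft.com uri=/collect",
    "2025-01-01T10:00:05Z type=proxy src=10.0.0.7 dst=203.0.113.5 host=backupdailyawss.s3.us-east-1.amazonaws.com uri=/rgen.zip",
    "2025-01-01T10:00:09Z type=file src=10.0.0.7 path=C:\\Users\\a\\AppData\\Local\\Temp\\lua.exe "
    "sha256=5E0A30D8D91D5FD46DA73F3E6555936233D870AC789CA7DD64C9D3CC74719F51",
    "2025-01-01T10:01:00Z type=dns src=10.0.0.9 query=notxmri.network answer=93.184.216.34",
    "2025-01-01T10:01:05Z type=proxy src=10.0.0.9 dst=198.51.100.7 host=cdn.example.org uri=/js/jq.php",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions so the indicator can be compared directly."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = [refang(d) for d in IOC_DOMAINS]
IPS = set(IOC_IPS)
URLS = [tuple(refang(u).split("/", 1)) for u in IOC_URLS]   # (host, path without leading slash)
HASHES = {h.lower() for h in IOC_SHA256}


def parse_kv(line: str) -> dict:
    """Parse 'timestamp key=value key=value ...' into a dict (values contain no spaces)."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def domain_hit(host: str) -> list:
    """Exact or subdomain match only: 'notxmri.network' must not match 'xmri.network'."""
    host = host.lower()
    return [d for d in DOMAINS if host == d or host.endswith("." + d)]


def match_fields(fields: dict) -> list:
    """Return (indicator_type, indicator) pairs that the parsed event matches."""
    hits = []
    for key in ("query", "host"):
        hits += [("domain", d) for d in domain_hit(fields.get(key, ""))]
    for key in ("answer", "dst"):
        if fields.get(key) in IPS:
            hits.append(("ip", fields[key]))
    host, path = fields.get("host", "").lower(), fields.get("uri", "").lstrip("/")
    hits += [("url", f"{h}/{p}") for h, p in URLS if host == h and path == p]
    if fields.get("sha256", "").lower() in HASHES:
        hits.append(("sha256", fields["sha256"].lower()))
    return hits


def scan(lines) -> list:
    """One record per log line that matched at least one indicator."""
    out = []
    for line in lines:
        fields = parse_kv(line)
        hits = match_fields(fields)
        if hits:
            out.append({"ts": fields["ts"], "src": fields.get("src"), "hits": hits})
    return out


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOGS):
        print(rec["ts"], rec["src"], rec["hits"])
```

Against the sample lines this flags the DNS resolution of the initial-stage domain, the beacon to the post-exploitation C2, the S3 download and the loader hash, and ignores the two look-alikes. In a real pipeline the same match logic would run over the normalized fields your SIEM already extracts rather than over raw key=value text.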


MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic. Techniques that belong to several tactics (for example T1053, T1055 and T1134) are listed under each, so the per-tactic counts below add up to more than 16.

Initial Access

1 technique
T1566.003 Spearphishing via Service (evidence: 1)

“ClickFix lure: a fake Cloudflare verification page instructing the victim to manually paste and execute a command… copies a malicious PowerShell command directly to the victim's clipboard…”

Note that the quoted evidence describes a lure served from compromised websites rather than a message sent through a third-party service; in current ATT&CK, ClickFix-style delivery is more commonly mapped to T1189 Drive-by Compromise for the injected page and T1204.004 Malicious Copy and Paste for the user action.

Execution

4 techniques
T1053 Scheduled Task/Job (evidence: 1)

“Scheduled Task/Job” (listed in the report’s MITRE techniques section)

T1059.001 PowerShell (evidence: 2)

“Once the victim executes the clipboard command… an obfuscated PowerShell downloader contacts the C2 to retrieve a second-stage script…”

T1204 User Execution (evidence: 2)

"...instructing the victim to copy and paste a command into the Windows Run dialog..."

T1204.001 Malicious Link (evidence: 1)

“The entry point for victims is bincheck[.]io… injected a malicious JavaScript snippet… delivers the ClickFix lure…”

Persistence

1 technique
T1053 Scheduled Task/Job (evidence: 1)

“Scheduled Task/Job” (listed in the report’s MITRE techniques section)

Privilege Escalation

3 techniques
T1053 Scheduled Task/Job (evidence: 1)

“Scheduled Task/Job” (listed in the report’s MITRE techniques section)

T1055 Process Injection (evidence: 2)

“100 Inject shellcode Reflective shellcode injection”

T1134 Access Token Manipulation (evidence: 2)

“token impersonation… Windows token theft… Cmd 31 Steal token… Cmd 28 Revert impersonation… Cmd 12 Spawn process… using a stolen token if available”

Defense Evasion

3 techniques
T1027 Obfuscated Files or Information (evidence: 1)

“The command uses string slicing and arithmetic index operations… avoiding any plaintext representation of the C2 domain or PowerShell cmdlet names… All strings are constructed at runtime by resolving arithmetic expressions to ASCII characters…”
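The quoted obfuscation (strings built at runtime from arithmetic expressions resolved to ASCII characters, plus index operations over a seed string) is cheap to undo statically. The following is an added example written for this page, not Elastic's tooling and not the actual ClickFix command: the SAMPLE one-liner is constructed in that style, with a hypothetical seed string and the domain example.net, and the rewrite rules and variable names are this example's own. It evaluates the arithmetic by walking the Python AST rather than calling eval(), so the attacker-supplied text is never executed, and repeats the rewrites until the script stops changing.

```python
import ast
import operator
import re

# Constructed sample, not a string from Elastic's report: a one-liner in the style the
# quote describes, assembling every string from arithmetic [char] expressions and index
# lists over a seed string so that no domain or cmdlet name appears in plaintext.
SAMPLE = (
    "$k='p:/exa';"
    "$h=[char](104)+[char](0x74)+[char](100+16)+[char](112)+[char](115);"
    "$d=(-join $k[3,4,5])+[char](109)+[char](112)+[char](108)+[char](101);"
    "$u=$h+$k[1]+$k[2]+$k[2]+$d+[char](46)+[char](0x6E)+[char](101)+[char](116)"
)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def eval_arith(expr: str) -> int:
    """Evaluate an integer expression (decimal/hex literals, + - *, parentheses) by
    walking the Python AST; attacker-controlled text never reaches eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"unsupported arithmetic: {expr!r}")
    return walk(ast.parse(expr.strip(), mode="eval"))


# Rewrite rules, applied repeatedly until the script reaches a fixed point.
_CHAR = re.compile(r"\[char\]\(([^()]*)\)", re.IGNORECASE)   # [char](100+4)
_JOIN = re.compile(r"-join\s+'([^']*)'")                     # -join 'abc'
_PAREN = re.compile(r"\(\s*'([^']*)'\s*\)")                  # ('abc')
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")          # 'ab'+'cd'
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*(?:;|$)")   # $v='literal';
_INDEX = re.compile(r"\$(\w+)\[([0-9,\s]+)\]")               # $v[3,1,2]
_VAR = re.compile(r"\$(\w+)(?![\w\[]|\s*=)")                 # bare $v on a right-hand side


def _lit(s: str) -> str:
    return "'" + s + "'"


def deobfuscate(script: str) -> dict:
    """Statically resolve the script to a fixed point and return each variable's final
    plaintext value (variables that never collapse to a literal are omitted)."""
    text, known = script, {}

    def slice_var(m):
        name, idx = m.group(1), m.group(2)
        if name not in known:
            return m.group(0)
        return _lit("".join(known[name][int(i)] for i in idx.split(",")))

    def bare_var(m):
        return _lit(known[m.group(1)]) if m.group(1) in known else m.group(0)

    for _ in range(100):
        before = text
        text = _CHAR.sub(lambda m: _lit(chr(eval_arith(m.group(1)))), text)
        text = _JOIN.sub(lambda m: _lit(m.group(1)), text)
        text = _PAREN.sub(lambda m: _lit(m.group(1)), text)
        text = _CONCAT.sub(lambda m: _lit(m.group(1) + m.group(2)), text)
        known.update((m.group(1), m.group(2)) for m in _ASSIGN.finditer(text))
        text = _INDEX.sub(slice_var, text)
        text = _VAR.sub(bare_var, text)
        if text == before:
            break
    return known


if __name__ == "__main__":
    for name, value in deobfuscate(SAMPLE).items():
        print(f"${name} = {value}")
```

The output exposes the final URL ($u) and the intermediate strings the lure builds, which is what you need before the C2 hostname can be searched for in proxy or DNS logs. Real ClickFix one-liners also use Base64 layers, format operators and character-code arrays; each is one more rewrite rule in the same loop.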

T1055 Process Injection (evidence: 2)

“100 Inject shellcode Reflective shellcode injection”

T1134 Access Token Manipulation (evidence: 2)

“token impersonation… Windows token theft… Cmd 31 Steal token… Cmd 28 Revert impersonation… Cmd 12 Spawn process… using a stolen token if available”

Discovery

2 techniques
T1057 Process Discovery (evidence: 1)

“Cmd 32 List processes Enumerates running processes with PID, PPID, user, domain, and architecture”

T1083 File and Directory Discovery (evidence: 1)

“Cmd 53 List files… Cmd 55 List drives… Cmd 39 Get current directory”

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 2)

"...final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic..."; "The Trojan uses HTTPS for communicating with the C2 server..."

T1090 Proxy (evidence: 2)

“MIMICRAT… SOCKS5 tunneling… Cmd 101 SOCKS Configures SOCKS proxy channel”

T1219 Remote Access Tools (evidence: 1)

“It functions as both a remote access trojan and information stealer, capable of executing commands…” / “NetSupport RAT infections…” / “MIMICRAT… delivers Custom RAT…”

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

“HTTP POST Profile: Data Exfiltration… Cmd 11 Read file… and exfiltrates contents to C2”

Defense Evasion (Impair Defenses)

2 techniques
T1562.001 Disable or Modify Tools (evidence: 2)

"...performs ETW and AMSI bypass..."; "...patches... antivirus scanning (AMSI)..."

T1562.002 Disable Windows Event Logging (evidence: 1)

“patches its value to 0, effectively disabling Event Tracing for Windows… blinding PowerShell script block logging.”
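Script block logging is only blinded after the patch lands, so the script block that performs the ETW or AMSI patch is normally the last one recorded and is the thing to hunt for. Here is an added example written for this page (not Elastic's detection logic, and the events are constructed, not real 4104 captures) that covers both the AMSI bypass under T1562.001 and the ETW patch quoted here. Events 1 and 2 mimic the long-public .NET reflection patches (setting the EventProvider m_enabled field to 0, and setting AmsiUtils.amsiInitFailed to true), written the way a ClickFix stage would: with backtick escapes and string concatenation to split the telltale names. The indicator substrings are a simplification chosen for the example, not a vendor rule set.

```python
import re

# Constructed sample PowerShell script-block events (Microsoft-Windows-PowerShell
# event ID 4104 style), not real captures. Events 1 and 2 mimic the well-known
# public ETW and AMSI reflection patches; event 3 is benign.
SAMPLE_EVENTS = [
    {"record": 1, "script":
        "$e=[Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider');"
        "$f=$e.GetField('etwProvider','NonPublic,Static');$p=$f.GetValue($null);"
        "[Ref].Assembly.GetType('System.Diagnostics.Eventing.EventProvider')"
        ".GetField('m_enabled','NonPublic,Instance').SetValue($p,0)"},
    {"record": 2, "script":
        "[Ref].Assembly.GetType('System.Management.Automation.'+'Am'+'si'+'Utils')"
        ".GetField('amsi'+'Init'+'Failed','NonPublic,Static').SetValue($null,$true)"},
    {"record": 3, "script":
        "Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB"},
]

# Indicator substrings per ATT&CK technique, matched on the normalized script text.
# These are a simplification for the example, not a complete or vendor rule set.
RULES = {
    "T1562.002": ("psetwlogprovider", "etwprovider", "m_enabled"),
    "T1562.001": ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsicontext"),
}

# Two adjacent quoted literals joined by '+', in either quote style.
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalize(script: str) -> str:
    """Fold the cheap obfuscations used to split indicator names before matching:
    drop backtick escapes, merge 'a'+'b' string concatenations, lower-case."""
    text = script.replace("`", "")
    while True:
        folded = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), text)
        if folded == text:
            break
        text = folded
    return text.lower()


def detect(script: str) -> set:
    """Technique IDs whose indicators appear in the normalized script."""
    text = normalize(script)
    return {tid for tid, needles in RULES.items() if any(n in text for n in needles)}


def triage(events) -> list:
    """(record, sorted technique IDs) for every event that carries a bypass."""
    flagged = []
    for event in events:
        techniques = detect(event["script"])
        if techniques:
            flagged.append((event["record"], sorted(techniques)))
    return flagged


if __name__ == "__main__":
    for record, techniques in triage(SAMPLE_EVENTS):
        print(f"record {record}: {', '.join(techniques)}")
```

A practical follow-on check: if a host emits one of these flagged blocks and then goes quiet on 4104 events while the PowerShell process stays alive, treat that silence as corroboration rather than as absence of activity.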
