ClickFix Campaign Deploys MIMICRAT RAT via Compromised Websites
Summary
A sophisticated ClickFix campaign abuses compromised legitimate websites to deliver MIMICRAT (AstarionRAT), a custom C++ remote access trojan (RAT). The campaign uses a multi-stage PowerShell chain to bypass security mechanisms and deploy the RAT, which supports Windows token impersonation, SOCKS5 tunneling, and 22 post-exploitation commands. The campaign targets victims across multiple geographies and languages, with suspected goals of ransomware deployment or data exfiltration.
Timeline
- 20.02.2026 13:55 (1 article)
  ClickFix Campaign Deploys MIMICRAT RAT via Compromised Websites
  A sophisticated ClickFix campaign abuses compromised legitimate websites to deliver MIMICRAT, a custom C++ RAT with advanced post-exploitation capabilities. The campaign uses a multi-stage PowerShell chain to bypass security mechanisms and deploy the RAT, which communicates over HTTPS to evade detection. The campaign targets victims across multiple geographies and languages, with suspected goals of ransomware deployment or data exfiltration.
  - ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55
Information Snippets
- The ClickFix campaign abuses compromised legitimate websites across multiple industries and geographies to deliver MIMICRAT.
  First reported: 20.02.2026 13:55 (1 source, 1 article)
  - ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55
- MIMICRAT is a custom C++ RAT with capabilities for Windows token impersonation, SOCKS5 tunneling, and 22 post-exploitation commands.
  First reported: 20.02.2026 13:55 (1 source, 1 article)
  - ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55
- The campaign uses a multi-stage PowerShell chain to bypass ETW and AMSI before dropping a Lua-scripted shellcode loader.
  First reported: 20.02.2026 13:55 (1 source, 1 article)
  - ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55
- The final implant communicates over HTTPS on port 443, mimicking legitimate web analytics traffic.
  First reported: 20.02.2026 13:55 (1 source, 1 article)
  - ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55
- The campaign shares tactical and infrastructural overlaps with another ClickFix campaign that deploys the Matanbuchus 3.0 loader.
  First reported: 20.02.2026 13:55 (1 source, 1 article)
  - ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55
- The entry point for the infection is bincheck[.]io, a legitimate BIN validation service breached to inject malicious JavaScript.
  First reported: 20.02.2026 13:55 (1 source, 1 article)
  - ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55
- The campaign supports 17 languages, dynamically localizing content based on the victim's browser settings.
  First reported: 20.02.2026 13:55 (1 source, 1 article)
  - ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55
- Identified victims include a USA-based university and multiple Chinese-speaking users.
  First reported: 20.02.2026 13:55 (1 source, 1 article)
  - ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55