MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
Summary
Hide ▲
Show ▼
The MIMICRAT (aka AstarionRAT) malware has been disclosed as a ClickFix-delivered RAT that enables Windows token impersonation and SOCKS5 tunneling, increasing the risk of stealthy post-exploitation access. Its delivery chain uses compromised legitimate sites, a fake Cloudflare verification page, and a multi-stage PowerShell loader before the implant runs in memory. The activity matters because the malware supports interactive shell control, process and file-system operations, and shellcode injection for follow-on intrusion.
Related Happenings
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware ActivityAbout this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
TonRAT Node.js implant with TON blockchain C2
Malware ActivityAbout this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
H score32
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
CampaignAbout this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware ActivityAbout this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
AsyncRAT multi-stage delivery via trusted tools
Malware Activity
H score22
First: 11.06.2026 17:00
Last: 11.06.2026 17:00
Sources 1
About this happening:
A **Windows** malware chain is now delivering **AsyncRAT**, increasing the risk of **stealthy remote access** on targeted systems. The lure uses **AI study guides** and **develope...
AsyncRAT multi-stage delivery via trusted tools
Malware ActivityAbout this happening: A **Windows** malware chain is now delivering **AsyncRAT**, increasing the risk of **stealthy remote access** on targeted systems. The lure uses **AI study guides** and **develope...
Timeline
-
20.02.2026 13:55 2 articles · 4mo ago
Elastic Security Labs discloses ClickFix-delivered MIMICRAT campaign
Initial DisclosureElastic Security Labs disclosed a new ClickFix campaign that abused compromised legitimate sites, starting with bincheck[.]io, to deliver MIMICRAT (aka AstarionRAT), a custom C++ RAT with Windows token impersonation, SOCKS5 tunneling, and 22 post-exploitation commands. The delivery chain used a fake Cloudflare verification page, PowerShell execution, ETW and AMSI bypass, and a Lua-based loader that executed shellcode in memory; the campaign was discovered earlier this month and was associated with suspected ransomware deployment or data exfiltration.
Show sources
- ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55
- ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55