MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
Summary
The MIMICRAT (aka AstarionRAT) malware has been disclosed as a ClickFix-delivered RAT that enables Windows token impersonation and SOCKS5 tunneling, increasing the risk of stealthy post-exploitation access. Its delivery chain uses compromised legitimate sites, a fake Cloudflare verification page, and a multi-stage PowerShell loader before the implant runs in memory. The activity matters because the malware supports interactive shell control, process and file-system operations, and shellcode injection for follow-on intrusion.
Related Happenings
ClickFix attacks with PySoxy scheduled-task persistence
Malware Activity
First: 12.05.2026 15:00
Last: 12.05.2026 15:00
Sources 1
About this happening:
Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...
DeepLoad credential-stealing malware activity with WMI persistence
Malware Activity
First: 31.03.2026 00:25
Last: 31.03.2026 00:25
Sources 1
About this happening:
The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...
LeakNet ClickFix compromised-website targeting campaign
Campaign
First: 17.03.2026 16:34
Last: 17.03.2026 16:34
Sources 1
About this happening:
The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...
LeakNet ransomware gang ClickFix and Deno in-memory loader activity
Malware Activity
First: 17.03.2026 14:09
Last: 17.03.2026 14:09
Sources 1
About this happening:
The **LeakNet ransomware gang** has adopted **ClickFix** initial access and a **Deno-based loader** that executes malicious code in memory, making intrusions harder to detect and...
MacSync macOS infostealer with dynamic AppleScript and in-memory execution
Malware Activity
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...
Latest development: 10.05.2026 20:52
A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.
Timeline
- 20.02.2026 13:55 · 2 articles
Elastic Security Labs discloses ClickFix-delivered MIMICRAT campaign
Initial Disclosure: Elastic Security Labs disclosed a new ClickFix campaign that abused compromised legitimate sites, starting with bincheck[.]io, to deliver MIMICRAT (aka AstarionRAT), a custom C++ RAT with Windows token impersonation, SOCKS5 tunneling, and 22 post-exploitation commands. The delivery chain used a fake Cloudflare verification page, PowerShell execution, ETW and AMSI bypass, and a Lua-based loader that executed shellcode in memory; the campaign was discovered earlier this month and was associated with suspected ransomware deployment or data exfiltration.
Sources:
- ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT — thehackernews.com — 20.02.2026 13:55