Find notable cyber news and cases, enriched with sources, timelines, and signals.

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The MIMICRAT (aka AstarionRAT) malware has been disclosed as a ClickFix-delivered RAT that enables Windows token impersonation and SOCKS5 tunneling, increasing the risk of stealthy post-exploitation access. Its delivery chain uses compromised legitimate sites, a fake Cloudflare verification page, and a multi-stage PowerShell loader before the implant runs in memory. The activity matters because the malware supports interactive shell control, process and file-system operations, and shellcode injection for follow-on intrusion.

Related Happenings

TONResolver RAT delivered via ZIP, LNK, and PowerShell

Malware Activity
H score22 First: 30.06.2026 13:30 Last: 30.06.2026 13:30 Sources 1

About this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...

TonRAT Node.js implant with TON blockchain C2

Malware Activity
H score24 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...

Windows cryptocurrency clipper campaign targeting users via USB LNK worms

Campaign
H score32 First: 18.06.2026 17:30 Last: 18.06.2026 17:30 Sources 1

About this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...

Windows cryptocurrency clipper malware using USB LNK worming and Tor C2

Malware Activity
H score29 First: 18.06.2026 17:30 Last: 18.06.2026 17:30 Sources 1

About this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...

AsyncRAT multi-stage delivery via trusted tools

Malware Activity
H score22 First: 11.06.2026 17:00 Last: 11.06.2026 17:00 Sources 1

About this happening: A **Windows** malware chain is now delivering **AsyncRAT**, increasing the risk of **stealthy remote access** on targeted systems. The lure uses **AI study guides** and **develope...

Timeline

  1. 20.02.2026 13:55 2 articles · 4mo ago

    Elastic Security Labs discloses ClickFix-delivered MIMICRAT campaign

    Initial Disclosure

    Elastic Security Labs disclosed a new ClickFix campaign that abused compromised legitimate sites, starting with bincheck[.]io, to deliver MIMICRAT (aka AstarionRAT), a custom C++ RAT with Windows token impersonation, SOCKS5 tunneling, and 22 post-exploitation commands. The delivery chain used a fake Cloudflare verification page, PowerShell execution, ETW and AMSI bypass, and a Lua-based loader that executed shellcode in memory; the campaign was discovered earlier this month and was associated with suspected ransomware deployment or data exfiltration.

    Show sources