ClickFix Campaign Uses Compromised Sites to Deploy MIMICRAT
🔒 Elastic Security Labs disclosed a ClickFix campaign that leverages compromised legitimate websites to deliver a new remote access trojan named MIMICRAT. Attackers inject JavaScript to load an externally hosted PHP lure that shows a fake Cloudflare verification page and tricks victims into running a PowerShell command. A multi-stage PowerShell chain performs ETW and AMSI bypasses, then drops a Lua-based in-memory loader which decrypts shellcode to install the RAT. MIMICRAT communicates over HTTPS on port 443 using profiles that mimic web analytics and supports localized lures in 17 languages to widen impact.
