When Trust Becomes the Weapon: Inside the ClickFix/MIMICRAT Campaign Redefining Cyber Threats in 2026

In the early hours of February 2026, Elastic Security Labs researchers watching a stream of endpoint telemetry noticed something unusual: PowerShell processes launching with heavily obfuscated arguments on machines that had done nothing more suspicious than visit a legitimate financial services website. What they uncovered over the following days was not simply another malware campaign. It was a detailed, layered, and operationally sophisticated operation that crystallizes everything dangerous about the current threat landscape — a campaign that weaponizes human trust, abuses legitimate infrastructure, bypasses nearly every conventional defense, and drops a previously unseen, custom-built remote access trojan.

The campaign, now tracked under the name MIMICRAT (which shares significant technical overlap with AstarionRAT, a related implant documented by Huntress in a parallel ClickFix campaign), is among the most advanced public examples yet of what has become one of the most dangerous social engineering techniques in cybersecurity: ClickFix. Understanding this campaign means understanding not just how one particular piece of malware works, but how the entire modern threat landscape has shifted — from technical exploits to psychological manipulation, from attacker-owned infrastructure to hijacked trusted websites, from commodity malware to bespoke implants built for surgical, long-term access.

The ClickFix Technique: From Nuisance to Nation-State Weapon

To fully appreciate the MIMICRAT campaign, it is necessary to understand the foundation it is built on. ClickFix is a social engineering technique that was first documented in late 2023 and proliferated rapidly through early 2024, growing into one of the most prolific initial access methods in cybersecurity. The technique is, in its essence, elegantly simple: instead of attempting to exploit a software vulnerability or tricking a user into downloading a malicious file, the attacker tricks the user into running a malicious command themselves.

A victim visits a website — legitimate or attacker-controlled — and is presented with what appears to be a verification prompt, a CAPTCHA check, or an error requiring resolution. The page instructs the user to press Windows Key + R to open the Run dialog, then paste a command from their clipboard and press Enter. The malicious JavaScript running in the background has already silently loaded that command into the clipboard. The victim, believing they are completing a routine verification step, executes attacker code directly on their own machine.

"ClickFix emerged as the most prevalent initial access method in Defender Expert notifications in 2025, representing 47% of observed incidents." — Microsoft 2025 Digital Defense Report

Microsoft Threat Intelligence first documented ClickFix in use between March and June 2024, deployed by a threat actor tracked as Storm-1607 in campaigns delivering DarkGate malware. By the end of 2024, the technique had flooded the threat landscape. One campaign in May 2024 alone sent tens of thousands of phishing emails targeting organizations in the United States and Canada. According to Infosecurity Magazine, ClickFix attacks surged 517% in 2025 compared to the prior year.

What makes the technique so dangerous is not its technical complexity — it has essentially none. What makes it dangerous is that it circumvents nearly every layer of traditional defense. There is no malicious file attachment to scan. There is no executable to flag. There is no URL download that web filtering can block. Security awareness training has for years drilled users not to open suspicious attachments and not to click suspicious links. ClickFix sidesteps both by turning the user into the unwitting executor of the attacker's code.

The technique spread rapidly from criminal groups to state-sponsored actors. According to research published by Proofpoint in April 2025, over a roughly three-month period spanning late 2024 through early 2025, threat actors from North Korea, Iran, and Russia all incorporated ClickFix into their standard espionage operations. Groups involved included TA427 (Kimsuky, North Korea), TA450 (MuddyWater, Iran), APT28 (Russia's GRU military intelligence directorate), and a suspected Russian group tracked as UNK_RemoteRogue.

"The incorporation of ClickFix is not revolutionizing the campaigns carried out by these groups, but instead is replacing the installation and execution stages in existing infection chains." — Proofpoint Threat Research Team

This migration from cybercrime to espionage is significant. Nation-state groups adopt techniques not because they are novel, but because they are proven. ClickFix's adoption by APT28 and Kimsuky signals to the broader security community that this technique works even against sophisticated, security-conscious targets. The technique has also expanded beyond Windows: in 2024, ClickFix variants targeting macOS were observed using fake Google Meet errors to deliver AppleScript-based infostealers, and by May 2025, Hunt.io documented APT36 (Transparent Tribe) adapting ClickFix for Linux systems in campaigns spoofing India's Ministry of Defence, using clipboard-delivered shell commands with conditional OS detection to serve tailored payloads across all three major desktop platforms. By early 2026, ClickFix-as-a-Service builders were being sold on dark web forums for between $200 and $1,500 per month, with some vendors promising antivirus bypass and Microsoft Defender SmartScreen evasion.

The MIMICRAT campaign represents the next evolutionary step in this progression: a ClickFix deployment sophisticated enough to deliver a completely custom-built remote access trojan across a five-stage infection chain, using compromised legitimate websites as its delivery infrastructure throughout.

Stage One: The Art of Borrowed Trust

The MIMICRAT campaign was discovered by Elastic Security Labs in early February 2026, with initial indicators published publicly on February 11, 2026, to allow the broader security community to begin hunting for the threat. As of the date of Elastic's full report on February 20, 2026, the campaign remained active.

The entry point for victims was bincheck.io, a legitimate Bank Identification Number (BIN) validation service widely used by merchants and developers to verify payment card data. The threat actor did not build a lookalike site. They did not purchase a deceptive domain. Instead, they compromised the real website and injected a malicious JavaScript snippet directly into its pages. That snippet dynamically loaded an external script hosted at a second compromised website: investonline.in, a legitimate Indian mutual fund investment platform operated by Abchlor Investments Pvt. Ltd.

The external script was named to impersonate the jQuery JavaScript library, the most widely used JavaScript framework in the world. To any automated security scanner reviewing the resources loaded by the page, or to any analyst casually reviewing network traffic, the request would look indistinguishable from a standard jQuery library load. This layering of compromised legitimate infrastructure over compromised legitimate infrastructure creates a detection problem that is genuinely difficult to solve: how does an organization block requests to real, trusted websites that have been silently turned into attack infrastructure?

It is this remotely loaded script that delivers the ClickFix lure. A fake Cloudflare verification page appears, instructing the victim to paste and execute a command to resolve a supposed connectivity issue. The malicious PowerShell command is silently copied to the victim's clipboard by the JavaScript. The victim opens the Run dialog, pastes the command, and presses Enter. No file is downloaded. No browser warning fires. The attack has succeeded.

Global Targeting

Elastic Security Labs noted that the campaign supported 17 languages, with lure content dynamically localized based on the victim's browser language settings. The supported languages include English, Chinese, Russian, Spanish, French, German, Portuguese, Japanese, Korean, Italian, Turkish, Polish, Dutch, Vietnamese, Arabic, Hindi, and Indonesian. This is not the work of an opportunistic criminal actor throwing a wide net. This is calculated global targeting, with investment in localization that reflects genuine operational planning and resources.

Identified victims spanned multiple geographies, including a United States-based university and multiple Chinese-speaking users documented in public forum discussions, suggesting broad opportunistic targeting across industries and regions. Researchers at Huntress also documented related campaigns using similar infrastructure and techniques, indicating parallel operations running simultaneously. In a particularly notable parallel tracked by Huntress in February 2026, a separate ClickFix campaign delivered the premium Matanbuchus 3.0 loader — a Malware-as-a-Service product priced at up to $15,000 per month on Russian-speaking underground forums — which in turn deployed a related implant called AstarionRAT. That campaign featured hands-on-keyboard intrusion activity moving from initial compromise to domain controllers in under 40 minutes, with the apparent objective of ransomware deployment or data exfiltration. The shared use of Lua 5.4.7 interpreters, reflective loading, and RSA-encrypted C2 disguised as application telemetry across both MIMICRAT and AstarionRAT suggests either a shared development lineage or overlapping threat actor toolkits.

Stage Two: Blinding the Defenders

Once the victim executes the clipboard command, the attack transitions from social engineering to technical tradecraft. The first PowerShell command is intentionally compact and obfuscated, using string slicing and arithmetic index operations on a single seed string to reconstruct both the target domain and the PowerShell invocation mechanism at runtime. This means the command contains no plaintext reference to a command-and-control server or any recognizable PowerShell cmdlet name, defeating static signature detection entirely.

The first command contacts a C2 server resolving to the IP address 45.13.212.250 and downloads a second-stage PowerShell script. This second script is where the campaign's most technically sophisticated evasion takes place. All strings within it are constructed at runtime by resolving arithmetic expressions to ASCII character values, rendering the script entirely opaque to static analysis. The script then executes four sequential operations before doing anything else, all aimed at disabling the security mechanisms that would otherwise detect and block everything that follows.

Disabling Event Tracing for Windows (ETW)

Event Tracing for Windows is the primary mechanism through which Windows logs and audits process activity, including PowerShell script block logging. The script accesses the internal m_enabled field of the System.Diagnostics.Eventing.EventProvider class via reflection and patches its value to zero, effectively disabling ETW and making PowerShell script block logging cease to function. After this point, the attacker is operating in a blind spot from the perspective of any SIEM or log management system relying on Windows event logging.

Disabling the Antimalware Scan Interface (AMSI)

AMSI is the layer that allows antivirus and endpoint detection tools to scan script content at runtime, even when it has been obfuscated. The script sets the amsiInitFailed field within System.Management.Automation.AmsiUtils to true via reflection, causing PowerShell to skip all AMSI content scanning for the remainder of the session. This is a well-known bypass technique, but what makes this deployment notable is that the campaign uses not just the field-setting approach but also a secondary memory-patching technique — overwriting method pointers via Marshal.Copy to redirect execution away from the ScanContent function entirely. This double AMSI bypass provides redundancy: if one method fails or is detected, the other still neutralizes the protection.

With both ETW and AMSI stripped from the environment, the second-stage script decodes a base64-encoded ZIP archive, extracts it to a randomly named directory under the ProgramData folder, and executes a contained binary called zbuild.exe. Temporary artifacts are cleaned up after execution.

Stage Three: The Lua Loader

The zbuild.exe binary is a custom Lua 5.4.7 loader with a statically embedded Lua interpreter. It decrypts an embedded Lua script using an XOR routine at runtime, then executes the script. The Lua script implements a custom Base64 decoder using a non-standard alphabet to decode embedded shellcode, which is then allocated in executable memory and executed entirely in-memory. Nothing about the final payload ever touches disk in a form that static antivirus analysis would recognize. Lua is an unusual choice for a malware component — it is a lightweight scripting language not commonly associated with malicious tooling, which may help the loader evade behavioral detection rules tuned for more typical malware patterns.

Stage Four: The Meterpreter Gateway

The shellcode executed in memory matched Meterpreter-related signatures, according to Elastic Security Labs analysis. Meterpreter is the post-exploitation payload component of the Metasploit Framework, one of the most widely used penetration testing platforms in the world. The shellcode stage functions as a loader consistent with the Meterpreter code family, reflectively loading the final MIMICRAT payload directly into memory. Reflective loading means the implant is never written to disk as a recognizable executable at any stage of the process, making memory forensics the only viable recovery path.

The use of Meterpreter-style shellcode as an intermediate stage is instructive. It suggests the threat actor is comfortable working with established post-exploitation frameworks while simultaneously investing in a completely custom final payload. The Meterpreter stage provides reliable, memory-safe loading without requiring the actor to reinvent that mechanism, while MIMICRAT itself provides the unique, hard-to-detect capabilities needed for persistent access.

Stage Five: MIMICRAT — A Surgeon's Toolkit for Long-Term Access

The final payload, MIMICRAT, is where the full scope of the threat actor's investment becomes clear. Compiled with Microsoft Visual Studio (MSVC x64) with compilation metadata pointing to January 29, 2026 — roughly two weeks before Elastic first observed the campaign in endpoint telemetry — MIMICRAT is a native C++ implant built from scratch. It does not match any known open-source C2 framework. It implements its own malleable HTTP C2 profiles, its own command architecture, and its own layered encryption scheme.

Command and Control Architecture

MIMICRAT communicates with its C2 server over HTTPS on port 443, using a ten-second callback interval. The C2 server hostname is RC4-encrypted within the binary's configuration data and decrypted at runtime using a 100-character key. Once decrypted, the hostname points to a CloudFront relay hosted on Amazon's content delivery network — a deliberate choice, since HTTPS traffic to CloudFront domains is effectively indistinguishable from traffic to millions of legitimate websites using the same CDN.

The layered encryption scheme is sophisticated. An embedded RSA-1024 public key handles asymmetric session key exchange. AES is used for symmetric encryption of C2 traffic, with a hardcoded initialization vector and a session key derived from the SHA-256 hash of a randomly generated alphanumeric value. The result is that even if network traffic is captured and decrypted at the TLS layer, the application-layer content remains protected by another encryption layer beneath it.

The GET profile used for check-in and tasking mimics a Cortana analytics request, using a Microsoft Edge user agent string and a Google referrer header with an Accept-Language value of zh-CN — Chinese (Simplified). The POST profile used for data exfiltration mimics Google services traffic. Both profiles are designed to look like routine browser activity to network monitoring tools and human analysts reviewing traffic logs.
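As an added example, not code from Elastic's report or from the campaign itself, the Python below hunts for the traffic shape just described in web proxy logs: a near-constant callback interval to a CloudFront host, a Google referrer and a Microsoft-telemetry-style URI on that CDN host, and an Accept-Language outside the fleet's baseline. The log lines, client addresses, host names and URI paths are constructed, and the en-US baseline is an assumed fleet setting.

```python
"""Hunt MIMICRAT-style C2 in web proxy logs: regular beacons plus a mismatched HTTP profile.

Added example for this write-up, not Elastic's tooling or code from the campaign.
Log lines, client addresses, host names and URI paths below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log. Fields: time|client|method|host|path|referer|user_agent|accept_language
SAMPLE_LOG = """\
2026-02-10T09:00:00Z|10.0.0.5|GET|dexample1234567.cloudfront.net|/cortana/analytics|https://www.google.com/|Mozilla/5.0 Edg/122.0|zh-CN
2026-02-10T09:00:03Z|10.0.0.5|GET|news.example.org|/|-|Mozilla/5.0 Edg/122.0|en-US
2026-02-10T09:00:10Z|10.0.0.5|GET|dexample1234567.cloudfront.net|/cortana/analytics|https://www.google.com/|Mozilla/5.0 Edg/122.0|zh-CN
2026-02-10T09:00:21Z|10.0.0.5|GET|dexample1234567.cloudfront.net|/cortana/analytics|https://www.google.com/|Mozilla/5.0 Edg/122.0|zh-CN
2026-02-10T09:00:30Z|10.0.0.5|GET|dexample1234567.cloudfront.net|/cortana/analytics|https://www.google.com/|Mozilla/5.0 Edg/122.0|zh-CN
2026-02-10T09:00:41Z|10.0.0.5|GET|dexample1234567.cloudfront.net|/cortana/analytics|https://www.google.com/|Mozilla/5.0 Edg/122.0|zh-CN
2026-02-10T09:00:47Z|10.0.0.7|GET|dassets7654321.cloudfront.net|/static/app.js|https://shop.example.com/|Mozilla/5.0 Chrome/122.0|en-US
2026-02-10T09:00:50Z|10.0.0.5|GET|dexample1234567.cloudfront.net|/cortana/analytics|https://www.google.com/|Mozilla/5.0 Edg/122.0|zh-CN
2026-02-10T09:00:52Z|10.0.0.7|GET|dassets7654321.cloudfront.net|/static/app.css|https://shop.example.com/|Mozilla/5.0 Chrome/122.0|en-US
"""


@dataclass(frozen=True)
class Request:
    ts: datetime
    client: str
    method: str
    host: str
    path: str
    referer: str
    user_agent: str
    accept_language: str


def parse_log(text: str) -> list[Request]:
    """Parse the pipe-delimited log into Request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, referer, ua, lang = line.split("|")
        records.append(Request(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                               client, method, host, path, referer, ua, lang))
    return records


def beacon_stats(times: list[datetime]) -> tuple[float, float]:
    """Mean inter-arrival time and its coefficient of variation for a sorted series."""
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    interval = mean(deltas)
    return interval, (pstdev(deltas) / interval if interval else float("inf"))


def score_pair(host: str, reqs: list[Request], expected_langs: frozenset,
               min_requests: int = 5, max_cv: float = 0.15) -> list[str]:
    """Reasons one (client, host) series resembles the C2 profile described in the report."""
    reasons = []
    if len(reqs) >= min_requests:
        interval, cv = beacon_stats(sorted(r.ts for r in reqs))
        if cv <= max_cv:  # near-constant callback; operator jitter raises cv, so this test alone is weak
            reasons.append(f"regular beacon: {len(reqs)} requests every ~{interval:.0f}s (cv={cv:.2f})")
    if host.endswith(".cloudfront.net"):
        if any("google." in r.referer for r in reqs):
            reasons.append("Google referer on a CloudFront distribution")
        if any("cortana" in r.path.lower() for r in reqs):
            reasons.append("Microsoft-telemetry-style URI on a non-Microsoft host")
    langs = {r.accept_language for r in reqs} - expected_langs
    if langs:
        reasons.append(f"Accept-Language outside fleet baseline: {sorted(langs)}")
    return reasons


def suspicious_pairs(records: list[Request], expected_langs: frozenset = frozenset({"en-US"}),
                     min_reasons: int = 3) -> dict[tuple[str, str], list[str]]:
    """Group requests by (client, host) and keep pairs showing several independent anomalies."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r.client, r.host)].append(r)
    hits = {}
    for (client, host), reqs in by_pair.items():
        reasons = score_pair(host, reqs, expected_langs)
        if len(reasons) >= min_reasons:
            hits[(client, host)] = reasons
    return hits


if __name__ == "__main__":
    for (client, host), reasons in suspicious_pairs(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}")
        for why in reasons:
            print("   -", why)
```

Because the beacon interval and jitter are operator-configurable, the interval test is only one signal; a pair is reported only when several independent profile mismatches coincide.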

Post-Exploitation Capabilities

MIMICRAT implements 22 distinct commands across a comprehensive post-exploitation surface. These include process and file system control, interactive shell access, Windows token theft and impersonation, shellcode injection into arbitrary processes, and SOCKS5 proxy tunneling. The beacon interval and jitter are configurable by the operator at runtime.

The Windows token theft capability is particularly significant. Token impersonation allows MIMICRAT to steal the security token of any running process by its process ID and execute new processes under the identity of that token — including processes running as SYSTEM or as other users. Combined with SOCKS5 tunneling, which allows the attacker to proxy network traffic through the victim machine to reach otherwise-inaccessible internal resources, MIMICRAT provides everything an attacker needs for full lateral movement across a network from a single foothold.

Infrastructure analysis by Elastic Security Labs identified two clusters: an initial payload delivery infrastructure (the 45.13.212.250 and 45.13.212.251 addresses) and a separate post-exploitation C2 cluster including 23.227.202.114 and the domain ndibstersoft.com, in addition to the CloudFront relay. This separation of delivery and post-exploitation infrastructure is a standard operational security practice among sophisticated actors, designed to limit exposure if any single component is identified and blocked.

"The campaign demonstrates a high level of operational sophistication: compromised sites spanning multiple industries and geographies serve as delivery infrastructure, a multi-stage PowerShell chain performs ETW and AMSI bypass before dropping a Lua-scripted shellcode loader, and the final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic." — Elastic Security Labs, February 20, 2026

Connecting the Dots: Why This Campaign Matters

Viewed in isolation, the MIMICRAT campaign is a technically impressive but discrete malware operation. Viewed in context, it is a data point in a broader and deeply concerning trend. Every element of this campaign was specifically chosen to defeat a specific category of defense.

The use of compromised legitimate websites instead of attacker-registered domains defeats domain reputation filtering and threat intelligence feeds that block known-bad infrastructure. The ClickFix technique defeats browser-based download protections and traditional phishing awareness training. The ETW bypass defeats PowerShell script block logging and SIEM visibility. The AMSI bypass defeats runtime antivirus scanning. The Lua loader defeats behavioral signatures tuned for common malware languages. The reflective in-memory loading defeats file-based detection. The CloudFront relay and web analytics C2 profiles defeat network-based anomaly detection. The layered RSA/AES encryption defeats protocol-level decryption. The SOCKS5 tunneling defeats network segmentation. The token impersonation defeats user-privilege-based controls.

This is not a list of incidental features. It is a checklist of defeated defenses, each item representing a specific layer of enterprise security architecture that has been studied, understood, and systematically neutralized. The actor behind this campaign has either invested significant resources in developing a deep understanding of enterprise defensive architectures, or has access to experience and knowledge that comes from operating inside those environments. This level of operational sophistication is historically associated with nation-state actors or highly mature criminal organizations with nation-state-caliber resources, though attribution has not yet been established.

MITRE ATT&CK Mapping

The MIMICRAT campaign maps to the following ATT&CK techniques, providing defenders with a structured framework for detection rule development and gap analysis:

Initial Access: T1189 — Drive-by Compromise (compromised legitimate websites); T1204.001 — User Execution: Malicious Link (ClickFix clipboard-to-execution).
Execution: T1059.001 — Command and Scripting Interpreter: PowerShell (multi-stage PowerShell chain); T1059.010 — Command and Scripting Interpreter: AutoHotKey & AutoIT / Lua (Lua 5.4.7 loader).
Defense Evasion: T1562.001 — Impair Defenses: Disable or Modify Tools (ETW and AMSI bypass); T1027 — Obfuscated Files or Information (runtime string construction via arithmetic expressions); T1620 — Reflective Code Loading (Meterpreter-style reflective DLL injection); T1140 — Deobfuscate/Decode Files or Information (base64/XOR decryption of embedded payloads).
Privilege Escalation: T1134 — Access Token Manipulation (Windows token theft and impersonation).
Command and Control: T1071.001 — Application Layer Protocol: Web Protocols (HTTPS C2 over port 443 via CloudFront); T1573.002 — Encrypted Channel: Asymmetric Cryptography (RSA-1024/AES session encryption); T1090.002 — Proxy: External Proxy (CloudFront CDN relay).
Lateral Movement / Tunneling: T1572 — Protocol Tunneling (SOCKS5 proxy).

The 17-language localization of the lure content is another indicator worth examining carefully. Localizing social engineering content for 17 languages is not a small investment. It reflects either a very large target pool or a very specific desire to avoid geographic clustering that would make attribution easier. The presence of Chinese-language targets and a Chinese-language Accept-Language header in the C2 profile adds an additional layer of ambiguity. Whether this reflects the origin of the actor, the primary target set, or deliberate false-flag activity is not yet established.

It is also worth noting the timing of the campaign relative to the maturation of ClickFix as an attack technique. By February 2026, ClickFix has existed as a technique for roughly two years since its first widespread deployment in early 2024. In that time, it has been adopted by criminal actors, commoditized into purchasable kits, incorporated by nation-state APT groups from at least three different countries, expanded from Windows-only to cross-platform targeting of macOS and Linux, and now deployed as the initial access mechanism for a custom-built RAT with capabilities that rival commercial offensive security tools. The speed of this evolution — from niche criminal trick to APT-level deployment vehicle in two years — reflects the broader acceleration of threat actor sophistication that has defined the past several years.

What This Means for Defenders: A Realistic Assessment

The honest assessment for any organization reviewing this campaign is uncomfortable: many enterprise security stacks would not have detected this attack at any of its individual stages. The initial access is invisible to URL filtering and antivirus because no file is downloaded and no known-bad URL is contacted. The ETW bypass eliminates the primary log source many SIEM rules rely on for PowerShell detection. The AMSI bypass eliminates runtime scanning. The in-memory execution eliminates file-based detection. The CloudFront C2 eliminates domain reputation blocking. The web analytics profile eliminates many network anomaly detection approaches.

This does not mean the campaign is undetectable. It means detection requires a layered, behavioral, and context-aware approach rather than a signature-based one. The specific behaviors that remain detectable include: PowerShell processes launched from the Run dialog with obfuscated arguments; clipboard-to-execution patterns that can be flagged by endpoint detection platforms watching for that specific behavior sequence; reflection-based calls to AmsiUtils and EventProvider that represent known bypass patterns even if the string representation is obfuscated; network connections to CloudFront with unusual GET and POST URI patterns; and process tokens being duplicated and used to spawn new processes from unexpected parent-child relationships.
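The host-side behaviors listed above can be written as hunting logic over process-creation telemetry. This added example (not Elastic's detection rules or anything from the campaign) scores PowerShell command lines for the index-arithmetic obfuscation style, looks for the AmsiUtils and EventProvider names the report calls out, flags executables run from unrecognised ProgramData directories, and flags child processes whose account differs from their parent's. The Sysmon-style events, the random directory name and the non-functional imitation of an obfuscated command line are all constructed; the allowlists are assumptions to tune per fleet.

```python
"""Hunt ClickFix / MIMICRAT host behaviours in process-creation telemetry.

Added example for this write-up, not Elastic's detection content or code from the
campaign. Events are constructed Sysmon-style records; the obfuscated command line is
a non-functional imitation of the string-slicing pattern the report describes.
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed: one dict per process start
    {"pid": 400, "ppid": 300, "user": "CORP\\alice", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    # Run-dialog launch whose command is assembled from a seed string (constructed, does nothing)
    {"pid": 4120, "ppid": 400, "user": "CORP\\alice", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -w h -c \"$s='constructed seed string value';$d=$s[3,9,14,2]-join'';"
            "$v=($s[0..4]|%{[char]([int][char]$_+0)})-join'';& $v $d\""},
    # Second stage as it would surface in script block text: only the names the report calls out
    {"pid": 4130, "ppid": 4120, "user": "CORP\\alice", "image": PS, "parent": PS,
     "cmd": "powershell -nop -c \"<constructed: reflective access to "
            "System.Management.Automation.AmsiUtils.amsiInitFailed and "
            "System.Diagnostics.Eventing.EventProvider.m_enabled>\""},
    # Loader started from a randomly named ProgramData directory (directory name constructed)
    {"pid": 4140, "ppid": 4130, "user": "CORP\\alice", "image": r"C:\ProgramData\x7qk29fz\zbuild.exe",
     "parent": PS, "cmd": "zbuild.exe"},
    # Child running under a different account than its parent: the shape token impersonation leaves
    {"pid": 4150, "ppid": 4140, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\ProgramData\x7qk29fz\zbuild.exe", "cmd": "cmd.exe"},
    # Benign: readable PowerShell from the Run dialog, and a service host started by services.exe
    {"pid": 5000, "ppid": 400, "user": "CORP\\alice", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -NoProfile -Command Get-ChildItem C:\\Temp"},
    {"pid": 600, "ppid": 500, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\services.exe",
     "parent": r"C:\Windows\System32\wininit.exe", "cmd": "services.exe"},
    {"pid": 5010, "ppid": 600, "user": "NT AUTHORITY\\NETWORK SERVICE",
     "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmd": "svchost.exe -k NetworkService"},
]

INDEX_PICK = re.compile(r"\$\w+\[\s*\d+\s*(?:,\s*\d+\s*)+\]")  # $s[3,9,14]: characters picked by index
INDEX_RANGE = re.compile(r"\$\w+\[\s*\d+\s*\.\.\s*\d+\s*\]")   # $s[0..4]: substring by range
CHAR_MATH = re.compile(r"\[char\]\s*\(", re.I)                  # [char](expr): ASCII value arithmetic
JOIN_OP = re.compile(r"-join\s*['\"]", re.I)                    # glue the pieces back together
VAR_INVOKE = re.compile(r"&\s*\$\w+")                           # & $v: command name held in a variable
CMDLET = re.compile(r"\b[A-Z][a-z]+-[A-Z]\w+")                  # a Verb-Noun cmdlet in clear text
BYPASS_MARKERS = ("AmsiUtils", "amsiInitFailed", "EventProvider", "m_enabled")
PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\([^\\]+)\\[^\\]+\.exe$", re.I)
PROGRAMDATA_ALLOW = {"microsoft", "package cache"}  # assumed per-fleet allowlist of vendor directories
SERVICE_LAUNCHERS = {"services.exe", "wininit.exe", "winlogon.exe", "userinit.exe"}  # may legitimately change account


def obfuscation_score(cmd: str) -> int:
    """Heuristic score for runtime string assembly (0 = readable command line)."""
    score = len(INDEX_PICK.findall(cmd)) + len(INDEX_RANGE.findall(cmd))
    score += bool(CHAR_MATH.search(cmd)) + bool(JOIN_OP.search(cmd)) + bool(VAR_INVOKE.search(cmd))
    if score and not CMDLET.search(cmd):
        score += 1  # assembles something to run yet names no cmdlet in clear text
    return score


def analyze(events: list[dict], obfuscation_threshold: int = 3) -> dict[int, list[str]]:
    """Return {pid: [reasons]} for processes that match the campaign's observable behaviours."""
    user_of = {e["pid"]: e["user"] for e in events}
    findings = {}
    for e in events:
        reasons = []
        image = e["image"].rsplit("\\", 1)[-1].lower()
        parent = e["parent"].rsplit("\\", 1)[-1].lower()
        if image in {"powershell.exe", "pwsh.exe"}:
            score = obfuscation_score(e["cmd"])
            if score >= obfuscation_threshold:
                origin = " launched from the Run dialog (explorer.exe parent)" if parent == "explorer.exe" else ""
                reasons.append(f"obfuscated PowerShell (score {score}){origin}")
            markers = [m for m in BYPASS_MARKERS if m.lower() in e["cmd"].lower()]
            if markers:
                reasons.append("AMSI/ETW tamper markers: " + ", ".join(markers))
        m = PROGRAMDATA_EXE.match(e["image"])
        if m and m.group(1).lower() not in PROGRAMDATA_ALLOW:
            reasons.append(f"executable run from unrecognised ProgramData directory '{m.group(1)}'")
        parent_user = user_of.get(e["ppid"])
        if parent_user and parent_user != e["user"] and parent not in SERVICE_LAUNCHERS:
            reasons.append(f"runs as {e['user']} but parent runs as {parent_user} (token use)")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(EVENTS).items():
        print(pid, "|", "; ".join(reasons))
```

The tamper-marker check only fires where script text is visible (command lines, or script block events recorded before logging is patched out), so the parent-child and ProgramData checks matter most once ETW has been disabled.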

Elastic Security Labs published YARA rules for MIMICRAT upon disclosure, and the broader threat intelligence community has been sharing indicators of compromise. Organizations using endpoint detection platforms with behavioral analysis capabilities — as opposed to purely signature-based tools — have the best chance of catching this activity. Network monitoring that looks beyond simple domain reputation to include URI pattern analysis and HTTP header profiling would catch the C2 communication.

Security Awareness Training Needs to Evolve

Perhaps the most actionable near-term mitigation is not a technical control at all. The ClickFix technique — the entire foundation of this campaign — is defeated by a single piece of knowledge that has not yet made it into standard security awareness training curricula: no legitimate website, service, or IT department will ever ask a user to paste a command into the Run dialog or a terminal window. This is not a normal or legitimate user action. It has no legitimate counterpart in the normal operation of websites or business software.

The attack doesn't need an exploit. It needs a person who doesn't think twice. That's the part worth fixing first.

Security awareness programs should be updated immediately to include explicit, clear instruction on this point, ideally accompanied by simulated ClickFix exercises. The Proofpoint research showing APT groups adopting the technique validates that even technically sophisticated, security-conscious organizations have employees who can be tricked by this method. The defense is not technical sophistication — it is awareness and habit.

Recommended Technical Controls

Organizations should consider restricting the Windows Run dialog for standard users, enforcing PowerShell Constrained Language Mode, implementing application allowlisting, enabling DNS query logging, and deploying protective DNS services that can flag unusual outbound resolution. Microsoft also recommends restricting clipboard-to-execution workflows at the policy level where feasible, which directly addresses the core ClickFix mechanism.

Conclusion: The Age of Weaponized Trust

The ClickFix/MIMICRAT campaign is not a story about a clever piece of malware. It is a story about the systematic weaponization of trust at every level of the security stack. Trust in legitimate websites. Trust in cloud providers. Trust in verification workflows. Trust in the human instinct to fix things when instructed by an authority. Trust in the very infrastructure — CloudFront, HTTPS, web analytics — that organizations have built their security monitoring assumptions around.

Elastic Security Labs researcher Salim Bitam, who authored the primary technical analysis, noted that the campaign remains active as of the date of publication. The novelty of the final payload, the sophistication of the delivery infrastructure, and the investment in 17-language localization all suggest an actor with significant resources, operational discipline, and long-term objectives. Whether this campaign is the work of a criminal organization with APT-caliber capabilities, a nation-state actor operating under financial motivations, or something in between, it represents a meaningful escalation in the capabilities being deployed against organizations through ClickFix-style social engineering.

The trajectory is clear. ClickFix was first documented in late 2023 and became a niche criminal tactic through early 2024. By mid-2024 it was a dominant initial access method. By late 2024 it had been adopted by state-sponsored groups from three countries and had expanded to target macOS and Linux in addition to Windows. By early 2026 it is the delivery mechanism for a custom-built RAT that systematically defeats nearly every layer of conventional enterprise defense. The question organizations should be asking is not whether this technique will be used against them. It is whether they have updated their defenses, their awareness training, and their detection logic to account for a threat landscape where the user's own hands are the most dangerous attack vector in the room.

Indicators of Compromise

Key IOCs from Elastic Security Labs Disclosure

SHA-256 Hashes:
a508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b — MIMICRAT binary
bcc7a0e53ebc62c77b7b6e3585166bfd7164f65a8115e7c8bda568279ab4f6f1 — Stage 1 PowerShell

Payload Delivery Infrastructure:
45.13.212.250 / 45.13.212.251 — Initial payload delivery cluster
xmri[.]network / wexmri[.]cc — Stage 1 C2/payload delivery domains

Post-Exploitation C2:
23.227.202.114 — Post-exploitation C2 server
www.ndibstersoft[.]com — Post-exploitation C2 domain
d15mawx0xveem1.cloudfront[.]net — CloudFront C2 relay

Compromised Legitimate Sites:
bincheck[.]io — BIN validation service (entry point)
investonline[.]in — Indian mutual fund platform (script host)

Dropped Artifacts:
zbuild.exe — Lua-based loader binary
rgen.zip — Payload archive (hosted on backupdailyawss.s3.us-east-1.amazonaws[.]com)

YARA Rule: Elastic Security Labs published YARA rule Windows_Trojan_MimicRat (created 2026-02-13). Full IOC bundles are available in ECS and STIX format from Elastic's GitHub repository linked in their original report.

Sources and References

Elastic Security Labs. "MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites." February 20, 2026. elastic.co/security-labs

The Hacker News. "ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware." February 20, 2026. thehackernews.com

Proofpoint Threat Research. "Around the World in 90 Days: State-Sponsored Actors Try ClickFix." April 17, 2025. proofpoint.com

Microsoft Security Blog. "Think Before You ClickFix: Analyzing the ClickFix Social Engineering Technique." August 21, 2025. microsoft.com/en-us/security/blog

Microsoft 2025 Digital Defense Report. Cited via Todyl Security Analysis. todyl.com

Infosecurity Magazine. "ClickFix Attacks Surge 517% in 2025." June 26, 2025. infosecurity-magazine.com

HHS Health Sector Cybersecurity Coordination Center (HC3). "ClickFix Attacks Sector Alert." hhs.gov

Huntress. "ClickFix, Matanbuchus, AstarionRAT Analysis." huntress.com

Darktrace Threat Research. "Unpacking ClickFix: Darktrace Detection Insights." June 5, 2025. darktrace.com

Palo Alto Networks Unit 42. "Fix the Click: Preventing the ClickFix Attack Vector." August 4, 2025. unit42.paloaltonetworks.com

BleepingComputer. "State-Sponsored Hackers Embrace ClickFix Social Engineering Tactic." May 20, 2025. bleepingcomputer.com

SOCRadar. "ClickFix & FileFix: How a Copy-Paste Trick Became 2025's Top Social Engineering Threat." socradar.io

Hunt.io. "APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users." May 2025. hunt.io

BleepingComputer. "Hackers now testing ClickFix attacks against Linux targets." May 12, 2025. bleepingcomputer.com
