MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites
Essential information
- Published: 20/02/2026 14:51
- Modified: 20/02/2026 21:43
- Tags: 2026-02-20, clickfix, compromised websites, lua loader, mimicrat, multi-stage attack, powershell, rat, socks5 proxy, token theft
- Related entities: 8 observables, 10 techniques (MITRE), 7 others
Description
A ClickFix campaign has been uncovered that compromises legitimate websites to deliver a multi-stage malware chain culminating in MIMICRAT, a custom remote access trojan. Compromised sites spanning multiple industries and geographies serve as the delivery vector; from there, a five-stage PowerShell chain evades security controls before deploying a Lua-scripted shellcode loader. The final payload, MIMICRAT, is a native C++ RAT with malleable C2 profiles, Windows token theft, and SOCKS5 proxy functionality. The combination of multiple compromised websites, obfuscated scripts, and layered evasion techniques points to a high level of operational sophistication.