Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users
A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft, and data exfiltration without leaving traces on the disk. The malware establishes persistence via registry keys and communicates with a command and control server on port 4444. The campaign has been active since at least April 2025, primarily affecting German-speaking regions. Mitigation strategies include blocking suspicious PowerShell activity, monitoring registry changes, and implementing in-memory scanning for threats.
AI Analysis
Technical Summary
This threat involves a fileless malware campaign distributing AsyncRAT, a remote access trojan, targeting primarily German-speaking users through websites themed around the 'Clickfix' concept. The attack vector leverages a fake 'I'm not a robot' CAPTCHA prompt to trick victims into executing malicious PowerShell commands. These commands then download and execute obfuscated C# code directly in memory, avoiding any disk writes and thereby evading traditional file-based detection mechanisms. The in-memory execution allows the attacker to establish full remote control over the compromised system, enabling credential theft, data exfiltration, and other malicious activities. Persistence is maintained by creating or modifying registry keys, ensuring the malware survives system reboots. Communication with the attacker’s command and control (C2) infrastructure occurs over port 4444, facilitating ongoing control and data transfer. The campaign has been active since at least April 2025 and is focused on German-speaking regions, with indicators including multiple IP addresses and the domain 'namoet.de'. The use of obfuscation and fileless techniques complicates detection and mitigation. The attack employs multiple MITRE ATT&CK techniques such as T1056.001 (Input Capture: Keylogging), T1140 (Deobfuscate/Decode Files or Information), T1059.001 (PowerShell), T1547.001 (Registry Run Keys/Startup Folder), T1571 (Non-Standard Port), T1027 (Obfuscated Files or Information), T1127.001 (Trusted Developer Utilities Proxy Execution), T1071.001 (Web Protocols), T1105 (Ingress Tool Transfer), and T1055.001 (Process Injection). This combination highlights a sophisticated, stealthy approach to compromise and maintain control over victim systems without leaving traditional forensic artifacts on disk.
Potential Impact
European organizations, especially those in German-speaking countries such as Germany, Austria, and parts of Switzerland, face significant risks from this campaign. The fileless nature of the malware reduces the likelihood of detection by conventional antivirus solutions, increasing the chance of prolonged undetected access. Compromise can lead to unauthorized remote control of critical systems, theft of sensitive credentials, and exfiltration of confidential data, potentially impacting business operations, intellectual property, and customer privacy. The persistence mechanism via registry keys means that infected systems may remain compromised even after reboots, complicating remediation efforts. The use of PowerShell and obfuscated C# code in memory also suggests that organizations relying heavily on Windows environments with PowerShell enabled are particularly vulnerable. The campaign’s targeting of German-speaking users indicates a focus on organizations with German language interfaces or localized websites, which may include government agencies, manufacturing, finance, and technology sectors prevalent in these regions. The exploitation of web-based social engineering (fake CAPTCHA) also implies that employees’ security awareness is a critical factor. Overall, the campaign poses a medium to high operational risk, with potential for data breaches, espionage, and disruption of services.
Mitigation Recommendations
To effectively mitigate this threat, European organizations should implement targeted and advanced defensive measures beyond generic best practices. First, enforce strict PowerShell logging and enable PowerShell Constrained Language Mode or Application Control policies (e.g., AppLocker or Windows Defender Application Control) to restrict unauthorized script execution. Deploy endpoint detection and response (EDR) solutions capable of in-memory scanning and behavioral analysis to detect obfuscated code execution and process injection activities. Monitor and alert on suspicious registry modifications, particularly those related to persistence mechanisms (e.g., Run keys). Network defenses should include blocking outbound traffic to known malicious IP addresses and domains associated with the campaign (e.g., the listed 109.250.x.x IP range and namoet.de domain), and restricting or monitoring traffic on non-standard ports such as 4444. Conduct regular phishing and social engineering awareness training tailored to recognize fake CAPTCHA prompts and other web-based lures. Implement multi-factor authentication (MFA) to reduce the impact of credential theft. Regularly audit and harden browser and PowerShell configurations to limit script-based exploitation. Finally, maintain up-to-date threat intelligence feeds to quickly identify and respond to emerging indicators related to this campaign.
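As an added illustration of the detection measures above (example code, not from the advisory or its source), a Python triage script that applies the page's indicators to constructed Sysmon-style telemetry: port 4444, the 109.250.x.x range exactly as the text words it, namoet.de in a PowerShell command line, and Run-key writes, correlated per process so one alert carries the whole chain. The sample events, pids, the Run value name and the benign browser connection are assumptions; the destination address 109.250.110.190 is taken from the advisory's indicator list.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators from the advisory above; the /16 mirrors its "109.250.x.x" wording
# and should be tightened to the exact addresses in your IoC feed.
IOC_NET = ipaddress.ip_network("109.250.0.0/16")
IOC_DOMAIN = "namoet.de"
IOC_PORT = 4444
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)  # T1547.001
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)

# Constructed Sysmon-style telemetry (not real logs): the command line is elided
# down to the staging URL, and pids and the Run value name are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": PS,
     "cmdline": 'powershell.exe -w hidden -nop -c "... http://namoet.de/x ..."'},
    {"type": "net", "pid": 4120, "image": PS, "dst_ip": "109.250.110.190", "dst_port": 4444},
    {"type": "registry", "pid": 4120, "image": PS,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"type": "net", "pid": 2210, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

def match_event(ev):
    """Return ATT&CK-tagged reasons a single event matches the campaign."""
    hits = []
    if ev["type"] == "net":
        if ev["dst_port"] == IOC_PORT:
            hits.append("T1571 outbound connection on port 4444")
        if ipaddress.ip_address(ev["dst_ip"]) in IOC_NET:
            hits.append("T1071.001 outbound connection into the 109.250.x.x range")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        hits.append("T1547.001 value written under a Run key")
    elif (ev["type"] == "process" and POWERSHELL.search(ev["image"])
          and IOC_DOMAIN in ev["cmdline"].lower()):
        hits.append("T1059.001 PowerShell command line references namoet.de")
    return hits

def correlate(events):
    """Group hits per pid; two or more distinct techniques from one process is the
    download -> C2 -> persistence chain the advisory describes, rated 'high'."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].extend(match_event(ev))
    return {pid: ("high" if len({h.split()[0] for h in hits}) >= 2 else "medium", hits)
            for pid, hits in by_pid.items() if hits}
```

Running `correlate(SAMPLE_EVENTS)` flags only pid 4120, at severity "high" with four technique hits, while the browser's HTTPS connection produces nothing.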
Affected Countries
Germany, Austria, Switzerland
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cloudsek.com/blog/fileless-asyncrat-distributed-via-clickfix-technique-targeting-german-speaking-users
- Adversary: null
- Pulse Id: 6850162664e0f589c91291f6
- Threat Score: null
Threat ID: 6850327ca8c9212743843eec
Added to database: 6/16/2025, 3:04:28 PM
Last enriched: 6/16/2025, 3:21:10 PM
Last updated: 8/14/2025, 9:18:34 PM