The MIMICRAT ClickFix campaign represents a highly sophisticated cyberattack that compromises legitimate websites across various industries and regions to serve as infection vectors. The attack unfolds through a multi-stage process beginning with a five-stage PowerShell chain designed to bypass security controls and evade detection. This chain ultimately deploys a Lua-scripted shellcode loader, which then loads MIMICRAT, a custom-built native C++ remote access trojan. MIMICRAT is engineered with advanced capabilities including malleable C2 profiles that allow flexible command-and-control communication, Windows token theft to escalate privileges and impersonate users, and SOCKS5 proxy functionality enabling attackers to route traffic through infected hosts for stealth and lateral movement. The campaign leverages obfuscated scripts and multiple compromised websites, complicating detection and attribution. The use of legitimate websites for delivery increases the likelihood of successful infection as users and security tools may trust these sites. The campaign’s indicators include specific domains such as xmri.network, investonline.in, and wexmri.cc, along with numerous file hashes and an IP address (45.13.212.250). The attack techniques align with MITRE ATT&CK tactics including process injection (T1055), scheduled task execution (T1053), obfuscated files or information (T1562), and user execution (T1204). Despite no known exploits in the wild or CVSS score, the campaign’s operational sophistication and multi-stage evasion techniques mark it as a significant threat.

Organizations worldwide face risks including unauthorized remote access, credential and token theft, and the potential for attackers to use infected systems as proxies for further attacks. The Windows token theft capability enables privilege escalation and lateral movement within networks, increasing the potential for data breaches and system compromise. The SOCKS5 proxy feature allows attackers to anonymize their traffic and pivot within victim environments, complicating incident response and forensic investigations. The use of compromised legitimate websites as infection vectors increases the risk of widespread exposure, especially to organizations that rely on these sites or have users who visit them. This campaign could disrupt business operations, lead to data exfiltration, and facilitate further malware deployment or espionage activities. The multi-stage nature and obfuscation techniques may delay detection, allowing attackers prolonged access and control. Industries with high reliance on web services and those with less mature endpoint detection capabilities are particularly vulnerable.

Organizations should implement advanced PowerShell logging and monitoring to detect suspicious multi-stage script execution chains. Deploy endpoint detection and response (EDR) solutions capable of identifying obfuscated scripts and unusual process injection behaviors. Regularly audit and harden web-facing assets to prevent compromise, including timely patching and use of web application firewalls (WAFs). Monitor network traffic for anomalous SOCKS5 proxy connections or unusual outbound communications to known malicious domains or IPs such as those identified in this campaign. Employ strict application whitelisting and restrict PowerShell execution policies to limit unauthorized script execution. Conduct threat hunting using the provided indicators of compromise (IOCs) including domains, IP addresses, and file hashes. Educate users about risks of visiting compromised legitimate websites and enforce least privilege principles to minimize token theft impact. Incident response teams should prepare to investigate token theft and lateral movement scenarios. Collaboration with threat intelligence providers to stay updated on campaign developments is also recommended.