PROBABLYPWNED
Malware · February 21, 2026 · 4 min read

ClickFix Campaign Deploys MIMICRAT Through Compromised BIN Sites

Elastic Security Labs uncovers ClickFix campaign abusing compromised bincheck.io to deliver MIMICRAT, a custom C++ RAT with SOCKS5 tunneling and token impersonation capabilities.

James Rivera

Elastic Security Labs has disclosed details of a new ClickFix campaign delivering a previously undocumented remote access trojan dubbed MIMICRAT through compromised legitimate websites. The attack chain begins with bincheck.io, a Bank Identification Number validation service that attackers breached to inject malicious JavaScript.

Researchers first identified the campaign in early February 2026 through endpoint telemetry flagging suspicious PowerShell execution with obfuscated command-line arguments. The final MIMICRAT payload, compiled on January 29, 2026, demonstrates sophisticated post-exploitation capabilities including Windows token impersonation and SOCKS5 tunneling.

The ClickFix Social Engineering Trap

ClickFix attacks have evolved significantly since we first covered the technique, in the context of Microsoft's DNS-based disclosure earlier this month. This campaign takes a different approach: rather than using malvertising or fake software updates, the attackers compromised a legitimate financial services tool that developers and payment processors actively use.

When victims visit the compromised bincheck.io, injected JavaScript loads an externally hosted PHP script that renders a fake Cloudflare verification page. The lure instructs users to copy and paste a command into the Windows Run dialog—a signature ClickFix technique that bypasses browser-based protections by tricking users into executing commands themselves.

According to Elastic's research, the pasted command triggers PowerShell execution that:

  1. Contacts a command-and-control server to fetch a second-stage script
  2. Patches Windows Event Tracing (ETW) to prevent logging
  3. Disables AMSI scanning to evade antivirus detection
  4. Drops a Lua-based loader that decrypts MIMICRAT shellcode

The multi-stage chain makes detection challenging. By the time MIMICRAT executes in memory, the attack has already neutralized two major visibility sources.

MIMICRAT's Capabilities

MIMICRAT is a custom C++ RAT supporting 22 distinct commands for comprehensive post-exploitation operations:

  • Token impersonation to escalate privileges and move laterally
  • SOCKS5 tunneling for proxying traffic through infected hosts
  • File operations including upload, download, rename, and delete
  • System reconnaissance gathering device information and running processes
  • Directory enumeration for mapping file systems
  • Folder creation for staging payloads and exfiltration

The RAT's architecture mimics legitimate command-and-control frameworks, which may explain the "MIMIC" naming. This design choice complicates attribution and lets its traffic blend in with that of legitimate penetration-testing frameworks that defenders might allowlist.
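
The SOCKS5 capability is the one network-side artefact of MIMICRAT that a defender can look for directly, which is also what mitigation item 4 below asks for. The following is an added example, not code from the article or from Elastic: it parses the client side of a SOCKS5 negotiation (RFC 1928: method greeting, then CONNECT/BIND/UDP request) out of captured TCP payload and flags sessions that are not headed for an approved proxy. The flow records, the approved-proxy address and the field names are constructed assumptions for the example.

```python
"""Recognise SOCKS5 negotiation (RFC 1928) in captured TCP payload so that
unauthorised tunnelling through a host can be flagged. Added example; the
flows, the approved proxy and the record layout are constructed assumptions."""
import ipaddress
import struct

CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
AUTH_NAMES = {0: "no-auth", 2: "username/password"}

# Assumption: the one sanctioned corporate SOCKS proxy (constructed address).
APPROVED_PROXIES = {("10.0.0.5", 1080)}


def parse_socks5_client(payload: bytes):
    """Parse the client side of a SOCKS5 exchange: the method greeting
    (VER NMETHODS METHODS) optionally followed by the request
    (VER CMD RSV ATYP DST.ADDR DST.PORT). Returns None if not SOCKS5."""
    if len(payload) < 3 or payload[0] != 5:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    methods = list(payload[2:2 + nmethods])
    result = {"auth_methods": [AUTH_NAMES.get(m, hex(m)) for m in methods]}

    req = payload[2 + nmethods:]
    if len(req) < 4 or req[0] != 5 or req[2] != 0:
        return result  # greeting only; the request was not in this chunk
    cmd, atyp = req[1], req[3]
    if atyp == 1 and len(req) >= 10:            # IPv4 address
        host = str(ipaddress.IPv4Address(req[4:8]))
        port = struct.unpack("!H", req[8:10])[0]
    elif atyp == 3 and len(req) >= 5 and len(req) >= 7 + req[4]:  # domain name
        n = req[4]
        host = req[5:5 + n].decode("ascii", "replace")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
    elif atyp == 4 and len(req) >= 22:          # IPv6 address
        host = str(ipaddress.IPv6Address(req[4:20]))
        port = struct.unpack("!H", req[20:22])[0]
    else:
        return result
    result.update({"cmd": CMD_NAMES.get(cmd, hex(cmd)), "dst_host": host, "dst_port": port})
    return result


def find_unauthorised_socks(flows):
    """flows: dicts {src, dst, dport, payload}, payload being the SOCKS-client
    side of one session. Sessions to an approved proxy are ignored."""
    hits = []
    for f in flows:
        parsed = parse_socks5_client(f["payload"])
        if parsed is None or (f["dst"], f["dport"]) in APPROVED_PROXIES:
            continue
        hits.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"], **parsed})
    return hits


# Constructed sample flows (documentation address ranges, not real captures).
SAMPLE_FLOWS = [
    # greeting (no-auth) + CONNECT to an internal file server via an external host
    {"src": "10.1.2.3", "dst": "198.51.100.20", "dport": 8443,
     "payload": b"\x05\x01\x00" + b"\x05\x01\x00\x03\x1bfileserver.internal.example\x01\xbd"},
    # same protocol, but to the approved corporate proxy: CONNECT 192.0.2.10:443
    {"src": "10.1.2.3", "dst": "10.0.0.5", "dport": 1080,
     "payload": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x01\xbb"},
    # ordinary TLS ClientHello prefix: not SOCKS
    {"src": "10.1.2.3", "dst": "198.51.100.20", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
    # greeting only, request not yet seen in this chunk
    {"src": "10.1.2.3", "dst": "198.51.100.21", "dport": 1080, "payload": b"\x05\x01\x00"},
]

if __name__ == "__main__":
    for hit in find_unauthorised_socks(SAMPLE_FLOWS):
        print(hit)
```

An implant usually relays in reverse: it dials out to the C2, and the operator's SOCKS-client bytes then arrive over that host-initiated session. Feed both directions of every session through the parser, not only the client-to-server direction, or the reverse case is missed.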

Victims Span Multiple Industries

Elastic's telemetry identified victims including a US-based university and users in Chinese-speaking regions. The geographic spread suggests opportunistic targeting rather than a focused campaign against specific sectors.

The suspected end goal? Ransomware deployment or data exfiltration. Initial access through financial service tools positions attackers well for both—they gain footholds in organizations with payment processing operations and sensitive transaction data.

This pattern aligns with broader trends we've tracked across ClickFix variants targeting enterprise environments. The social engineering component continues evolving, but the core technique remains effective: convince users to execute commands themselves, bypassing security controls that block automated exploitation.

Detection and Mitigation

Organizations should implement several defensive measures:

  1. Block PowerShell execution from the Run dialog via AppLocker or WDAC policies
  2. Monitor for ETW and AMSI tampering as early-stage indicators
  3. Alert on Lua interpreter execution in unexpected contexts
  4. Inspect outbound SOCKS5 traffic for unauthorized tunneling
  5. Educate users about verification lures demanding command execution
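
Items 1 to 3 of the list above are all visible in process-creation telemetry, and the way they cluster in one session is what separates a ClickFix paste from a user who just opened a prompt. The following is an added example, not code from the article, from Elastic or from any product: a scoring triage over process-creation events that flags a script host spawned from the Run dialog (parent explorer.exe), obfuscated PowerShell launch flags, the AMSI/ETW API names that tampering references, and a Lua interpreter running from a script host or a user-writable path. The event records are constructed and modelled loosely on Sysmon Event ID 1 fields; the field names, weights and threshold are assumptions to adapt to your own SIEM schema.

```python
"""Heuristic triage of Windows process-creation events for the ClickFix
indicators discussed in the article. Added example; the events are constructed
and the field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1
only loosely, so adapt the keys and weights to your own telemetry."""
import re

# Script hosts whose launch straight from the shell (parent explorer.exe) is
# what a command pasted into the Run dialog looks like.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# (label, lowercase regex, weight) for obfuscated or download-cradle launch flags.
OBFUSCATION = [
    ("encoded_command",   r"-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{40,}", 2),
    ("hidden_window",     r"-w(?:indowstyle)?\s+hidden", 2),
    ("no_profile",        r"-nop(?:rofile)?\b", 2),
    ("invoke_expression", r"\biex\b|invoke-expression", 2),
    ("remote_fetch",      r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient", 2),
]

# API names that in-memory AMSI / ETW patching has to reference (article steps
# 2 and 3); seeing them in a command line or script block is an early indicator.
TAMPERING = [
    ("amsi_tamper", r"amsiscanbuffer|amsiinitfailed|amsiutils", 4),
    ("etw_tamper",  r"etweventwrite|nttraceevent|psetwlogprovider", 4),
]

LUA_IMAGE = re.compile(r"lua(?:\d+(?:\.\d+)?|jit)?\.exe")
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: dict):
    """Return (score, [labels]) for one process-creation event."""
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    hits = []

    # 1. Script host spawned by the shell: the Run-dialog paste.
    if image in SCRIPT_HOSTS and parent == "explorer.exe":
        hits.append(("run_dialog_launch", 3))

    # 2./3. Obfuscated launch flags and AMSI/ETW tampering strings.
    for label, pattern, weight in OBFUSCATION + TAMPERING:
        if re.search(pattern, cmd):
            hits.append((label, weight))

    # 4. Lua interpreter in an unexpected context: spawned by a script host or
    #    running from a user-writable directory.
    if LUA_IMAGE.fullmatch(image):
        if parent in SCRIPT_HOSTS:
            hits.append(("lua_from_script_host", 3))
        if any(seg in ev.get("Image", "").lower() for seg in USER_WRITABLE):
            hits.append(("lua_user_writable_path", 2))

    return sum(w for _, w in hits), [label for label, _ in hits]


def alerts(events, threshold: int = 5):
    """Events whose score reaches the threshold. A bare cmd.exe opened from the
    Run dialog scores 3 and stays below it, which keeps false positives down."""
    out = []
    for ev in events:
        score, labels = triage_event(ev)
        if score >= threshold:
            out.append({"pid": ev.get("ProcessId"), "score": score, "labels": labels})
    return out


# Constructed sample events (not real telemetry from the campaign).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # pasted ClickFix launch: hidden, no profile, long encoded blob (constructed filler)
    {"ProcessId": 1001, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + "QUJD" * 15},
    # second stage; the quoted text is a constructed stand-in carrying only the indicator names
    {"ProcessId": 1002, "Image": PS, "ParentImage": PS,
     "CommandLine": 'powershell -nop -c "[constructed stand-in] AmsiScanBuffer EtwEventWrite"'},
    # Lua loader stage run by PowerShell from a public directory
    {"ProcessId": 1003, "Image": r"C:\Users\Public\lua54.exe", "ParentImage": PS,
     "CommandLine": r"lua54.exe C:\Users\Public\loader.lua"},
    # benign scheduled task
    {"ProcessId": 1004, "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    # user simply opened a command prompt from the Run dialog
    {"ProcessId": 1005, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```

The weights are deliberately additive rather than any single indicator being an alert on its own: the chain the article describes produces several of these signals within seconds of each other in one process tree, and correlating them by parent PID is what distinguishes it from routine administrator activity. Script-block logging (PowerShell Event ID 4104) exposes the tampering strings even when the command line is encoded, so run the same patterns over that field where it is available.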

The bincheck.io compromise highlights supply chain risks in web-based developer tools. Even trusted services can become attack vectors when compromised. Consider implementing browser isolation for financial and developer tools accessed through web interfaces.

Why This Matters

ClickFix represents a troubling evolution in social engineering. Traditional phishing requires victims to click links or open attachments—actions security training emphasizes avoiding. ClickFix reframes the interaction: victims believe they're completing legitimate verification steps, not executing malicious commands.

The technique's success rate appears high enough that threat actors continue investing in new variants and delivery mechanisms. Security teams should update awareness training to cover "verification" lures that demand command execution or clipboard operations.

For organizations wanting to understand the broader social engineering threat landscape, our social engineering guide covers manipulation techniques attackers use to bypass technical controls by exploiting human trust.
