MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites
ID: 48342a2d-2922-54cf-9937-ec70f4e28738
STIX ID: report--48342a2d-2922-54cf-9937-ec70f4e28738
Feed Name: Elastic Security Labs
Elastic Security Labs documents an active, multi-stage ClickFix campaign that compromises legitimate websites and uses them to deliver a five-stage infection chain ending in MIMICRAT, a bespoke native C++ remote access trojan. The report covers delivery through clipboard PowerShell lures, ETW and AMSI bypasses, a Lua in-memory loader and shellcode stage, and the RAT's post-exploitation capabilities (token theft, SOCKS5 tunneling, and a dispatcher for 22 commands), along with the associated IOCs and infrastructure, including CloudFront C2 relays and multiple IP addresses and domains.
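The clipboard lure in a ClickFix campaign has the victim paste a command into the Windows Run dialog, which Explorer records under the RunMRU registry key. The triage script below is an added example and not code from the Elastic report: it reads that key on a live host and flags entries matching generic PowerShell-abuse strings chosen for this example (the report's own campaign-specific indicators are not reproduced here). It covers only the Run-dialog vector, not pastes into a terminal.

```powershell
# Added triage example (not from the Elastic report): list Win+R history entries
# that look like a ClickFix paste. Explorer stores Run-dialog history under RunMRU.
$runMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Generic indicator strings chosen for this example; extend with the report's IOCs.
$suspicious = @(
    'powershell', 'pwsh', 'iex', 'invoke-expression', '-enc', 'encodedcommand',
    'mshta', 'downloadstring', 'frombase64string', 'bypass', 'hidden', 'curl ', 'http'
)

function Get-RunMruEntries {
    # Returns the stored Run-dialog commands, most recent first.
    if (-not (Test-Path $runMruPath)) { return @() }
    $key = Get-ItemProperty -Path $runMruPath
    # MRUList holds the single-letter value names in recency order.
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() } else { @() }
    foreach ($letter in $order) {
        $raw = $key.$letter
        if ($null -eq $raw) { continue }
        [pscustomobject]@{
            Slot    = "$letter"
            # Explorer appends "\1" to every stored command; strip it.
            Command = ($raw -replace '\\1$', '')
        }
    }
}

function Test-ClickFixCandidate {
    # Scores one Run-dialog command against the indicator list.
    param([Parameter(Mandatory)][string]$Command)
    $lower = $Command.ToLowerInvariant()
    $hits  = @($suspicious | Where-Object { $lower.Contains($_) })
    [pscustomobject]@{
        Command    = $Command
        Suspicious = ($hits.Count -gt 0)
        Matched    = ($hits -join ',')
    }
}

# Report only the entries that hit an indicator.
Get-RunMruEntries |
    ForEach-Object { Test-ClickFixCandidate -Command $_.Command } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

Run it in the context of the user who was phished, since RunMRU lives under HKCU; a benign host normally shows nothing, while a ClickFix victim typically shows a long one-liner invoking powershell or mshta with an encoded or downloaded payload.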
