When Trust Becomes the Weapon: Inside the ClickFix/MIMICRAT Campaign
ID: bfb68985-4889-5a9e-b15f-80d41e487d5a
STIX ID: report--bfb68985-4889-5a9e-b15f-80d41e487d5a
Feed Name: NoHackie
Elastic Security Labs describes an active, highly sophisticated ClickFix-driven campaign (MIMICRAT) that compromises legitimate websites to trick users into pasting and executing obfuscated PowerShell commands. The resulting five-stage infection chain disables ETW/AMSI, drops an XOR-decrypted Lua loader (zbuild.exe), reflectively loads in-memory Meterpreter-style shellcode, and finally deploys a custom C++ RAT (MIMICRAT) with encrypted HTTPS C2 via CloudFront and broad post-exploitation capabilities. The report includes IOCs, a YARA rule, MITRE ATT&CK mapping, and mitigation recommendations.
