
Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft, and data exfiltration without leaving traces on the disk. The malware establishes persistence via registry keys and communicates with a command and control server on port 4444. The campaign has been active since at least April 2025, primarily affecting German-speaking regions. Mitigation strategies include blocking suspicious PowerShell activity, monitoring registry changes, and implementing in-memory scanning for threats.

OPENCTI LABELS :

fileless,powershell,c2,obfuscation,asyncrat,in-memory execution,clickfix,german-speaking

