Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft, and data exfiltration without leaving traces on the disk. The malware establishes persistence via registry keys and communicates with a command and control server on port 4444. The campaign has been active since at least April 2025, primarily affecting German-speaking regions. Mitigation strategies include blocking suspicious PowerShell activity, monitoring registry changes, and implementing in-memory scanning for threats.
OPENCTI LABELS :
fileless,powershell,c2,obfuscation,asyncrat,in-memory execution,clickfix,german-speaking