Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users

June 16, 2025, 3:24 p.m.

Description

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft, and data exfiltration without leaving traces on the disk. The malware establishes persistence via registry keys and communicates with a command and control server on port 4444. The campaign has been active since at least April 2025, primarily affecting German-speaking regions. Mitigation strategies include blocking suspicious PowerShell activity, monitoring registry changes, and implementing in-memory scanning for threats.
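Added example, not part of the original report: a small correlation rule for the behaviours the description names, flagging a PowerShell process that connects out on port 4444 and writes an autorun registry value. The event schema, host names, addresses and the choice of Run/RunOnce keys are assumptions made for illustration; the report does not name the registry keys used.

```python
from collections import defaultdict

C2_PORT = 4444  # port named in the description
# Assumption: the report does not name the persistence keys; common autorun paths are used.
AUTORUN_MARKERS = (r"\currentversion\run",)  # substring also matches RunOnce
PS_IMAGES = ("powershell.exe", "pwsh.exe")

# Constructed sample events in a hypothetical schema (process, network, registry telemetry).
EVENTS = [
    {"host": "ws-01", "pid": 4120, "kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws-01", "pid": 4120, "kind": "network", "dst_ip": "203.0.113.10", "dst_port": 4444},
    {"host": "ws-01", "pid": 4120, "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue"},
    {"host": "ws-02", "pid": 900, "kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws-02", "pid": 900, "kind": "network", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"host": "ws-03", "pid": 77, "kind": "process", "image": r"C:\Program Files\App\app.exe"},
    {"host": "ws-03", "pid": 77, "kind": "network", "dst_ip": "203.0.113.10", "dst_port": 4444},
]

def correlate(events):
    """Group events by (host, pid) and score PowerShell processes on the report's indicators."""
    procs = defaultdict(lambda: {"powershell": False, "c2_port": False, "autorun_write": False})
    for ev in events:
        state = procs[(ev["host"], ev["pid"])]
        if ev["kind"] == "process":
            state["powershell"] = ev["image"].lower().endswith(PS_IMAGES)
        elif ev["kind"] == "network":
            state["c2_port"] |= ev["dst_port"] == C2_PORT
        elif ev["kind"] == "registry":
            state["autorun_write"] |= any(m in ev["key"].lower() for m in AUTORUN_MARKERS)
    findings = []
    for (host, pid), s in sorted(procs.items()):
        if not s["powershell"]:
            continue  # only PowerShell-hosted activity is in scope for this rule
        hits = [name for name in ("c2_port", "autorun_write") if s[name]]
        if hits:
            # Both signals from one process is the strongest match for the described chain.
            severity = "high" if len(hits) == 2 else "medium"
            findings.append({"host": host, "pid": pid, "severity": severity, "signals": hits})
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Port 4444 alone is a weak signal, which is why the rule only raises severity to high when the same PowerShell process also writes an autorun value.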

Date

  • Created: June 16, 2025, 1:03 p.m.
  • Published: June 16, 2025, 1:03 p.m.
  • Modified: June 16, 2025, 3:24 p.m.

Attack Patterns

Additional Information

  • Germany