Wednesday, April 22, 2026

Cyber Attackers Deploy AsyncRAT via Clickfix Technique Through Fake Verification Prompt

In a recent and highly sophisticated cyberattack campaign, threat actors have executed a stealthy and persistent attack leveraging the notorious AsyncRAT malware.

The campaign explicitly employs a “Clickfix”-style intrusion technique, targeting German-speaking users through a cleverly disguised fake verification prompt.

Security researchers have provided a detailed breakdown of the attack chain, revealing advanced obfuscation and evasion tactics that exploit legitimate Windows tools and in-memory payloads.

Cyber Kill Chain

Fake Verification and Weaponized PowerShell

The operation begins when victims encounter a fraudulent “verification” webpage ostensibly to prove they are not robots.

Upon clicking “I’m not a robot,” users are instructed to execute a command copied to their clipboard.

This command, specifically worded in German with the prompt “Drücke enter um deine Identität zu bestätigen!” (Press enter to confirm your identity!), strategically targets German-speaking individuals.

The copied command launches a PowerShell script stealthily with the help of conhost.exe, a legitimate Windows utility, using arguments such as -w hidden (to hide the window), -nop (no PowerShell profile), and -c (to execute the following command).

This script retrieves a malicious payload from a remote server, decodes it, and executes it, all without dropping files to disk, a hallmark of “fileless” malware.

Technical Deep Dive: Obfuscation, Persistence, and Remote Control

The attack’s technical sophistication is evident in the use of multiple layers of obfuscation.

After downloading and decoding the payload, the script establishes persistence by creating a RunOnce key and a Windows registry key under HKEY_CURRENT_USER (HKCU). This ensures the malware survives reboots and logons.

The payload itself is heavily obfuscated: it assembles fragmented and reversed Base64-encoded strings, which are decoded at runtime to reveal the command-and-control (C2) server address, namoet[.]de:4444.

Using in-memory .NET code loaded via PowerShell’s Add-Type, the malware establishes a persistent TCP connection to this C2 server.

This enables attackers to remotely execute commands, manage processes, and exfiltrate data directly from memory, leaving minimal forensic traces.

Indicators of Compromise (IOCs) include multiple IP addresses (predominantly in the 109.250.xxx.xxx range), the namoet[.]de domain, and specific registry keys used for persistence.

The campaign has been active at least since April 2025, according to infrastructure analysis.

Mitigation and Detection Strategies

Organizations and individuals are urged to implement robust defenses to counter similar attacks. Experts recommend:

  • Blocking suspicious PowerShell executions initiated by conhost.exe using Endpoint Detection and Response (EDR) solutions or AppLocker.
  • Monitoring registry changes to high-risk keys such as HKCU\RunOnce and Windows\win.
  • Scanning memory for in-memory payloads and obfuscated .NET code using YARA rules, as provided by security researchers.
  • Enforcing PowerShell Constrained Language Mode and enabling script logging to detect and block obfuscated code.
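As an added illustration of the first two recommendations (not code from the article or from the researchers' YARA rules), the following Python checks Sysmon-like process-creation and registry-set events for the two behaviours described above: PowerShell launched from conhost.exe with the -w hidden / -nop / -c switches, and writes to the two HKCU persistence keys from the IOC table. The event dictionaries, the SID and the command text are constructed placeholders.

```python
import re

# Registry paths from the article's IOC table (HKCU hive); the hive prefix is ignored when matching.
WATCHED_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win",
)
# PowerShell accepts abbreviated switches (-w == -WindowStyle, -nop == -NoProfile, -c == -Command).
SWITCHES = (
    ("hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("no profile", re.compile(r"(?i)-nop(?:rofile)?\b")),
    ("inline command", re.compile(r"(?i)-c(?:ommand)?\b")),
)

def process_alert(event):
    """Reason string if a process-creation event looks like the ClickFix launcher, else None."""
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")) or not parent.endswith("conhost.exe"):
        return None
    flags = [name for name, rx in SWITCHES if rx.search(event.get("cmdline", ""))]
    # Require at least two of the three switches so an ordinary console launch is not flagged.
    return "powershell spawned by conhost.exe with " + ", ".join(flags) if len(flags) >= 2 else None

def registry_alert(event):
    """Reason string if a registry value-set event touches one of the watched HKCU keys, else None."""
    target = event.get("target_object", "").lower()
    hit = next((k for k in WATCHED_KEYS if target.endswith(k.lower())), None)
    return "write to persistence key " + hit if hit else None

def scan(events):
    """Run both detections over Sysmon-like events (id 1 = process create, id 13 = registry set)."""
    hits = []
    for i, ev in enumerate(events):
        reason = process_alert(ev) if ev.get("id") == 1 else registry_alert(ev) if ev.get("id") == 13 else None
        if reason:
            hits.append((i, reason))
    return hits

# Constructed sample events (not real telemetry from the campaign); SID and command text are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HIVE = r"HKU\S-1-5-21-0-0-0-1001"
SAMPLE_EVENTS = [
    {"id": 1, "image": PS, "parent_image": r"C:\Windows\explorer.exe",            # 0: benign admin use
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"id": 1, "image": PS, "parent_image": r"C:\Windows\System32\conhost.exe",    # 1: ClickFix-style launch
     "cmdline": "powershell -w hidden -nop -c PLACEHOLDER_FOR_OBFUSCATED_COMMAND"},
    {"id": 13, "target_object": HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows"},   # 2
    {"id": 13, "target_object": HIVE + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win"},   # 3
    {"id": 13, "target_object": HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},     # 4: unrelated
]
```

Running scan(SAMPLE_EVENTS) flags events 1, 2 and 3 and leaves the benign console launch and the unrelated Run value untouched; the parent-process check is what separates event 1 from event 0, which uses two of the same switches.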

This campaign highlights the growing trend of using fileless malware and abusing trusted system tools to circumvent traditional security controls.

The use of localized social engineering, further reinforced by linguistic targeting, highlights the importance of user awareness and layered security measures in defending against advanced cyber threats.

IOCs

Indicator Type  | Value                                                     | Use
IP              | 109.250.111[.]155                                         | Clickfix delivery
FQDN            | namoet[.]de                                               | Clickfix / Command & Control server
Port            | 4444                                                      | TCP reverse shell listener port
URL             | hxxp[:]//namoet[.]de:80/x                                 | PowerShell payload
Registry (HKCU) | SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows | RunOnce key ensures persistence on next boot
Registry (HKCU) | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win  | Windows\win holds obfuscated PowerShell command
