VERY IMPORTANT

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft, and data exfiltration without leaving traces on the disk. The malware establishes persistence via registry keys and communicates with a command and control server on port 4444. The campaign has been active since at least April 2025, primarily affecting German-speaking regions. Mitigation strategies include blocking suspicious PowerShell activity, monitoring registry changes, and implementing in-memory scanning for threats.