ClickFix Lure Drops Node.js RAT, Tor C2 on Windows Users

Sarah simpson
April 7, 2026

Key Takeaways

  • A new social engineering campaign, dubbed ClickFix, is deploying a sophisticated Node.js-based Remote Access Trojan (RAT) on Windows systems.
  • The malware establishes a covert communication channel via the Tor network, making C2 infrastructure difficult to trace.
  • This iteration of ClickFix leverages a modular, memory-resident RAT architecture, enhancing its stealth and evasion capabilities.
  • The threat actors operate a Malware-as-a-Service (MaaS) platform, accidentally exposing an administrative panel that revealed extensive operational features.

Windows users are currently facing a new wave of cyberattacks employing a Node.js-based Remote Access Trojan (RAT), distributed through a social engineering tactic known as ClickFix. Attackers manipulate victims with a deceptive browser verification page, compelling them to execute a concealed command that surreptitiously installs the RAT onto their systems.

Once established, the malware communicates with its operators via the Tor network. This obfuscation masks traffic, rendering the attacker’s command-and-control (C2) infrastructure extremely challenging to trace or dismantle, as detailed by Netskope Threat Labs.

Evolution of the ClickFix Campaign

The ClickFix delivery method first gained prominence in early 2025. At that time, threat actors utilized it to distribute established malware families such as LegionLoader and LummaStealer to compromise machines.

The technique involves presenting a fabricated CAPTCHA or identity verification page. Users are then instructed to manually copy and execute a command from their clipboard.

In the most recent campaign, this command initiates a base64-encoded PowerShell script. This script downloads a malicious installer file, named NodeServer-Setup-Full.msi, from a fraudulent domain and proceeds to install it silently in the background, without any visible user prompts.

Researchers at Netskope Threat Labs have extensively monitored this campaign. They highlight that its overall design exhibits a significantly higher level of sophistication compared to previous ClickFix operations.

Advanced Modular RAT Architecture

The RAT itself is constructed upon a modular Node.js framework. This design means that its most potent functionalities are never persistently stored on the victim’s hard drive. Instead, these capabilities are delivered entirely in memory, only after the malware successfully establishes a connection to its C2 server. This approach significantly enhances its ability to bypass conventional security scans.

A particularly concerning aspect of this campaign is the robust criminal infrastructure supporting it. The attackers have developed a Malware-as-a-Service (MaaS) platform, enabling multiple operators to access and deploy the RAT against their own targets.

An operational security lapse by the threat actors inadvertently exposed the server-side administrative panel. This exposure revealed features such as tracking cryptocurrency wallets, managing multiple operators with role-based access controls, pushing custom modules to infected machines, and sending real-time Telegram alerts upon new victim connections.

Furthermore, the malware meticulously profiles each compromised machine. It gathers details including the operating system version, hardware specifications, geographic location, external IP address, and a comprehensive list of active security tools. This fingerprinting process aids operators in determining which victims warrant further exploitation.

The malware actively scans for over 30 antivirus and endpoint security products, including prominent solutions like CrowdStrike, Kaspersky, SentinelOne, and Windows Defender.

How the Infection Persists and Communicates

Upon execution of the MSI installer, the malware extracts its components into the %LOCALAPPDATA%\LogicOptimizer folder. It then establishes a persistence mechanism by registering an entry under the Windows Registry Run key, ensuring automatic startup with each user login.

The malware leverages conhost.exe in headless mode to discreetly launch Node.js, rendering the entire process invisible to the user. This method prevents the appearance of taskbar or window alerts that might raise suspicion and expose the infection.

Before initiating communication with its C2 server, the malware undergoes several layers of decryption, utilizing AES-256-CBC and XOR methods to fully reveal its configuration data. The encryption keys are dynamically reshuffled with every execution, effectively thwarting static analysis attempts by reverse engineers. Once decrypted, the configuration uncovers a .onion Tor hidden service address designated as the C2 server.

To establish this connection, the malware downloads the Tor Expert Bundle directly from the official Tor Project website and creates a SOCKS5 proxy on the local machine. It then connects using gRPC, a streaming protocol facilitating real-time, bidirectional communication between the compromised system and the C2 operator.

All theft modules and commands are transmitted from the server as JavaScript strings, executed within a Node.js sandbox in memory, and are never written to disk. A built-in watchdog process continuously monitors the connection, automatically restarting it if it drops.

What You Should Do

  • Monitor endpoints for unusual Node.js or conhost.exe processes running in unexpected contexts.
  • Inspect network traffic for any anomalous Tor connections or outbound communications to .onion domains.
  • Regularly review Windows Registry Run keys for new or suspicious entries that establish persistence.
  • Configure firewalls and network proxies to block outbound connections to known .onion domains.
  • Implement security policies to flag or block MSI files silently downloaded via PowerShell scripts.
  • Conduct regular user awareness training to educate employees about social engineering tactics, particularly those involving deceptive browser verification pages and instructions to run unfamiliar commands.
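The first three checks above can be scripted for endpoint triage. The following is an added example written for this article, not code from Netskope or the page; it only reads the Run keys, the process list, the staging folder and listening sockets and reports what matches the indicators described in the text (the pattern and the output shape are this example's own assumptions).

```powershell
# Triage for the ClickFix Node.js RAT indicators described above (added example).
# Read-only: it reports findings and changes nothing on the host.
$findings = New-Object System.Collections.Generic.List[object]
# Indicator pattern assumed from the article: node.exe launched via headless
# conhost, the LogicOptimizer staging folder, and a bundled tor.exe.
$pattern = 'node(\.exe)?|conhost(\.exe)?\s.*--headless|LogicOptimizer|tor\.exe'

# 1. Registry Run keys (per-user and machine-wide) that reference the indicators
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath metadata
        if ("$($prop.Value)" -match $pattern) {
            $findings.Add([pscustomobject]@{ Check='RunKey'; Where=$key; Detail="$($prop.Name) = $($prop.Value)" })
        }
    }
}

# 2. node.exe processes whose parent is conhost.exe, or whose command line matches
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '?' }
    $nodeUnderConhost = ($p.Name -ieq 'node.exe') -and ($parentName -ieq 'conhost.exe')
    if ($nodeUnderConhost -or ("$($p.CommandLine)" -match $pattern)) {
        $findings.Add([pscustomobject]@{ Check='Process'; Where="PID $($p.ProcessId) (parent $parentName)"; Detail=$p.CommandLine })
    }
}

# 3. The staging folder named in the article
$staging = Join-Path $env:LOCALAPPDATA 'LogicOptimizer'
if (Test-Path $staging) {
    $findings.Add([pscustomobject]@{ Check='Folder'; Where=$staging; Detail=(Get-ChildItem $staging -Name) -join ', ' })
}

# 4. A local listener owned by tor.exe (the bundled SOCKS5 proxy)
foreach ($c in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    $owner = $byPid[[int]$c.OwningProcess]
    if ($owner -and $owner.Name -ieq 'tor.exe') {
        $findings.Add([pscustomobject]@{ Check='Listener'; Where="$($c.LocalAddress):$($c.LocalPort)"; Detail=$owner.CommandLine })
    }
}

if ($findings.Count -eq 0) { 'No ClickFix/Node.js RAT indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session so HKLM and other users' processes are readable; a hit on any single check warrants collecting the referenced files and the process memory before remediation.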
