A new and sophisticated cyber threat is emerging, targeting Windows users with a deceptive social engineering tactic dubbed “ClickFix.” This method lures victims into executing malicious code via a fake browser verification page, ultimately leading to the installation of a powerful Node.js-based Remote Access Trojan (RAT). The RAT leverages the anonymity of the Tor network for its command and control (C2) communications, making it exceptionally difficult for security professionals to trace or disrupt the attackers’ infrastructure. The ClickFix technique itself first gained prominence in early 2025, when it was used to distribute malware such as LegionLoader and LummaStealer.
The attack chain begins with a deceptive encounter, typically a fake CAPTCHA or identity verification page, prompting the user to manually copy and paste a command into their system’s command line. In this latest manifestation, the executed command deploys a base64-encoded PowerShell script. This script silently downloads and installs a malicious file, identified as NodeServer-Setup-Full.msi, from a compromised domain without any visible user prompts. Researchers at Netskope Threat Labs have been tracking this evolving campaign, highlighting its more advanced and integrated design compared to earlier ClickFix operations.
The core of this threat is its modular Node.js framework. This architectural choice allows the RAT to operate with a significant portion of its dangerous capabilities residing solely in memory. These modules are delivered only after a successful connection to the C2 server is established, effectively allowing the malware to bypass many traditional security scans that rely on detecting malicious files on disk.
A particularly concerning aspect of this campaign is the underlying Malware-as-a-Service (MaaS) platform. This infrastructure appears to be designed for multiple threat actors to access and deploy against their own targets. An operational security misstep by the attackers inadvertently exposed the server-side administration panel, revealing features for managing cryptocurrency wallets, controlling access for different operators, pushing custom modules to infected machines, and receiving real-time Telegram alerts upon new victim connections.
Before launching any targeted attacks, the malware meticulously profiles each compromised machine. It collects detailed information including the operating system version, hardware specifications, geographic location, external IP address, and a comprehensive list of active security software. This information is crucial for the attackers to assess the value of a victim and tailor their subsequent actions. The malware specifically checks for the presence of over 30 different antivirus and endpoint security products, including well-known solutions like CrowdStrike, Kaspersky, SentinelOne, and Windows Defender.
How the Node.js RAT Infection Persists and Communicates
Once the malicious MSI installer is executed, the malware extracts its components into the %LOCALAPPDATA%\LogicOptimizer directory. To ensure persistence, it establishes an entry in the Windows Registry’s Run key, guaranteeing that it automatically launches every time a user logs into their system. The malware employs the conhost.exe process in a headless mode to silently execute Node.js, ensuring the entire operation remains hidden from the user and avoiding any taskbar notifications or pop-up windows that could raise suspicion.
Prior to establishing communication with its C2 server, the malware initiates a multi-stage decryption process. It uses a combination of AES-256-CBC and XOR encryption methods to fully unlock its configuration data. Notably, the encryption keys are dynamically reshuffled with each execution, making static analysis and reverse-engineering of the configuration data by security researchers significantly more challenging. Upon successful decryption, the configuration data reveals a .onion address—a Tor hidden service—as the designated destination for the C2 server.
To connect to this hidden service, the malware downloads the Tor Expert Bundle directly from the official Tor Project website. It then creates a SOCKS5 proxy on the local machine. Communication with the C2 server is facilitated through gRPC, a high-performance RPC framework whose streaming support enables real-time, bidirectional interaction between the infected machine and the remote operator. All commands and data exfiltration modules are transmitted as JavaScript strings originating from the server. These are subsequently executed within a Node.js sandbox environment entirely in memory, meaning they are never written to the hard drive. A built-in watchdog process actively monitors the connection, automatically re-establishing it if it is interrupted.
Given the nature of this threat, security teams are advised to closely monitor endpoints for any unexpected Node.js or conhost.exe processes. Unusual Tor network traffic patterns and the appearance of new entries in the Windows Registry Run keys should also be flagged for investigation. Organizations should consider blocking outbound connections to .onion domains and flagging any silently downloaded MSI files initiated via PowerShell. Continuous user awareness training remains a critical defense layer, as ClickFix attacks fundamentally rely on tricking individuals into executing commands they do not fully understand.
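As an added detection example (not code from the article or from Netskope's research), the following Python classifies constructed Sysmon-style process-creation and registry events against the indicators above. The drop directory, the conhost.exe/Node.js launch, the Run-key persistence and the silent MSI install via encoded PowerShell come from the article; the record field layout, the rule names and every sample value are assumptions made for this example.

```python
import base64
import re
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
DROP_DIR = re.compile(r"(?:\\AppData\\Local|%LOCALAPPDATA%)\\LogicOptimizer\\", re.I)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    # PowerShell -EncodedCommand carries base64 of the UTF-16LE script text; return '' if absent/invalid.
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def classify(event):
    # Names of the rules one event triggers; an empty list means nothing suspicious was seen.
    hits = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    # Node.js started by conhost.exe: the headless launch pattern the article describes.
    if image.endswith("\\node.exe") and parent.endswith("\\conhost.exe"):
        hits.append("node_spawned_by_conhost")
    # Anything executing from, or pointing into, the %LOCALAPPDATA%\LogicOptimizer drop directory.
    if DROP_DIR.search(event.get("Image", "")) or DROP_DIR.search(cmd):
        hits.append("logicoptimizer_drop_dir")
    # Encoded PowerShell whose decoded body installs an MSI silently (/qn or /quiet).
    if image.endswith("\\powershell.exe"):
        plain = decode_encoded_command(cmd).lower()
        if plain and (".msi" in plain or "msiexec" in plain) and ("/qn" in plain or "/quiet" in plain):
            hits.append("encoded_powershell_silent_msi")
    # Run-key value (Sysmon Event ID 13 style fields) that launches Node.js or the drop directory at logon.
    details = event.get("Details", "")
    if RUN_KEY.search(event.get("TargetObject", "")) and ("node" in details.lower() or DROP_DIR.search(details)):
        hits.append("run_key_persistence")
    return hits

# Constructed sample telemetry: field names follow Sysmon Event IDs 1 and 13, all values are made up.
SAMPLE_PLAIN = "msiexec.exe /i $env:TEMP\\NodeServer-Setup-Full.msi /qn"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + base64.b64encode(SAMPLE_PLAIN.encode("utf-16-le")).decode()},
    {"Image": r"C:\Users\alice\AppData\Local\LogicOptimizer\node.exe", "ParentImage": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"node.exe C:\Users\alice\AppData\Local\LogicOptimizer\index.js"},
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\LogicOptimizer",
     "Details": r"C:\Windows\System32\conhost.exe --headless %LOCALAPPDATA%\LogicOptimizer\node.exe"},
    {"Image": r"C:\Program Files\nodejs\node.exe", "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe", "CommandLine": "node.exe build.js"},  # ordinary developer use: must stay clean
]
```

Run `classify` over each record of your own process and registry telemetry exported in this field layout; the last sample shows that legitimate Node.js use by a developer does not trigger any rule.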