Tor-Backed ClickFix Campaign Drops Node.js RAT on Windows

GBHackers On Security, Apr 7, 2026

Why It Matters

The attack demonstrates a new level of modular, fileless malware that evades traditional antivirus and leverages Tor for stealth, raising the risk to Windows users and enterprise defenses.

Key Takeaways

  • ClickFix now delivers Node.js runtime via silent MSI
  • Malware runs in memory, avoiding traditional AV signatures
  • Tor-enabled C2 masks traffic, complicating detection
  • Leaked files reveal a full Malware‑as‑a‑Service platform
  • Attackers profile victims before deploying credential stealers

Pulse Analysis

The resurgence of the ClickFix technique marks a notable evolution in social‑engineering attacks. By embedding a complete Node.js runtime within a silent MSI installer, threat actors bypass the need for external dependencies, making the payload instantly executable on any Windows host. This approach builds on the early‑2025 ClickFix campaigns that spread loaders and stealers, but the shift to a full‑featured remote access Trojan reflects a maturing criminal toolkit aimed at long‑term footholds rather than one‑off data grabs.

Technical evasion is at the core of this operation. The malware adopts a fileless‑like architecture: the initial installer drops only a bootstrap that pulls JavaScript modules from the command‑and‑control server, executing them directly in memory via node.exe. Persistence is achieved through a Registry Run key, while execution is masked behind conhost.exe to blend with legitimate system processes. Communication travels over the Tor network using a local proxy and gRPC, obscuring traffic patterns and thwarting network‑based detection. Such layered stealth makes conventional signature‑based defenses largely ineffective.

Beyond the immediate threat, the leaked MaaS backend signals a broader commoditization of sophisticated malware. Multi‑operator dashboards, automated attack rules, and Telegram alerts indicate an ecosystem where affiliates can launch customized campaigns with minimal technical expertise. Defenders must therefore prioritize behavioral analytics, endpoint detection and response (EDR) solutions that monitor anomalous process trees, and strict network segmentation to limit Tor traffic. Continuous user education on fake CAPTCHA scams remains essential, as the human element continues to be the weakest link in the attack chain.
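The behaviours described above (node.exe launched by a silent MSI, execution hidden behind conhost.exe, a Registry Run key pointing at node.exe, and node.exe talking to a local Tor proxy) are exactly the kind of process-tree and network anomalies the article says EDR should watch for. The following is an added detection sketch written for this page, not code from GBHackers or from the campaign's analysts. The telemetry events, file paths and PIDs are constructed sample data in a generic EDR-style schema; the "conhost.exe as parent of node.exe" rule is an assumption about how the described masking would appear in telemetry, and the Tor SOCKS ports 9050/9150 are the Tor defaults, not values reported on this page.

```python
"""Flag process, registry and network events matching the ClickFix/Node.js RAT
behaviours described in the article.  All events below are constructed sample
telemetry; nothing here is a real indicator from the campaign."""

from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Default Tor SOCKS ports (Tor Browser uses 9150, the daemon 9050).  A campaign
# may configure a different port, so this is one signal among several.
TOR_LOCAL_SOCKS_PORTS = {9050, 9150}

# Constructed sample telemetry: one dict per event.  PIDs 1002/1003 model the
# RAT; PID 2001 models a developer legitimately running Node.js.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1001, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec /i C:\Users\u\Downloads\setup.msi /qn"},
    {"type": "process", "pid": 1002, "image": r"C:\ProgramData\node\node.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"node.exe C:\ProgramData\node\boot.js"},
    {"type": "process", "pid": 1003, "image": r"C:\ProgramData\node\node.exe",
     "parent_image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"node.exe -e <bootstrap>"},
    {"type": "registry", "pid": 1002,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater",
     "value_data": r"C:\ProgramData\node\node.exe C:\ProgramData\node\boot.js"},
    {"type": "network", "pid": 1003, "image": r"C:\ProgramData\node\node.exe",
     "dest_ip": "127.0.0.1", "dest_port": 9050},
    {"type": "process", "pid": 2001, "image": r"C:\Program Files\nodejs\node.exe",
     "parent_image": r"C:\Windows\System32\WindowsTerminal.exe",
     "cmdline": "node server.js"},
    {"type": "network", "pid": 2001, "image": r"C:\Program Files\nodejs\node.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},  # TEST-NET-3 documentation address
]

Finding = Tuple[int, str]  # (pid, reason)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_node_rat_signals(events: Iterable[dict]) -> List[Finding]:
    """Return one finding per event that matches a described RAT behaviour."""
    findings: List[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process" and basename(ev["image"]) == "node.exe":
            parent = basename(ev["parent_image"])
            if parent == "msiexec.exe":
                # Node runtime dropped and started by a (silent) MSI install.
                findings.append((ev["pid"], "node.exe spawned by msiexec.exe"))
            elif parent == "conhost.exe":
                # Assumed telemetry shape of "execution masked behind conhost.exe".
                findings.append((ev["pid"], "node.exe parented by conhost.exe"))
        elif kind == "registry":
            if (ev["key"].lower().endswith(r"\currentversion\run")
                    and "node.exe" in ev["value_data"].lower()):
                findings.append((ev["pid"], "Run key persistence points at node.exe"))
        elif kind == "network" and basename(ev["image"]) == "node.exe":
            if ev["dest_ip"].startswith("127.") and ev["dest_port"] in TOR_LOCAL_SOCKS_PORTS:
                findings.append((ev["pid"], "node.exe connecting to local Tor SOCKS port"))
    return findings


def correlate_by_pid(findings: Iterable[Finding]) -> Dict[int, List[str]]:
    """Group reasons per PID so analysts can triage multi-signal processes first."""
    grouped: Dict[int, List[str]] = defaultdict(list)
    for pid, reason in findings:
        grouped[pid].append(reason)
    return dict(grouped)


if __name__ == "__main__":
    for pid, reasons in sorted(correlate_by_pid(detect_node_rat_signals(SAMPLE_EVENTS)).items()):
        print(f"PID {pid}: {len(reasons)} signal(s)")
        for r in reasons:
            print(f"  - {r}")
```

Run stand-alone, the script reports two signals each for PIDs 1002 and 1003 and nothing for the developer's node.exe (PID 2001), which illustrates the design choice: no single rule keys on node.exe itself, since the runtime is legitimate on many hosts, and the value comes from correlating an unusual parent, a Run key and loopback SOCKS traffic on the same process.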
