Tor-Backed ClickFix Campaign Drops Node.js RAT on Windows
Criminals are leveraging the “ClickFix” scheme, a deceptive tactic that dupes users into engaging with counterfeit CAPTCHA or verification screens. This campaign distributes a sophisticated Node.js-powered Remote Access Trojan (RAT) designed to compromise Windows systems.
Initially surfacing in early 2025, ClickFix manipulates victims into performing actions that silently install malicious software hidden within legitimate-looking setup files.
While prior operations utilized ClickFix to propagate threats like LegionLoader and LummaStealer, this latest effort reveals a significant advancement towards more adaptable, modular malware components.
Netskope Threat Labs reports on a novel ClickFix operation targeting Windows. The attack initiates when a user interacts with a fraudulent CAPTCHA page. Behind the scenes, an encoded PowerShell command executes silently without user interaction.
This command downloads a malicious MSI installer named “NodeServer-Setup-Full.msi” from a spoofed domain and installs it covertly in the background.
The installer bundles a full Node.js runtime, enabling the malware to operate on any Windows device without external dependencies. Following installation, it initiates a hidden script via conhost.exe, evading detection.
Tor-Backed ClickFix Campaign
For persistence, the malware adds itself to the Windows Registry under the Run key, guaranteeing automatic execution upon each system startup.
A CustomAction within the MSI invokes conhost.exe to launch node.exe, which then executes the malicious bootstrap script.

The threat employs a “fileless-like” architecture where core malicious elements aren’t stored on disk. Instead, they are dynamically delivered from the command-and-control (C2) server post-infection. This technique helps evade traditional antivirus tools that rely on static file detection by executing code entirely in memory using Node.js, complicating forensic investigations.
For instance, instead of embedding data-theft functionality within the malware itself, attackers distribute JavaScript modules from the server. These modules execute in a sandboxed environment on the victim’s machine, extracting data dynamically.
To obscure its activities, the malware utilizes the Tor network for C2 communication. It downloads the Tor client, establishes a local proxy, and connects using gRPC—a protocol enabling real-time, bidirectional communication.
This setup allows attackers to send commands and receive stolen data instantly while masking their infrastructure under Tor’s anonymity layer.
Upon connecting, the malware gathers detailed system information, including:
- OS version, hardware specifications, and hostname.
- External IP address and geographic location.
- Installed security tools (checks over 30 antivirus products).
This profiling enables attackers to evaluate a target’s value before deploying additional payloads like credential stealers or cryptocurrency wallet extractors.
OPSEC Failure Exposes MaaS Backend
In an uncommon lapse, researchers discovered an operational security failure by the attackers. This mistake exposed internal protocol files used by the malware’s backend system.
The leaked data revealed a comprehensive malware-as-a-service (MaaS) platform featuring tools such as:
- Multi-operator dashboards.
- Cryptocurrency wallet tracking.
- Remote command execution.
- Telegram alerts for new infections.
- Automated attack rules.
This confirms the campaign is operated not by a single entity but as part of a larger cybercriminal ecosystem offering tools to multiple affiliates.
This campaign underscores a broader shift toward modular, in-memory malware that leaves no disk traces. By combining social engineering, Tor-based communication, and dynamic payload delivery, attackers are significantly increasing the difficulty of detection and analysis.
Netskope researchers emphasize that ClickFix-based attacks are continuing to evolve and remain a significant threat vector for Windows users, particularly those susceptible to fake CAPTCHA scams.