Mocha Manakin Using Paste and Run Technique to Trick Users Into Downloading Malicious Payloads

A sophisticated new threat actor known as Mocha Manakin has emerged in the cybersecurity landscape, employing an increasingly popular social engineering technique called “paste and run” to deceive users into executing malicious scripts on their systems.

This deceptive method has gained significant traction among cybercriminals due to its effectiveness in bypassing traditional security measures and exploiting human psychology rather than technical vulnerabilities.

The paste and run technique, also referred to as Clickfix or fakeCAPTCHA, presents users with seemingly legitimate verification prompts that trick them into believing they need to complete certain steps to access documents, websites, or software installations.

The attack typically involves fake “Fix” or “Verify” buttons that covertly copy obfuscated PowerShell commands to the user’s clipboard, followed by instructions that guide victims through executing these malicious commands.

Red Canary analysts first identified Mocha Manakin activity in January 2025, distinguishing it from other paste and run campaigns through its deployment of a custom NodeJS-based backdoor dubbed NodeInitRAT.

The threat actor has kept adapting its tradecraft, with researchers observing multiple iterations of its attack commands throughout 2025.

What sets Mocha Manakin apart from similar threats is the sophistication of their final payload and the potential for escalation to ransomware attacks.

Red Canary researchers have identified overlaps between Mocha Manakin activity and Interlock ransomware operations, suggesting that successful infections may ultimately lead to more destructive outcomes.

While direct progression to ransomware has not yet been observed, security experts assess with moderate confidence that unmitigated Mocha Manakin activity will likely result in ransomware deployment.

NodeInitRAT: A Custom Backdoor with Advanced Capabilities

The NodeInitRAT payload is a particularly concerning aspect of Mocha Manakin’s operations: it delivers the capabilities of an advanced persistent threat while running on a legitimate NodeJS runtime.

NodeInitRAT Flow (Source: Red Canary)

When successfully executed, the initial PowerShell command downloads a ZIP archive containing a legitimate portable node.exe binary and the malicious NodeInitRAT code, which is then executed by passing the backdoor contents directly through the command line.

The backdoor establishes persistence through Windows Registry run keys, typically named “ChromeUpdater,” ensuring continued access to compromised systems.

NodeInitRAT communications occur over HTTP through Cloudflare tunnels, making detection and blocking more challenging for network security tools.

The malware XOR-encodes and GZIP-compresses its traffic to reduce transfer size and evade cursory inspection, and it performs reconnaissance that includes domain enumeration and privilege escalation attempts.
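The two host artefacts described above, node.exe being fed its code on the command line and a Run key named “ChromeUpdater”, are easy to hunt for in endpoint telemetry. The following detection logic is an added example, not code from Red Canary or from the article; it assumes Sysmon/EDR-style process and registry events as Python dicts, that the inline code reaches node.exe through its -e/--eval (or -p/--print) option, which is how node evaluates code from the command line (the article does not name the switch), and that the vendor install directory is the only trusted location for node.exe. All sample events are constructed.

```python
import re

# Constructed sample telemetry, shaped like process-creation and registry
# value-set events from an EDR/Sysmon feed. None of it comes from the article.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c \"...\""},
    {"type": "process", "parent": "powershell.exe", "image": "node.exe",
     "cmdline": "C:\\Users\\u\\AppData\\Local\\Temp\\node\\node.exe -e \"const h=require('http'); ...\""},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "ChromeUpdater",
     "data": "C:\\Users\\u\\AppData\\Local\\Temp\\node\\node.exe -e \"...\""},
    # Benign: a developer's node server launched from the vendor install path.
    {"type": "process", "parent": "services.exe", "image": "node.exe",
     "cmdline": "C:\\Program Files\\nodejs\\node.exe server.js"},
    # Benign: an ordinary Run key entry.
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "OneDrive",
     "data": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

# node's inline-evaluation switches (-e/--eval, -p/--print) following the binary name.
INLINE_NODE = re.compile(r"\bnode(?:\.exe)?\b.*\s(?:-e|--eval|-p|--print)(?:\s|=)", re.I)
# Assumption: only the vendor install directory counts as a trusted node.exe location.
TRUSTED_NODE_DIRS = ("c:\\program files\\nodejs\\",)


def detect(events):
    """Return (rule_name, event) pairs for events matching the behaviours the article describes."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower() == "node.exe":
            cmd = ev["cmdline"]
            from_trusted = cmd.lower().startswith(TRUSTED_NODE_DIRS)
            # Inline JavaScript handed to a node.exe that lives outside the trusted path.
            if INLINE_NODE.search(cmd) and not from_trusted:
                findings.append(("node_inline_eval_untrusted_path", ev))
        elif ev["type"] == "registry" and ev["key"].lower().endswith("\\currentversion\\run"):
            # Persistence via a Run key that launches node.exe, or uses the reported value name.
            if "node.exe" in ev["data"].lower() or ev["value_name"].lower() == "chromeupdater":
                findings.append(("run_key_launches_node", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, "->", ev.get("cmdline") or ev.get("data"))
```

The path allow-list is deliberately narrow; in a real estate, widen it to wherever node.exe is legitimately deployed before relying on the first rule alone.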
