SOC Prime Bias: Medium

09 Apr 2026 18:30

ClickFix to MaaS: Inside a Modular Windows RAT and Its Control Panel

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Netskope Threat Labs observed a ClickFix campaign delivering a custom Windows RAT built on Node.js via malicious MSI installers. The payload keeps key modules in memory and uses gRPC streaming over Tor for C2. An OPSEC mistake exposed the admin-panel protocol, pointing to a malware-as-a-service model with wallet tracking. Persistence is set via a user-level HKCU Run value.

Investigation

Researchers captured the MSI, decoded the PowerShell bootstrap, and traced dynamic loading of Node.js modules. They extracted and decrypted the configuration blob to recover a .onion C2 address. A leaked admin.proto file revealed MaaS functions such as multi-operator management and wallet monitoring, and analysts noted a self-healing watchdog plus Tor usage for anonymized traffic.

Mitigation

Block unsigned MSI execution from untrusted sources and monitor HKCU…\Run for new, suspicious entries. Detect PowerShell that downloads MSI payloads from domains like cloud-verificate.com. Alert on conhost.exe or node.exe launched with hidden arguments and on tor.exe appearing on endpoints that do not require it.

Response

Isolate affected hosts, collect memory for in-memory module analysis, and remove the HKCU Run persistence. Review %LOCALAPPDATA%\LogicOptimizer for staging artifacts and any scheduled tor.exe activity, then block the onion endpoint and related domains/IPs. Hunt enterprise-wide for the same installer artifacts and process chains.
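The following PowerShell script is an added example, not code from SOC Prime or from the Netskope write-up, that turns the Mitigation and Response guidance above into a single-host triage: it lists HKCU Run values that reference node.exe, tor.exe, a conhost --headless launch or the LogicOptimizer directory, enumerates files under %LOCALAPPDATA%\LogicOptimizer, and flags live tor.exe processes or node.exe/conhost.exe processes with the command-line shape described in this article. The pattern list and the optional -Remediate switch are assumptions made for this example; the script is read-only unless that switch is given.

```powershell
# Added example (not SOC Prime's or Netskope's code): triage the host-level indicators named
# in the Mitigation and Response sections. Read-only unless -Remediate is supplied.
param(
    [switch]$Remediate   # assumption for this example: opt in to deleting matching Run values
)

# Substrings drawn from the artifacts described in the article (constructed pattern list).
$suspiciousPatterns = @('node.exe', 'tor.exe', '--headless', 'LogicOptimizer')

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. HKCU Run values whose data references any suspicious pattern
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        $value = [string]$p.Value
        $hit = $suspiciousPatterns | Where-Object { $value -match [regex]::Escape($_) }
        if ($hit) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Name = $p.Name; Detail = $value }
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $p.Name -Force }
        }
    }
}

# 2. Staging directory named in the Response section
$staging = Join-Path $env:LOCALAPPDATA 'LogicOptimizer'
if (Test-Path $staging) {
    Get-ChildItem -Path $staging -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'StagingFile'; Name = $_.Name; Detail = $_.FullName }
    }
}

# 3. Live processes: any tor.exe, or node.exe/conhost.exe with a headless/bootstrap command line
Get-CimInstance Win32_Process | ForEach-Object {
    $cmd            = [string]$_.CommandLine
    $isTor          = $_.Name -ieq 'tor.exe'
    $isHeadlessNode = ($_.Name -in @('node.exe', 'conhost.exe')) -and ($cmd -match '--headless|bootstrap\.js')
    if ($isTor -or $isHeadlessNode) {
        $findings += [pscustomobject]@{ Type = 'Process'; Name = "$($_.Name) (PID $($_.ProcessId))"; Detail = $cmd }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No indicators from this article found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it without -Remediate first so the Run value and its data are recorded before removal; memory should be collected before the processes in section 3 are stopped, since the RAT keeps its modules in memory.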

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#cccccc
        classDef process fill:#ccffcc

        %% Nodes
        action_user_exec["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b><br/>Victim clicks malicious link that launches PowerShell"]
        class action_user_exec action
        process_powershell_cmd["<b>Process</b> – <b>T1059.001 PowerShell</b><br/>Base64-encoded command downloads MSI installer"]
        class process_powershell_cmd process
        action_msi_install["<b>Action</b> – <b>T1546.016 Installer Packages</b><br/>Silent MSI installation stages Node.js runtime"]
        class action_msi_install action
        tool_msiexec["<b>Tool</b> – <b>Name</b>: msiexec.exe<br/><b>Technique</b>: T1218.007 System Binary Proxy Execution"]
        class tool_msiexec tool
        action_persistence["<b>Action</b> – <b>T1037.001 Logon Script (Run key)</b><br/>Writes HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence"]
        class action_persistence action
        tool_tor["<b>Tool</b> – <b>Name</b>: tor.exe<br/><b>Technique</b>: T1090.002 External Proxy"]
        class tool_tor tool
        action_tor_proxy["<b>Action</b> – <b>T1090.003 Multi-hop Proxy</b><br/>Routes C2 traffic through Tor SOCKS5 proxy"]
        class action_tor_proxy action
        action_grpc_comm["<b>Action</b> – <b>T1102.002 Web Service: gRPC bidirectional streaming</b><br/>Communicates with .onion C2 server"]
        class action_grpc_comm action
        action_encrypted_channel["<b>Action</b> – <b>T1573 Encrypted Channel</b><br/>Encrypts configuration and payload with AES-256-CBC or XOR"]
        class action_encrypted_channel action
        action_collection["<b>Action</b> – <b>T1592.* Victim Host Information</b><br/>Collects hardware, software, firmware, and network configuration data"]
        class action_collection action
        action_archive["<b>Action</b> – <b>T1560.003 Archive via Custom Method</b><br/>Multi-layer encryption with random field names"]
        class action_archive action
        action_config_repo["<b>Action</b> – <b>T1602 Data from Configuration Repository</b><br/>Decrypted config reveals C2 onion address, port, operator ID, campaign tag"]
        class action_config_repo action
        action_dynamic_resolution["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Resolves .onion address at runtime via Tor proxy"]
        class action_dynamic_resolution action
        action_ip_discovery["<b>Action</b> – <b>T1016.001 Internet Connection Discovery</b><br/>Obtains external IP from an online service"]
        class action_ip_discovery action

        %% Edges
        action_user_exec -->|triggers| process_powershell_cmd
        process_powershell_cmd -->|downloads| action_msi_install
        action_msi_install -->|uses| tool_msiexec
        action_msi_install -->|enables| action_persistence
        action_persistence -->|downloads| tool_tor
        tool_tor -->|enables| action_tor_proxy
        action_tor_proxy -->|routes| action_grpc_comm
        action_grpc_comm -->|encrypted via| action_encrypted_channel
        action_encrypted_channel -->|carries| action_collection
        action_collection -->|archives| action_archive
        action_archive -->|stores config in| action_config_repo
        action_config_repo -->|provides| action_dynamic_resolution
        action_dynamic_resolution -->|connects to| action_ip_discovery
        action_collection -->|discovers| action_ip_discovery

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Objective: The attacker wants to bootstrap a malicious Node.js payload (bootstrap.js) without raising suspicion.
    2. Method: Use a signed Windows binary (conhost.exe) as a proxy to launch node.exe in headless mode, passing the bootstrap script as an argument.
    3. Steps:
      • Drop a malicious bootstrap.js into a writable directory (e.g., %TEMP%).
      • Invoke conhost.exe with the exact argument string that the rule watches for.
      • The command runs under the context of the current user, mimicking a legitimate process spawn.
    # 1. Drop the bootstrap.js stand-in (harmless placeholder content for the test)
    $bootstrapPath = "$env:TEMP\bootstrap.js"
    Set-Content -Path $bootstrapPath -Value "// malicious bootstrap placeholder"
    
    # 2. Execute conhost.exe to spawn node.exe with the argument string the rule watches for
    #    ($argList is used instead of $args, which is a PowerShell automatic variable)
    $conhost = "$env:windir\system32\conhost.exe"
    $argList = '--headless "node.exe" "bootstrap.js"'
    Start-Process -FilePath $conhost -ArgumentList $argList -WorkingDirectory $env:TEMP
  • Regression Test Script:

    # -------------------------------------------------
    # Regression Test: Trigger Conhost → Node Bootstrap
    # -------------------------------------------------
    # Ensure Sysmon is running and logging ProcessCreate events.
    
    # Drop a dummy bootstrap script
    $bootstrap = "$env:TEMP\bootstrap.js"
    Set-Content -Path $bootstrap -Value "// test bootstrap content"
    
    # Define the exact command line the detection rule looks for
    $conhostPath = "$env:windir\system32\conhost.exe"
    $cmdLine = '--headless "node.exe" "bootstrap.js"'
    
    # Launch conhost with the malicious-looking arguments
    Start-Process -FilePath $conhostPath -ArgumentList $cmdLine -WorkingDirectory $env:TEMP
    
    Write-Host "Simulation completed – check SIEM for alert."
  • Cleanup Commands:

    # Stop any lingering node or conhost processes launched by the test
    Get-Process -Name node, conhost -ErrorAction SilentlyContinue | Stop-Process -Force
    
    # Remove the temporary bootstrap script
    Remove-Item -Path "$env:TEMP\bootstrap.js" -Force -ErrorAction SilentlyContinue
    
    Write-Host "Cleanup finished."
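Before checking the SIEM, it helps to confirm on the test host itself that Sysmon actually recorded the ProcessCreate event the rule depends on. The script below is an added example, not part of SOC Prime's simulation package: it reads recent Sysmon Event ID 1 records from the local Operational log, extracts the named EventData fields from the event XML, and applies the same conhost.exe / --headless / node.exe conditions the regression test is meant to trigger. It assumes Sysmon is installed with process-creation logging enabled and that it is run in an elevated session; the 15-minute lookback window is an assumption.

```powershell
# Added example (not SOC Prime's code): confirm locally that the simulation produced the
# Sysmon ProcessCreate (Event ID 1) telemetry the detection expects. Run as Administrator.
$since  = (Get-Date).AddMinutes(-15)   # assumed lookback window
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read named fields from the EventData XML instead of relying on property ordering
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Image       = $data['Image']
        CommandLine = $data['CommandLine']
        ParentImage = $data['ParentImage']
        User        = $data['User']
    }
}

# Same process shape the regression test generates: conhost.exe with --headless and node.exe
# ($hits is used rather than $matches, which PowerShell reserves for -match results)
$hits = $events | Where-Object {
    $_.Image -like '*\conhost.exe' -and
    $_.CommandLine -match '--headless' -and
    $_.CommandLine -match 'node\.exe'
}

if (-not $hits) {
    Write-Host "No matching Sysmon ProcessCreate event since $since - check that Sysmon is running and that its config does not exclude conhost.exe."
} else {
    $hits | Format-List Time, Image, CommandLine, ParentImage, User
}
```

If the event is present locally but no alert fired, the gap is in log forwarding or rule logic rather than in endpoint telemetry, which narrows the troubleshooting considerably.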