Netskope Threat Labs has uncovered a sophisticated new ClickFix campaign targeting Windows users with a high-quality, custom-built infostealer. This campaign represents a significant shift in the threat landscape, moving toward “binary-less” execution and highly adaptable remote access capabilities.
The attack begins when a user interacts with a fake CAPTCHA, triggering a background PowerShell command. This command silently downloads and installs a malicious MSI package, NodeServer-Setup-Full.msi, into the user’s local app data folder without any visible prompts.
To ensure the malware runs on any system, the installer “bundles a complete Node.js runtime and all required dependencies,” making it entirely self-contained. Once staged, the malware registers itself in the Windows Registry to “ensure that the payload is automatically triggered every time the user logs into the system”.
What sets this malware apart is its modular architecture. To minimize its forensic footprint, the “core stealing modules and communication protocols are never stored on the victim’s disk”. Instead, the C2 server sends JavaScript code as strings, which are then “delivered in-memory only after a successful C2 connection is established”.
The malware executes this code within a Node.js VM sandbox, allowing the attackers to “send arbitrary JavaScript to manipulate the file system, interact with network resources, or harvest credentials”.
For its Command-and-Control (C2) operations, the malware uses a sophisticated mechanism that routes bidirectional gRPC streaming traffic over the Tor network.
- Stealth: It downloads the Tor Expert Bundle to create a SOCKS5 proxy on the local machine.
- Speed: The use of gRPC “enables bidirectional streaming communication,” allowing the server to push commands in real time while the victim streams results back.
- Fingerprinting: Before deployment, the malware scans for 30+ antivirus products, including Windows Defender, CrowdStrike, and Kaspersky, to “assess the victim’s value and security posture”.
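The stages above (browser-spawned PowerShell, silent MSI install into %LOCALAPPDATA%, a bundled Node.js runtime executing from there, and that runtime starting Tor as its local SOCKS5 proxy) line up into a host-level detection. The sketch below is an added example, not Netskope's code; the event records, user name and install directory are constructed, and the `/quiet` flag and browser names are assumptions, not details from the report.

```python
# Added detection sketch (not Netskope's code) for the chain described above: a browser
# spawning PowerShell, a silent MSI install under %LOCALAPPDATA%, a Node.js runtime
# running from there, and that runtime starting Tor as its local SOCKS5 proxy.
import re

LOCALAPPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

def _image_is(event, exe):
    return event["image"].lower().endswith("\\" + exe)

# (stage name, predicate over one process-creation event); one stage per article claim
STAGES = [
    ("powershell spawned by a browser (fake-CAPTCHA ClickFix step)",
     lambda e: _image_is(e, "powershell.exe") and e["parent"].lower() in BROWSERS),
    ("silent msiexec install of an MSI located under %LOCALAPPDATA%",
     lambda e: _image_is(e, "msiexec.exe")
               and re.search(r"\s/(q|qn|quiet)\b", e["cmdline"], re.IGNORECASE) is not None
               and LOCALAPPDATA.search(e["cmdline"]) is not None),
    ("node.exe executing from %LOCALAPPDATA% (bundled Node.js runtime)",
     lambda e: _image_is(e, "node.exe") and LOCALAPPDATA.search(e["image"]) is not None),
    ("tor.exe started by node.exe (Tor Expert Bundle as local SOCKS5 proxy)",
     lambda e: _image_is(e, "tor.exe") and e["parent"].lower() == "node.exe"),
]

def matched_stages(events):
    """Return the distinct stage names hit, in first-seen order."""
    hits = []
    for event in events:
        hits += [name for name, pred in STAGES if name not in hits and pred(event)]
    return hits

def is_clickfix_node_chain(events, min_stages=3):
    """Alert when at least min_stages of the four stages are seen on one host."""
    return len(matched_stages(events)) >= min_stages

SAMPLE_EVENTS = [  # constructed Sysmon-like records, not data from the report
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "chrome.exe", "cmdline": "powershell -w hidden -c <redacted>"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": "powershell.exe",
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Local\NodeServer-Setup-Full.msi /quiet"},
    {"image": r"C:\Users\alice\AppData\Local\NodeServer\node.exe",
     "parent": "explorer.exe", "cmdline": "node.exe app.js"},
    {"image": r"C:\Users\alice\AppData\Local\NodeServer\tor\tor.exe",
     "parent": "node.exe", "cmdline": "tor.exe"},
]

if __name__ == "__main__":
    print("\n".join("[+] " + s for s in matched_stages(SAMPLE_EVENTS)))
    print("chain detected:", is_clickfix_node_chain(SAMPLE_EVENTS))
```

Requiring three of the four stages keeps a lone developer's Node.js install or a single silent MSI from firing the alert on its own.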
In a massive Operational Security (OPSEC) failure, the threat actors accidentally included a file named admin.proto in an update package sent to infected machines. This leaked file provided researchers with a rare, detailed look at the attacker’s management interface and backend logic.
The findings confirm a mature Malware-as-a-Service (MaaS) operation:
- Multi-Operator Support: The backend manages multiple “operators” with role-based access control and specific campaign tags.
- Cryptocurrency Focus: The infrastructure includes “built-in wallet tracking and external balance checking features,” showing the service is explicitly designed for cryptocurrency theft.
- Automation: Real-time notifications are sent via a Telegram bot whenever a new victim is infected.
This campaign demonstrates that the ClickFix delivery vector is evolving to support versatile remote execution engines. By combining “binary-less” execution with Tor-masked communications, these actors have built a resilient infrastructure capable of evading traditional static signatures and providing full Remote Access Trojan (RAT) functionality.