
Red Canary has unveiled a new adversary cluster it’s been tracking since early 2025: Mocha Manakin. Named after its peculiar behavior and distinct tooling, this group has become notorious for its use of a highly deceptive “paste and run” technique to compromise user systems and deploy a custom NodeJS-based Remote Access Trojan dubbed NodeInitRAT.
Mocha Manakin exploits a growing social engineering trend where users are tricked into copying and pasting obfuscated PowerShell commands from websites or pop-ups claiming to “verify” their access or fix an issue.
There are two primary flavors of this technique:
- Fix Access: Users are prompted to “fix” their ability to open a document or install software.
- Fake CAPTCHA: Victims are asked to “prove they’re human,” leading them through bogus verification steps.
“Once the users interact with the Fix or Verify button… a PowerShell command is copied to the clipboard and the user is instructed to paste and run it,” the report explains.
This copied command reaches out to attacker infrastructure and downloads the initial payload.
Unlike commodity info-stealers, Mocha Manakin delivers a custom NodeJS RAT using a clever loader:
- The PowerShell command downloads a ZIP archive containing a legitimate node.exe binary
- It then executes NodeInitRAT by passing the malicious JavaScript to node.exe directly on the command line, so the RAT runs inside a legitimately signed process
Once on the system, NodeInitRAT:
- Establishes persistence using a registry key disguised as “ChromeUpdater”
- Conducts reconnaissance using tools like nltest, net.exe, and arp.exe
- Communicates via Cloudflare tunnels using HTTP POST requests to endpoints like /init1234
- Uses XOR encoding and GZIP compression to obfuscate traffic and reduce visibility
“The communications occur via HTTP POST requests… commonly using Cloudflare tunnels as intermediary infrastructure.”
Red Canary assesses with moderate confidence that Mocha Manakin activity could evolve into full ransomware deployment. As reported by Sekoia.io, the group shares infrastructure and techniques with Interlock ransomware operators:
- Shared use of paste-and-run for initial access
- Reuse of the NodeInitRAT payload
- Similar infrastructure domains (e.g., trycloudflare[.]com)
“We assess with moderate confidence that unmitigated Mocha Manakin activity will likely lead to ransomware.”