Mocha Manakin Deploys NodeInitRAT

A threat actor known as Mocha Manakin, active since January 2025, is conducting targeted cyber operations using paste-and-run scripting techniques to deploy NodeInitRAT, a Node.js-based backdoor. The campaign focuses on achieving system persistence and reconnaissance without raising alarms. Mocha Manakin’s infrastructure and tactics suggest links to the Interlock ransomware group, though no encryption activity has been confirmed to date. The operation uses Cloudflare Tunnels for command-and-control (C2), allowing traffic to bypass conventional detection. Victims are tricked into running malicious PowerShell code, which downloads additional payloads like LummaC2. NodeInitRAT enables network mapping and supports further malware staging, posing a significant threat despite no current ransomware payloads.

Technical Description

Mocha Manakin, first tracked in early 2025, has emerged as a sophisticated threat actor employing a social engineering technique known as “paste-and-run” to initiate attacks. This method deceives users into copying and executing obfuscated PowerShell commands under the pretense of fixing access issues or completing a CAPTCHA verification. Upon execution, these commands typically fetch a ZIP archive via a Cloudflare Tunnel domain, containing a legitimate Node.js binary (node.exe) bundled with a malicious JavaScript payload. The script is then executed through the command line, launching the custom malware known as NodeInitRAT.

NodeInitRAT is a lightweight but capable Node.js-based remote access trojan designed to provide persistence, reconnaissance, and post-exploitation capabilities. It achieves persistence by adding itself to the Windows Registry Run key, often masquerading under names like “ChromeUpdater.” Once embedded, the RAT begins system and network reconnaissance, using built-in commands like arp -a, tasklist, nltest, and net user /domain to enumerate domain infrastructure and local host configurations. It also probes for trust relationships and collects service principal names using setspn.exe, indicating an awareness of Active Directory environments.

In terms of communication, NodeInitRAT uses HTTP to exchange commands with attacker-controlled infrastructure. It leverages Cloudflare Tunnels (trycloudflare.com) to mask outbound traffic, routing C2 communications through seemingly legitimate web traffic, which helps bypass traditional perimeter defenses. These HTTP communications are XOR-encoded and gzip-compressed for additional obfuscation. Furthermore, the RAT can download and execute additional payloads such as EXEs, DLLs, or JavaScript files, some of which are disguised with misleading file extensions like .log to evade detection. Execution of DLLs is often handled through rundll32.exe, and arbitrary command execution is achieved via cmd.exe, allowing attackers flexible control over compromised systems.

NodeInitRAT’s deployment has shown significant overlap with Interlock ransomware campaigns, sharing both infrastructure and initial access vectors. Although no active ransomware payloads have been observed in Mocha Manakin campaigns as of May 2025, analysts believe there is a high likelihood that this backdoor serves as a precursor to ransomware deployment, given the similarities in tooling and execution flow. The use of a legitimate Node.js binary, script obfuscation, encrypted communications, and evasive delivery methods makes Mocha Manakin’s operations particularly challenging to detect. Organizations are encouraged to monitor for suspicious clipboard activity, unexpected PowerShell executions, unknown node.exe processes, and outbound traffic to dynamic Cloudflare Tunnel domains, as these are indicative of this emerging and potentially high-impact threat.

Impact

While encryption-based attacks have not occurred, the campaign still presents high risk due to its emphasis on stealth, internal mapping, and payload delivery. The use of trusted scripting tools like PowerShell and Node.js makes this campaign difficult to detect using traditional signature-based methods.

Organizations may face credential theft, lateral movement within networks, or eventual ransomware deployment if activities escalate. Security professionals must pay attention to registry edits linked to Node.js, unexpected outbound connections to Cloudflare Tunnels, and obfuscated PowerShell commands that could signal paste-and-run behavior.

IOC and Context Details

Topics                  Details
Tactic Name             Persistence, Internal Reconnaissance, Payload Delivery
Technique Name          Paste-and-Run Execution, Cloud Tunnel-Based C2, Node.js Backdoors
Sub-Technique Name      Registry Key Abuse; PowerShell Scripting; Encrypted Traffic via Tunnels
Attack Type             Unauthorized Access, Credential Harvesting, Command Execution
Targeted Applications   PowerShell; Node.js; Cloudflare Tunnels; Windows Registry
Region Impacted         Global
Industry Impacted       All
IOCs                    NA
CVE                     NA

Recommended Actions

  • Enable Behavioral Monitoring for Scripts: Implement advanced detection for PowerShell and Node.js usage anomalies, including registry persistence tactics.
  • Block Unauthorized Tunnel Services: Monitor and restrict outbound traffic to Cloudflare Tunnels and similar tunneling mechanisms where not explicitly needed.
  • User Awareness Training: Educate employees on risks of executing code snippets from unknown sources or public paste sites.
  • Harden Endpoints and Network Segmentation: Use EDR to track lateral movement, privilege escalation, and remote command execution linked to NodeInitRAT.
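As an added example (not code from the Red Canary report or from this advisory), the following Python applies the indicators from the technical description and the recommended actions to constructed Sysmon-style records: hidden or encoded PowerShell launches, node.exe running from an unexpected directory, reconnaissance commands spawned by node.exe, a Run key pointing at node.exe, and egress to trycloudflare.com. The sample records, the SID, and the trusted node.exe directory allow-list are assumptions made for the example.

```python
import re

# Constructed Sysmon-style telemetry (ids: 1 process create, 3 network connect, 13 registry set).
# Sample records written for this example, not captures from the campaign.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\node.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "node.exe init.js"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\node.exe", "cmdline": "cmd.exe /c nltest /domain_trusts"},
    {"id": 13, "key": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater",
     "value": r"C:\Users\bob\AppData\Local\Temp\node.exe C:\Users\bob\AppData\Local\Temp\init.js"},
    {"id": 3, "image": r"C:\Users\bob\AppData\Local\Temp\node.exe",
     "dest_host": "sample-tunnel-name.trycloudflare.com", "dest_port": 443},
    {"id": 1, "image": r"C:\Program Files\nodejs\node.exe",  # benign developer install, should not fire
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "node.exe server.js"},
]

RECON = ("arp -a", "tasklist", "nltest", "net user /domain", "setspn")  # commands named in the report
TRUSTED_NODE_DIRS = ("c:\\program files\\nodejs\\",)  # assumed allow-list for legitimate node.exe installs
PASTE_AND_RUN = re.compile(r"-(e|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden", re.I)

def check_event(ev):
    """Return the names of the detection rules that fire for one telemetry record."""
    hits = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if ev["id"] == 1:
        if image.endswith("powershell.exe") and PASTE_AND_RUN.search(ev["cmdline"]):
            hits.append("powershell_hidden_or_encoded")
        if image.endswith("node.exe") and not image.startswith(TRUSTED_NODE_DIRS):
            hits.append("node_exe_unusual_path")
        if parent.endswith("node.exe") and any(c in ev["cmdline"].lower() for c in RECON):
            hits.append("recon_spawned_by_node")
    elif ev["id"] == 13:
        if "\\currentversion\\run\\" in ev["key"].lower() and "node.exe" in ev["value"].lower():
            hits.append("run_key_points_to_node")
    elif ev["id"] == 3:
        if ev["dest_host"].lower().endswith(".trycloudflare.com"):
            hits.append("egress_to_trycloudflare")
    return hits

def scan(events):
    # Map each firing rule to the records that triggered it, so an analyst can pivot per rule.
    findings = {}
    for ev in events:
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(ev)
    return findings
```

Any single rule firing is a lead; several firing on the same host within a short window is the chain the report describes and should be escalated.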

References

https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/