From ClickFix to MaaS: Exposing a Modular Windows RAT and Its Admin Panel
ID: 27e05b2a-5cc6-53ab-b5f8-49a3019ca39e
STIX ID: report--27e05b2a-5cc6-53ab-b5f8-49a3019ca39e
Feed Name: Netskope Threat Labs
Netskope Threat Labs documents an active ClickFix campaign that delivers a modular Node.js infostealer/RAT through malicious MSI installers bundling a Node runtime. The malware achieves persistence, decrypts a shuffled configuration to connect to a .onion gRPC C2 over Tor, and loads its stealing modules in memory, avoiding disk artifacts. A leaked admin.proto reveals the mature malware-as-a-service infrastructure behind it, which is focused on cryptocurrency wallet theft.
