New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto

Summary

Netskope Threat Labs uncovered a professional Malware-as-a-Service (MaaS) operation called ClickFix that tricks Windows users via fake CAPTCHA prompts into downloading a Node.js-based Remote Access Trojan (RAT). The malware uses Tor for C2 communication, stays hidden in memory, and targets cryptocurrency wallets by checking for 30+ security products before executing theft operations. Researchers discovered the attackers' exposed admin panel, revealing the use of gRPC protocol for real-time wallet tracking and Telegram-based alerts to affiliate scammers.

Full text

Security Malware Scams and FraudNew ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto Netskope Threat Labs report a new ClickFix attack using fake CAPTCHAs to deploy Tor-backed NodeJS malware and drain crypto wallets on Windows. byDeeba AhmedApril 8, 20262 minute read We’ve all done it- clicked a box to prove we’re not a robot without thinking twice. But according to the latest research from Netskope Threat Labs, that split-second habit is exactly what scammers are banking on. This operation, known as a ClickFix attack campaign, has been spreading rapidly since early 2025. While ClickFix refers to the deceptive technique used to trick you, this campaign is a professional setup specifically designed to drain cryptocurrency from Windows users. How the Trap is Set It starts with a fake CAPTCHA. When you click, you aren’t verifying anything; instead, a hidden PowerShell command triggers in the background. It happens so fast that most victims have no idea their machine just reached out to cloud-verificatecom to grab a file called NodeServer-Setup-Full.msi. This isn’t just a simple virus; it’s a Remote Access Trojan (RAT). It works so well because it includes its own Node.js runtime, a built-in engine that lets the malware run on any Windows PC without needing other software. To stay hidden, it immediately uses the Tor network to mask its traffic, installs itself into a folder called LogicOptimizer, and digs into the Windows Registry to ensure it launches every time you turn on your computer. A Ghost in the Memory What’s really worrying is how this software hides. Built on a NodeJS framework, it is modular, which means the most dangerous parts of the code never actually touch your hard drive because attackers steal modules dynamically from their server only when they are ready to strike. These stay in the computer’s temporary memory, making them nearly invisible to standard scans. Before it starts stealing, the malware performs a ‘fingerprint’ check to scan your system. It checks your Windows version, CPU type, and available RAM. It even looks for over 30 security products, including Windows Defender, Kaspersky, Norton, and McAfee. If the computer looks too well-protected, the malware stays quiet to avoid detection. “This architecture confirms the malware is both an infostealer and a RAT, the C2 capabilities documented in support.proto can execute arbitrary code, manipulate files, and run system commands,” the blog post reads. Screenshot via Netskope Threat Lab The Crime Factory Exposed Researchers noted that this isn’t the work of a lone hacker but a Malware-as-a-Service (MaaS) operation, which is a professional business in which scammers rent a toolkit to launch their own attacks. The Netskope team caught a massive break when the attackers made an OPSEC failure, leaving their admin panel exposed. Recovered files like support.proto and admin.proto provided researchers with a structural map of the backend, revealing that the hackers use a protocol called gRPC to communicate with the infected computer in real-time. This allows the affiliate groups, the individual scammers who rent this technology, to use Tor-based communication to instantly track cryptocurrency wallets and send success alerts to their own Telegram channels. Nevertheless, these scammers are professional and experts at staying anonymous. Therefore, as a precautionary measure, if a verification box feels even slightly off, close the tab to protect your crypto wallet. Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. View Posts ClickFixCryptoCyber AttackCybersecurityMalwareNode.jsRATTorWindows Leave a Reply Cancel reply View Comments (0) Related Posts Security iPhone Technology A $500 Device can Crack iPhone 6 and 7 Passcodes within Minutes If you remember the FBI paid millions of dollars to Israeli firm Cellebrite to unlock San Bernardino gunman’s iPhone. Now,… byUzair Amir Hacking News Security Password manager “OneLogin” hacked; data stolen OneLogin, Inc., the developers of single sign-on and identity management for cloud-based applications has announced that its servers… byWaqas Security Cloudflare’s recent 502 Bad Gateway outage blamed on bad software (Updated) If you are visiting a website and it is displaying “502 Bad Gateway” error it is not your… byWaqas Hacking News Leaks Security HBO Hacked – Upcoming Game of Thrones Episodes and Data Leaked If you are a fan of Game of Thrones here is a shocking news for you – Home… byCarolina

Indicators of Compromise

• malware — NodeServer-Setup-Full.msi
• malware — LogicOptimizer
• malware — ClickFix

Entities