New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto

ClickFix is a professional MaaS operation delivering Node.js-based RAT through fake CAPTCHA prompts on Windows systems. The malware uses Tor for C2, hides in memory, and targets crypto wallets after checking for 30+ security products. This is a high-volume social engineering attack with real theft operations already underway.

CRITICALAdvisoryApr 08, 2026

Action required

Hunt for Node.js processes spawned from browser or download directories, Tor traffic from endpoints, and gRPC connections to unknown hosts. Block known ClickFix C2 IPs and domains. Check for suspicious legitimate tool execution (Node.js, npm, curl) used as infection chains.

Affected products

NetskopeWindows Defender

Linked articles

New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto

Source links

https://hackread.com/clickfix-attack-node-js-malware-tor-steal-crypto/