[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:new-clickfix-attack-uses-node-js-malware-via-tor-to-steal-crypto-mnq4jb72":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":12,"action_required":15,"article_ids":16,"ioc_summary":18,"source_urls":19,"status":21,"expires_at":22,"created_at":23,"updated_at":24,"articles":25},"27267719-8b6d-4d3e-ad50-35281297692f","New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto","new-clickfix-attack-uses-node-js-malware-via-tor-to-steal-crypto-mnq4jb72","ClickFix is a professional MaaS operation delivering a Node.js-based RAT through fake CAPTCHA prompts on Windows systems. The malware uses Tor for C2, hides in memory, and targets crypto wallets after checking for 30+ security products. This is a high-volume social engineering attack with real theft operations already underway.","critical","advisory",[],[13,14],"Netskope","Windows Defender","Hunt for Node.js processes spawned from browser or download directories, Tor traffic from endpoints, and gRPC connections to unknown hosts. Block known ClickFix C2 IPs and domains. Check for suspicious execution of legitimate tools (Node.js, npm, curl) used as part of the infection chain.",[17],"20f93690-2c1e-4e41-b3d6-2bd56f3942a1",null,[20],"https:\u002F\u002Fhackread.com\u002Fclickfix-attack-node-js-malware-tor-steal-crypto\u002F","archived","2026-04-10T14:09:00.77+00:00","2026-04-08T14:09:04.203758+00:00","2026-04-10T14:09:20.855454+00:00",[26],{"id":17,"title":6,"url":20}]