Node.js Malware Delivered via Fake CAPTCHAs Drains Crypto Wallets in ClickFix Attack
What Happened – Netskope Threat Labs uncovered a new “ClickFix” campaign that serves malicious Node.js payloads through fake CAPTCHA challenges. The payload routes traffic through Tor, installs a Windows‑compatible miner, and silently siphons cryptocurrency from compromised wallets.
Why It Matters for TPRM –
- The attack leverages a familiar web interaction (a CAPTCHA challenge) to compromise third‑party users. The fake CAPTCHA is an attacker‑controlled lure page that imitates a real challenge, not a compromised CAPTCHA vendor, so the exposure comes from users who are conditioned to follow CAPTCHA instructions and from any organization that lets those users handle its data or assets.
- The use of Tor obscures command‑and‑control, making detection and attribution difficult for downstream vendors.
- Crypto‑theft malware can lead to financial loss and reputational damage for partners handling digital assets.
Who Is Affected – Financial services (crypto exchanges, wallet providers), SaaS platforms whose users routinely solve CAPTCHA challenges and can be lured to look‑alike pages, and any enterprise with Windows endpoints handling crypto transactions.
Recommended Actions –
- Review any third‑party CAPTCHA or anti‑bot services for security hygiene and supply‑chain risk, and remind users that a legitimate CAPTCHA never asks them to copy a command and run it on their machine (that copy‑and‑run step is what the "ClickFix" name refers to).
- Enforce strict endpoint protection on Windows machines, including behavior‑based detection for Node.js binaries: node.exe launched from user‑writable paths (AppData, Temp, Downloads), spawned by explorer.exe or a shell rather than a developer tool, or passed inline code with -e/--eval.
- Monitor network traffic for Tor connections from corporate assets and implement egress filtering. Match on the default Tor ports (9001, 9030, 9050, 9051, 9150, 9151) and on a Tor relay list, since many relays listen on 443 and are invisible to port‑only rules.
Technical Notes – The attack vector is a phishing‑style fake CAPTCHA that leads to the download of a Node.js runtime and script presented as a legitimate web component. The malware establishes a Tor tunnel to hide C2, installs a cryptominer, and separately steals funds from wallets via exposed private keys or compromised wallet software (the miner and the wallet theft are distinct behaviors; a miner alone does not move wallet funds). No specific CVE is cited; the technique relies on the victim's trust in a UI element and on the victim running the attacker's payload, not on a software flaw. Source: HackRead
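The two endpoint signals recommended above (Node.js launched in a ClickFix‑like way, and Tor egress from a non‑browser process) can be expressed as simple detection logic. The block below is an added example written for this summary, not code from Netskope Threat Labs, HackRead, or the campaign itself. It runs over a handful of constructed Sysmon‑style events (event ID 1 = process creation, event ID 3 = network connection); the field names, the sample paths and IPs (RFC 5737 test ranges), and the one‑entry "relay list" are assumptions standing in for real telemetry and a real Tor relay feed.

```python
"""Detection sketch for the ClickFix / Node.js tradecraft summarized above.

Added example, not code from Netskope or HackRead. It scans CONSTRUCTED
Sysmon-style events for two signals:
  1. node.exe run from a user-writable path, with inline code (-e/-p), or
     spawned by explorer.exe / a shell (the Run-dialog pattern);
  2. outbound connections from a non-browser process to Tor default ports
     or to an address on a Tor relay list.
"""
import ipaddress
import re

# Tor defaults: 9001 ORPort, 9030 DirPort, 9050/9051 SOCKS/control,
# 9150/9151 Tor Browser. Relays often also use 443, hence the relay list.
TOR_PORTS = {9001, 9030, 9050, 9051, 9150, 9151}
# Constructed stand-in for a Tor relay feed (assumption; TEST-NET-3 address).
KNOWN_TOR_RELAYS = {ipaddress.ip_address("203.0.113.10")}

USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|public)\\", re.I)
INLINE_CODE = re.compile(r"(^|\s)(-e|--eval|-p|--print)(\s|$)", re.I)
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "tor.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_node(ev: dict) -> list:
    """Reasons a process-creation event looks like ClickFix-delivered Node.js."""
    if ev.get("event_id") != 1 or _basename(ev.get("image", "")) != "node.exe":
        return []
    reasons = []
    if USER_WRITABLE.search(ev["image"]):
        reasons.append("node.exe in user-writable path")
    if INLINE_CODE.search(ev.get("cmdline", "")):
        reasons.append("inline code via -e/-p")
    parent = _basename(ev.get("parent_image", ""))
    if parent in SHELL_PARENTS:
        reasons.append(f"spawned by {parent} (Run dialog / shell)")
    return reasons


def is_tor_egress(ev: dict) -> list:
    """Reasons a network event looks like Tor egress from a non-browser."""
    if ev.get("event_id") != 3 or not ev.get("initiated", True):
        return []  # not an outbound connection
    if _basename(ev.get("image", "")) in BROWSERS:
        return []  # browsers reaching Tor-ish ports are out of scope here
    reasons = []
    if ev.get("dst_port") in TOR_PORTS:
        reasons.append(f"dst port {ev['dst_port']} is a Tor default")
    try:
        if ipaddress.ip_address(ev.get("dst_ip", "")) in KNOWN_TOR_RELAYS:
            reasons.append("dst ip in Tor relay list")
    except ValueError:
        pass  # malformed or missing address; port check still applies
    return reasons


def scan(events: list) -> list:
    """Run both checks over a list of events; return one alert per hit."""
    alerts = []
    for ev in events:
        for check in (is_suspicious_node, is_tor_egress):
            reasons = check(ev)
            if reasons:
                alerts.append({"id": ev["id"], "check": check.__name__,
                               "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # benign: developer runs the installed Node from VS Code
    {"id": 1, "event_id": 1, "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node server.js",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    # ClickFix-like: node dropped in Temp, launched via Run dialog, inline eval
    {"id": 2, "event_id": 1,
     "image": r"C:\Users\jsmith\AppData\Local\Temp\node.exe",
     "cmdline": 'node.exe -e "require(\'child_process\')..."',
     "parent_image": r"C:\Windows\explorer.exe"},
    # benign browser traffic
    {"id": 3, "event_id": 3,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443, "initiated": True},
    # Tor egress from the dropped node.exe
    {"id": 4, "event_id": 3,
     "image": r"C:\Users\jsmith\AppData\Local\Temp\node.exe",
     "dst_ip": "203.0.113.10", "dst_port": 9001, "initiated": True},
    # inbound connection on a Tor port: not egress, must not alert
    {"id": 5, "event_id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "192.0.2.5", "dst_port": 9050, "initiated": False},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints two alerts, for events 2 and 4, and stays quiet on the developer's Node process, ordinary browser traffic, and the inbound connection. In production the Node check needs an allow‑list for build agents and developer workstations, and the Tor check should be fed a current relay list rather than the single constructed address used here.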