Pulse name: ClickFix-as-a-Service platform with fake Cloudflare CAPTCHA delivered through a DOM overlay on compromised WordPress sites
TLP: WHITE · Author: dispensight · Created: 2026-05-20 · Modified: 2026-05-20 · 105 IOCs (high volume)
TLP:GREEN | SL-ADV-2026-WP-001 UNIFIED | March 20 – May 19, 2026

ClickFix/TDS cluster active since March 2026. Compromised WordPress sites inject an obfuscated JavaScript loader that fires a synchronous XHR to a TDS C2 (ntdnewtds.shop / dnsnewtds.shop / sdntds.shop), fetches a remote payload, and executes it inline. Victims see a fake Cloudflare CAPTCHA (rendered inside a Shadow DOM and localized into 50 languages) that silently writes a PowerShell command to the clipboard.

PowerShell chain: IRM stage 1 → IWR stage 2 → csc.exe compiles the Rozena DLL → svchost injection → DonutLoader C2 (158.94.208.104) → browser/Firefox/crypto-wallet credential theft → self-delete. A parallel Python chain (Protected.py) uses direct NT syscalls for EDR bypass.

Per-campaign C2 IPs, segmented DonutLoader payloads (my_ / student_), and a six-domain TDS pool suggest a ClickFix-as-a-Service affiliate platform. 4 JS variants documented March–May 2026.

SecureLeaf · Dispensight Security Research · SL-ADV-2026-WP-001 rev. 3.0 | STIX 2.1 · 438 objects · 4 variants · 2 execution chains
Indicators of Compromise (9 of 105 total shown)