Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

Summary: Trend Micro Research analyzes an ongoing attack by the KongTuke threat group that uses compromised WordPress sites and fake CAPTCHA lures to deliver modeloRAT malware.

Our analysis of an active campaign by the KongTuke threat group deploying modeloRAT — a malware capable of reconnaissance, command execution, and persistent access — through compromised WordPress sites and fake CAPTCHA lures shows that the group still operates this delivery chain in parallel with the newer CrashFix technique. The attackers inject malicious JavaScript into legitimate WordPress websites, prompting users to run a PowerShell command that triggers a multistage infection process.
Organizations whose users browse compromised websites or encounter prompts asking them to run commands could be at risk. The malware specifically checks whether a system is part of a corporate domain and identifies installed security tools before continuing, suggesting a focus on enterprise environments rather than opportunistic infections.

Key facts

  • The KongTuke threat group uses compromised WordPress sites to deliver modeloRAT malware.
  • The ClickFix technique involves injecting malicious JavaScript that triggers a multistage infection process via PowerShell commands.
  • The malware checks if the system is part of a corporate domain and identifies security tools before proceeding, indicating a focus on enterprise environments.
  • MDR analysis confirmed ongoing attacks linked to KongTuke using both ClickFix and CrashFix techniques.

Why it matters

The continued use of these techniques by the KongTuke group poses significant risks for businesses, because the group compromises legitimate websites to deliver malware. This highlights the importance of maintaining strong cybersecurity practices and constant monitoring to prevent such threats.
