Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

Summary: Trend Micro Research analyzed an active KongTuke campaign using modeloRAT malware delivered through compromised WordPress sites and fake CAPTCHA lures, alongside the newer CrashFix technique.

Our Managed Detection and Response (MDR) findings confirm that the group continues to use this method alongside the newer CrashFix technique, which tricks users into installing a malicious browser extension to initiate infection.

The attack relies heavily on legitimate system tools and trusted services to avoid detection. By abusing components such as PowerShell, finger.exe, Dropbox-hosted files, and portable Python environments, the malware can execute commands remotely, maintain persistence, and remain active on compromised systems while leaving limited visible traces.
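As an added illustration that is not part of the Trend Micro report, the Python below shows how a detection engineer could flag the tool combination described above (finger.exe reaching out to a remote host, PowerShell pulling from Dropbox, a portable Python runtime in a user-writable path) in process-creation telemetry. The event schema, hosts and paths are constructed placeholders, not indicators from the campaign.

```python
"""Heuristics for the living-off-the-land chain described above.
Constructed example: Sysmon-style process-creation records with placeholder
hosts and paths, not telemetry or IoCs from the Trend Micro report."""
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str

SCRIPT_HOSTS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\mshta.exe")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\programdata\\|\\temp\\", re.I)
DROPBOX = re.compile(r"dropbox(usercontent)?\.com", re.I)

def _is(image, *names):
    return image.lower().endswith(names)

def check_event(ev):
    """Return the findings for one event (empty list if nothing suspicious)."""
    f, img = [], ev.image.lower()
    # finger.exe has almost no legitimate use on an enterprise endpoint;
    # a user@host argument means it is talking to a remote server.
    if _is(img, "\\finger.exe") and "@" in ev.command_line:
        f.append("finger.exe contacting a remote host")
    # PowerShell retrieving content from a trusted file-sharing service.
    if _is(img, "\\powershell.exe", "\\pwsh.exe") and DROPBOX.search(ev.command_line):
        f.append("PowerShell retrieving content from Dropbox")
    # A portable Python runtime dropped into a user-writable location.
    if _is(img, "\\python.exe", "\\pythonw.exe") and USER_WRITABLE.search(img):
        f.append("python.exe running from a user-writable path")
    # Any of the above spawned by a script host raises confidence.
    if f and _is(ev.parent_image, *SCRIPT_HOSTS):
        f.append("spawned by a script host")
    return f

def scan(events):
    """Map event index -> findings, skipping events with none."""
    return {i: fs for i, ev in enumerate(events) if (fs := check_event(ev))}

# Constructed sample telemetry (TEST-NET address, placeholder Dropbox path).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Windows\System32\finger.exe", "finger.exe user@203.0.113.10", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -nop -c "<fetch https://www.dropbox.com/s/PLACEHOLDER/stage.zip>"', r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\alice\AppData\Roaming\py\python.exe", "python.exe main.py", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for i, fs in scan(SAMPLE_EVENTS).items():
        print(i, "; ".join(fs))
```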

Key facts

  • The attack uses legitimate system tools to avoid detection.
  • Compromised WordPress sites and fake CAPTCHA lures are used as vectors.
  • Malware such as modeloRAT is capable of reconnaissance, command execution, and persistent access.

Why it matters

This analysis is crucial for understanding the evolving tactics of threat actors like KongTuke, which pose a significant risk to enterprise networks. It underscores the need for robust cybersecurity measures to protect against such sophisticated attacks.
