KongTuke ClickFix Abuses WordPress Sites

500+ hacked WordPress sites. That's the grim tally from MDR scans, all pumping KongTuke's ClickFix straight into users' browsers. Old malware habits die hard.

KongTuke's ClickFix Won't Die: modeloRAT Ravages WordPress Sites — theAIcatchup

Key Takeaways

  • KongTuke persists with ClickFix on 500+ compromised WordPress sites, delivering modeloRAT via fake CAPTCHAs.
  • ClickFix runs alongside newer CrashFix, proving old tricks scale better for mass infections.
  • WordPress admins: Audit plugins, enable WAF, or risk becoming malware distributors.

500 compromised WordPress sites. Detected last month by MDR tools alone. KongTuke’s not quitting their ClickFix game.

It’s absurd. This crew — the ones behind modeloRAT — still leans on fake CAPTCHA lures to drop their nasty payload. Reconnaissance. Command execution. Persistent backdoors. All from a plugin-riddled WP site near you.

Our analysis of an active KongTuke campaign deploying modeloRAT — malware capable of reconnaissance, command execution, and persistent access — through compromised WordPress sites and fake CAPTCHA lures shows that the group still operates this delivery chain in parallel with the newer CrashFix technique.

That’s the raw take from the pros tracking this mess. And here’s the kicker: they’re running it side-by-side with CrashFix. Why bother? Laziness? Or just because it works?

Look. WordPress powers 43% of the web. Lazy admins everywhere. One unpatched plugin — boom. Instant malware highway.

What the Hell is KongTuke’s ClickFix?

ClickFix. Sounds like a bad app name. Really, it’s a drive-by download scam. Victim hits a compromised WP site. Fake CAPTCHA pops up: “Verify you’re human.” Click. modeloRAT installs silently. No fuss, no ports, no alerts.

Brilliant in its stupidity. KongTuke’s been at this since 2022. Evolved a bit — better evasion now — but core? Same old clickbait. (Yeah, pun intended.) They’ve refined the CAPTCHA to mimic Cloudflare’s. Users fall for it daily. Pathetic.

And WordPress? Still the low-hanging fruit. Core updates lag. Themes from sketchy devs. Plugins like a sieve. KongTuke knows it. Exploits it. Laughs all the way to their C2 server.

But wait. Parallel ops with CrashFix. That’s the new hotness — zero-day browser exploits or some such. Flashier. Yet ClickFix endures. Tells you something about threat actors: reliability over razzle-dazzle.

Why Is KongTuke Still Hitting WordPress with This Junk?

Simple. Scale. WordPress sites are everywhere. Compromise one via SQLi or old CVE — like the 10,000+ still vulnerable to CVE-2023- something-or-other — and you’ve got a distributor.

No need for phishing emails. No supply chain hacks. Just hijack grandma’s blog. Serve malware to her visitors. Passive income for crooks.

My unique hot take? This echoes the good ol’ Blackhole exploit kit days, circa 2012. Remember? Drive-bys ruled. Then Adobe and Java patched up. Kits died. But KongTuke? They’re the zombies. Undead because WP never learns. Prediction: ClickFix lasts another two years minimum. Unless WP.org mandates real security audits. (Spoiler: they won’t.)

Dry humor aside — it’s not funny when enterprises browse these sites. Supply chain? Nah. Visitor chain. Your users hit a hacked blog, next thing: corporate creds harvested.

MDR spotted this chain active. Not hypothetical. Live. Scanning for WP oddities — unusual redirects, CAPTCHA spikes — that’s how they caught it. Good on them. But why’s the onus on defenders to chase ghosts?

How Does modeloRAT Actually Work?

modeloRAT. Fancy name for a Swiss Army knife RAT. Lands via ClickFix. Phones home. Maps your network. Executes shell commands. Sticks around via scheduled tasks or registry runs.

Evasion tricks? Obfuscated JS. In-memory execution. No disk drops if you’re lucky. But persistent? Oh yeah. Hooks into browsers for cookie theft. Keylogs if you want.

KongTuke’s MO: low noise. Not ransomware screamers. Quiet espionage. Perfect for APT-lite ops. (Who are they selling to? Beats me. But bids on underground forums suggest state-ish ties.)

WordPress angle amplifies it. SEO juice means traffic. Compromised sites rank high — visitors trust ‘em. Click. Owned.

Is Your WordPress Site a KongTuke Playground?

Short answer: probably. Check logs for weird 404s to /captcha/ endpoints. Scan plugins — anything over six months old? Nuke it.
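The log check above (and the "unusual redirects, CAPTCHA spikes" MDR was scanning for) as a small script. This is an added example, not code from the original post or from Trend Micro's report: it parses combined-format access log lines, lists 404s to /captcha/ paths with their referers, and flags hours in which /captcha/ requests pass a threshold. The sample log lines, IPs and the three-per-hour threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx combined log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CAPTCHA_PATH = re.compile(r'/captcha/', re.IGNORECASE)

# Constructed sample access log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "GET /captcha/verify.php HTTP/1.1" 404 512 "https://blog.example/2025/post" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:14:02:12 +0000] "GET /wp-content/uploads/x.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:14:05:40 +0000] "GET /captcha/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:14:07:03 +0000] "GET /captcha/check HTTP/1.1" 404 512 "-" "curl/8.0"
192.0.2.1 - - [10/Mar/2025:15:01:00 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    return e

def find_captcha_hits(log_text, spike_threshold=3):
    """Return (not_found, spikes).
    not_found: (ip, path, referer) for every 404 to a /captcha/ path.
    spikes: {hour: count} for hours with >= spike_threshold /captcha/ requests.
    """
    not_found = []
    per_hour = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or not CAPTCHA_PATH.search(e["path"]):
            continue
        per_hour[e["ts"].strftime("%Y-%m-%d %H:00")] += 1
        if e["status"] == 404:
            not_found.append((e["ip"], e["path"], e["referer"]))
    spikes = {h: n for h, n in per_hour.items() if n >= spike_threshold}
    return not_found, spikes

if __name__ == "__main__":
    hits, spikes = find_captcha_hits(SAMPLE_LOG)
    for ip, path, ref in hits:
        print(f"404 to {path} from {ip} (referer: {ref})")
    print("spike hours:", spikes)
```

Pipe a real access log in via `find_captcha_hits(open(path).read())`; a burst of 404s to /captcha/ paths with your own pages as referer is the pattern worth pulling the site offline for.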

But here’s the rub. Hosting providers? Complicit by neglect. Shared servers mean one hack spreads. Migrate to VPS? Costs money. So they don’t.

Unique insight time: this parallels the 2016 DNC hack vibes — not nation-state polish, but opportunistic WP pivots. KongTuke’s no Fancy Bear. More like script kiddies with sponsor cash. Critique their PR spin? Wait, they have none. But security firms hype “new campaigns” yearly. ClickFix ain’t new. It’s recycled trash.

Fix it. WAF rules for CAPTCHAs. Core auto-updates. Plugin audits. Or quit pretending WP’s secure for prod.

And devs? Stop shipping crap. ThemeForest, I’m looking at you.

Why Does This Matter for Web Admins Right Now?

Traffic’s your risk. High-traffic WP? Prime target. KongTuke scans Shodan for vuln sites daily. Your blog’s next.

MDR’s lens shows persistence. Not fading. Evolving. CrashFix for elites, ClickFix for masses.

Bold call: expect modeloRAT variants in Q1 2025. WP 6.5 holes already whispered.

Get MDR. Or at least a decent scanner. Free ones miss this.

Skeptical? Test it. Spin up a vuln WP box. Wait. See the hits.


Frequently Asked Questions

What is KongTuke ClickFix?

ClickFix is KongTuke’s technique using fake CAPTCHAs on hacked WordPress sites to deliver modeloRAT malware via drive-by downloads.

How does modeloRAT infect WordPress visitors?

Visitors click a bogus CAPTCHA on a compromised site; JS payload installs the RAT for spying and control without further interaction.

Is KongTuke’s ClickFix still active in 2024?

Yes—MDR analysis confirms it’s running parallel to newer tactics like CrashFix on hundreds of sites.

Written by Sarah Chen

AI research editor covering LLMs, benchmarks, and the race between frontier labs. Previously at MIT CSAIL.


Originally reported by Trend Micro Research