Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

    Date: 03/11/2026

    Severity: High

    Summary

    Security researchers uncovered ongoing attacks linked to the KongTuke threat group that use compromised WordPress sites and fake CAPTCHA (ClickFix) lures to spread modeloRAT, a Python-based remote access trojan. JavaScript injected into the compromised sites prompts visitors to run a PowerShell command, which kicks off a multistage infection chain. The campaign continues alongside the newer CrashFix technique, which instead tricks users into installing a malicious browser extension. The chain abuses trusted tools and services, including PowerShell, finger.exe, Dropbox-hosted files, and a portable Python runtime, to evade detection and maintain persistence. Before deploying its payload it checks for corporate domains and installed security tools, which indicates that enterprise environments, not random users, are the intended targets.

    Indicators of Compromise (IOC) List

    URLs and IP addresses :

    http://45.61.138.224

    http://158.247.252.178/beacon/024a143b

    http://170.168.103.208/beacon/024a143b

    http://170.168.103.208/beacon/765885f4

    https://www.dropbox.com/sc/fi/q7Wv7uly06okwokmjshy7/1.zip

    https://ainttby.com/6f54.js

    https://foodgefy.com/6o0jk.js

    https://ctpsih.com/2d5h.js

    SHA-256 hashes :

    c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6

    7d03573b8f1dbb62cd25aecd82e790450fce4aa3f29ef07a0d02c8dd5bd29995

    90553fc9208cd64f1f827fd07edec3c2aa0a4510471015ce44c7411898f35039

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "http://45.61.138.224" or url like "http://45.61.138.224" or siteurl like "http://45.61.138.224"
    or domainname like "http://170.168.103.208/beacon/024a143b" or url like "http://170.168.103.208/beacon/024a143b" or siteurl like "http://170.168.103.208/beacon/024a143b"
    or domainname like "https://ctpsih.com/2d5h.js" or url like "https://ctpsih.com/2d5h.js" or siteurl like "https://ctpsih.com/2d5h.js"
    or domainname like "http://158.247.252.178/beacon/024a143b" or url like "http://158.247.252.178/beacon/024a143b" or siteurl like "http://158.247.252.178/beacon/024a143b"
    or domainname like "https://ainttby.com/6f54.js" or url like "https://ainttby.com/6f54.js" or siteurl like "https://ainttby.com/6f54.js"
    or domainname like "http://170.168.103.208/beacon/765885f4" or url like "http://170.168.103.208/beacon/765885f4" or siteurl like "http://170.168.103.208/beacon/765885f4"
    or domainname like "https://foodgefy.com/6o0jk.js" or url like "https://foodgefy.com/6o0jk.js" or siteurl like "https://foodgefy.com/6o0jk.js"
    or domainname like "https://www.dropbox.com/sc/fi/q7Wv7uly06okwokmjshy7/1.zip" or url like "https://www.dropbox.com/sc/fi/q7Wv7uly06okwokmjshy7/1.zip" or siteurl like "https://www.dropbox.com/sc/fi/q7Wv7uly06okwokmjshy7/1.zip"

    Detection Query 2 :

    sha256hash IN ("c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6","7d03573b8f1dbb62cd25aecd82e790450fce4aa3f29ef07a0d02c8dd5bd29995","90553fc9208cd64f1f827fd07edec3c2aa0a4510471015ce44c7411898f35039")
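    The two queries above match the IOCs literally, including the URL scheme, so a proxy or DNS log that records only the host, or a beacon fetched over https instead of http, would slip past Query 1, and a host-level match on www.dropbox.com would flood the queue with legitimate Dropbox traffic. The following script is an added example, not Gurucul's or Trend Micro's code: it takes the IOC values listed on this page, splits each URL into a host part and a path part so that hosts can be matched on their own while shared hosting services such as Dropbox are matched only on the full path, and adds two behavioural checks for the ClickFix chain described in the summary (finger.exe execution, and PowerShell launched directly by explorer.exe, which is what a command pasted into the Run dialog looks like). The log records are constructed samples and the field names (id, url, sha256, image, parent_image) are assumptions about a generic proxy/EDR schema.

```python
"""IOC and behaviour matching for the KongTuke ClickFix chain.

Added illustration, not Gurucul's or Trend Micro's code. IOC values are the
ones listed on this page; the log records below are constructed samples and
the field names are assumptions about a generic proxy/EDR event schema.
"""
from urllib.parse import urlsplit

IOC_URLS = [
    "http://45.61.138.224",
    "http://158.247.252.178/beacon/024a143b",
    "http://170.168.103.208/beacon/024a143b",
    "http://170.168.103.208/beacon/765885f4",
    "https://www.dropbox.com/sc/fi/q7Wv7uly06okwokmjshy7/1.zip",
    "https://ainttby.com/6f54.js",
    "https://foodgefy.com/6o0jk.js",
    "https://ctpsih.com/2d5h.js",
]
IOC_SHA256 = {
    "c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6",
    "7d03573b8f1dbb62cd25aecd82e790450fce4aa3f29ef07a0d02c8dd5bd29995",
    "90553fc9208cd64f1f827fd07edec3c2aa0a4510471015ce44c7411898f35039",
}
# Hosts shared with legitimate traffic: never match on the host alone.
SHARED_HOSTS = {"www.dropbox.com"}


def split_iocs(urls):
    """Return (hosts, paths). Hosts are bare domains/IPs, so proxy or DNS logs
    that never record a full URL still match; paths are (host, path) pairs,
    and the scheme is dropped so http/https variants do not cause a miss."""
    hosts, paths = set(), set()
    for u in urls:
        p = urlsplit(u)
        host = p.hostname.lower()
        hosts.add(host)
        if p.path and p.path != "/":
            paths.add((host, p.path))
    return hosts, paths


IOC_HOSTS, IOC_PATHS = split_iocs(IOC_URLS)


def behavioural_reasons(rec):
    """Generic ClickFix tells taken from the summary above (assumed field names)."""
    reasons = []
    image = rec.get("image", "").lower()
    parent = rec.get("parent_image", "").lower()
    if image.endswith("finger.exe"):
        reasons.append("finger.exe execution (rarely legitimate on a workstation)")
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
        # A command pasted into Win+R runs under explorer.exe, not a terminal.
        reasons.append("powershell.exe spawned by explorer.exe (Run dialog)")
    return reasons


def match_record(rec):
    """Return the list of reasons this record matches; empty means clean."""
    reasons = behavioural_reasons(rec)
    url = rec.get("url")
    if url:
        p = urlsplit(url if "://" in url else "http://" + url)  # tolerate host-only logs
        host = (p.hostname or "").lower()
        if host in IOC_HOSTS and host not in SHARED_HOSTS:
            reasons.append(f"host IOC {host}")
        elif (host, p.path) in IOC_PATHS:
            reasons.append(f"url IOC {host}{p.path}")
    if rec.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("sha256 IOC")
    return reasons


def scan(records):
    """Map record id -> reasons for every record that matched."""
    hits = {}
    for rec in records:
        reasons = match_record(rec)
        if reasons:
            hits[rec["id"]] = reasons
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"id": "r1", "url": "158.247.252.178/beacon/024a143b"},               # proxy log, no scheme
    {"id": "r2", "url": "https://www.dropbox.com/sc/fi/q7Wv7uly06okwokmjshy7/1.zip"},
    {"id": "r3", "url": "https://www.dropbox.com/home"},                    # benign Dropbox use
    {"id": "r4", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": "r5", "image": "C:\\Windows\\System32\\finger.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": "r6", "sha256": "C15F44D6ABB3A2A882FFDC9B90F7BB5D1A233C0AA183EB765AA8BFBA5832C8C6"},
    {"id": "r7", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Program Files\\WindowsApps\\WindowsTerminal.exe"},  # admin at a console
]

if __name__ == "__main__":
    for rid, why in scan(SAMPLE_RECORDS).items():
        print(rid, "->", "; ".join(why))
```

    Running it flags r1, r2, r4, r5 and r6 and leaves the two benign records alone. The behavioural checks are deliberately broad: on their own they generate noise in environments where helpdesk staff use the Run dialog, so treat them as a pivot to look for the IOC matches and the follow-on Dropbox download rather than as a standalone alert.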

    Reference: 

    https://www.trendmicro.com/en_us/research/26/c/kongtuke-clickfix-abuse-of-compromised-wordpress-sites.html


    Tags

    Malware, Threat Actor, KONGTUKE, WordPress, RAT, ClickFix
