Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites
While the bytecode did not execute successfully in our tests, we saw that it contains strings and a reference to another file named AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform\run.pyw, which was also dropped on the same infected host.
The following is a list of extracted names/functions:
Names: ('psutil', 'os', 'subprocess', 'sys', 'time', 'getcwd', 'var_de19fc0291090dcb', 'path', 'normcase', 'var_2e81fe4a2321309f', '_decrypt_str', 'var_358b2857d44181b1', 'startswith', 'exit', 'main', '__name__')
Analyzing the file run.pyw shows that it has the same structure and flow as udp.pyw, but with a larger embedded data blob. Applying the same deobfuscation method, we saw that run.pyw loads Python bytecode via the marshal module. The following is a list of extracted names/functions:
Names: ('socket', 'sys', 'subprocess', 'os', 'html', 're', 'time', 'bs4', 'BeautifulSoup', 'threading', 'psutil', 'requests', 'Crypto.Util.Padding', 'Crypto', 'base64', 'getcwd', 'var_de19fc0291090dcb', 'path', 'normcase', 'var_2e81fe4a2321309f', '_decrypt_str', 'var_358b2857d44181b1', 'startswith', 'exit', 'var_c68c19a0ea74d15a', 'var_2b6b8037e2428633', 'var_d7ee27df16fe75f8', 'var_0d6f193b19a44f4a', 'var_6560076c59ac87ac', 'check', 'Thread', 'var_fd8ce270b6003277', 'start', 'get', 'var_cea36d54b621a48f', 'text', 'var_d09efe76ced85d6d', 'find', 'var_0e23b5f319056839', 'var_7c5f6bb71383d3f3', 'split', 'var_6d5d29b8058bdf65', 'var_687b9b2c70a5c665', 'var_faf655de6214f02a', 'var_86c69be4c78f2621', 'b64decode', 'var_1363a4c4e644abdf', 'bytes', 'enumerate', 'len', 'var_40eab56476d5b9f6', 'decode', 'var_ae751dbc35895e07', 'var_794ede7b4b034ebe', 'xor_encrypt_decrypt', 'get_codepage', 'run_command', 'get_domain', 'connect_to_server', 'authenticate', 'main', '__name__')
The bytecode includes string entries related to functions for internet access, system control, and self-concealment, indicating it is a persistent backdoor designed for remote access and command execution.
The KongTuke threat group is not replacing its old tradecraft but expanding it. While security reporting from Huntress highlighted the emergence of the new CrashFix technique, our MDR findings confirm that the group still uses compromised WordPress websites and fake CAPTCHA lures as an infection vector.
Both delivery paths, CrashFix browser-extension abuse and ClickFix/fake CAPTCHA chains, ultimately converge on the same objective: the deployment of the Python-based modeloRAT. The consistency of the payload across different initial access methods demonstrates a mature, modular operation. KongTuke is diversifying entry techniques while maintaining a stable and reliable post-exploitation framework.
Telemetry from VirusTotal further supports that this activity could still be ongoing. Multiple compromised websites remain injected, increasing the likelihood of continued exposure. This also demonstrates the group’s focus on scale, persistence, and adaptability rather than single-wave campaigns.
Organizations can mitigate this threat by adopting a layered defensive approach:
- Harden and maintain web servers. Regularly patch and update WordPress core files, themes, and plugins to reduce the risk of site compromise. Disable unused plugins and enforce strong administrative controls.
- Enhance endpoint detection and response (EDR) monitoring. Configure EDR solutions to alert on suspicious command-line activity, encoded PowerShell, unusual parent-child process relationships, and anomalous outbound network connections.
- Strengthen user awareness training. Educate users that legitimate websites and security tools will never require copying and running commands to fix errors or complete CAPTCHA-style verifications.
Because this campaign ultimately relies on human-initiated execution, combining technical controls with continuous user education is essential to effectively reduce organizational risk.
TrendAI Vision One™ is the industry-leading AI cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection.
TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.
Emerging Threats:
KongTuke’s ClickFix Abuse of Compromised WordPress Sites
TrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Hunting Queries
malName:*MODELORAT* AND eventName:MALWARE_DETECTION AND LogType: detection
eventSubId: 101 AND parentCmd:services.exe AND processCmd:Schedule AND objectFilePath:C:\Windows\System32\Tasks\SoftwareProtection
More hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.
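To show how the two hunting queries above, together with the EDR alerting advice in the mitigation list, translate into detection logic, here is an added example that is not part of the original post or of the Vision One product: it evaluates rules over constructed telemetry events that reuse the query field names. The third rule, keyed on the run.pyw drop location reported earlier, and the sample events are assumptions made for illustration.

```python
import re

# Values taken from the hunting queries and the dropped-file path reported above.
TASK_PATH = r"C:\Windows\System32\Tasks\SoftwareProtection"
PYW_DIR = r"AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform"


def match_modelorat_detection(ev):
    """Query 1: an anti-malware detection whose name contains MODELORAT."""
    return (ev.get("eventName") == "MALWARE_DETECTION"
            and "MODELORAT" in ev.get("malName", "").upper())


def match_softwareprotection_task(ev):
    """Query 2: the Task Scheduler service (parent services.exe) writing the
    'SoftwareProtection' task file. eventSubId 101 is taken from the query."""
    return (ev.get("eventSubId") == 101
            and ev.get("parentCmd", "").lower().endswith("services.exe")
            and "schedule" in ev.get("processCmd", "").lower()
            and ev.get("objectFilePath", "").lower() == TASK_PATH.lower())


def match_pyw_in_spp_dir(ev):
    """Added heuristic (an assumption, not one of the post's queries): any
    command line that runs a .pyw from the SoftwareProtectionPlatform folder."""
    pattern = re.escape(PYW_DIR) + r'\\[^\s"]+\.pyw'
    return re.search(pattern, ev.get("processCmd", ""), re.IGNORECASE) is not None


RULES = [
    ("modelorat_detection", match_modelorat_detection),
    ("softwareprotection_task", match_softwareprotection_task),
    ("pyw_in_spp_dir", match_pyw_in_spp_dir),
]


def hunt(events):
    """Return (event index, rule name) for every event that trips a rule."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES if rule(ev)]


# Constructed sample telemetry (not real MDR data): one hit per rule plus a
# benign scheduled-task write that must not fire.
SAMPLE_EVENTS = [
    {"eventName": "MALWARE_DETECTION", "LogType": "detection",
     "malName": "Backdoor.Python.MODELORAT.SAMPLE"},
    {"eventSubId": 101, "parentCmd": r"C:\Windows\System32\services.exe",
     "processCmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "objectFilePath": TASK_PATH},
    {"eventSubId": 101, "parentCmd": r"C:\Windows\System32\services.exe",
     "processCmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "objectFilePath": r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"eventSubId": 2, "parentCmd": r"C:\Windows\explorer.exe",
     "processCmd": r'"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe" '
                   r'"C:\Users\alice\AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform\run.pyw"'},
]

if __name__ == "__main__":
    for idx, rule_name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

Event 2 is the negative case: the same parent and service command line writing a Microsoft-owned task path should not alert, which is what the exact objectFilePath comparison enforces.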
