DEV Community

Mark0

Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

The KongTuke threat group continues to deploy the Python-based modeloRAT through compromised WordPress websites, utilizing a "ClickFix" strategy involving fake CAPTCHA lures. Despite the emergence of the newer "CrashFix" browser extension method, this traditional delivery chain remains active, employing injected JavaScript to trick users into executing malicious PowerShell commands.

The attack leverages legitimate system tools like finger.exe and trusted cloud services such as Dropbox to evade detection while establishing remote command execution. Once active, the malware performs extensive reconnaissance, checks for corporate domain membership, and avoids analysis environments by scanning for common security tools and debuggers.

Persistence is achieved through registry run keys and scheduled tasks disguised as legitimate system services. The payload features a sophisticated multi-stage infection process with layered obfuscation, including AES-256 encryption and Zlib compression, to maintain a long-term presence within the target environment.
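A defender-side triage check built from the behaviours summarised above, added here as an example and not taken from the article or the MDR team's tooling: it classifies constructed Sysmon-style process-creation events, flagging a hidden shell launched from explorer.exe (where a pasted ClickFix command surfaces), finger.exe driven from a shell, and a Run-key write from a shell. All hosts, paths and registry value names below are invented.

```python
import re

# Constructed Sysmon EID 1-style events (not from the article); 203.0.113.10 is a
# documentation address and the Run value name / payload path are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r'powershell.exe -w hidden -c "finger ops@203.0.113.10"'},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": r"finger.exe ops@203.0.113.10"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                    r"/v PLACEHOLDER_SVC /t REG_SZ /d C:\Users\u\AppData\Local\placeholder.exe /f"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile"},              # interactive, benign
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": r"svchost.exe -k netsvcs"},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the ClickFix / KongTuke-style indicators an event matches (empty if none)."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    reasons = []
    # A command pasted into the Run dialog appears as a shell whose parent is explorer.exe;
    # the hidden window is what separates it from a user opening a normal console.
    if parent == "explorer.exe" and image in SHELLS and HIDDEN_RE.search(cmd):
        reasons.append("hidden shell launched from explorer.exe")
    # finger.exe is a legitimate but rarely used tool; a shell driving it is worth a look.
    if (image == "finger.exe" and parent in SHELLS) or (image in SHELLS and "finger" in cmd.lower()):
        reasons.append("finger.exe used from a shell")
    # Run-key persistence written by reg.exe from a shell, the pattern the article describes.
    if image == "reg.exe" and parent in SHELLS and RUN_KEY_RE.search(cmd):
        reasons.append("Run key written from a shell")
    return reasons


def scan(events: list) -> list:
    """Return (index, reasons) for every event that matched at least one indicator."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]
```

On real telemetry, correlate the first two indicators by process GUID: a hidden shell from explorer.exe that then spawns finger.exe is a far stronger signal than either event alone.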
