What is KongTuke ClickFix?

ClickFix is KongTuke's technique using fake CAPTCHAs on hacked WordPress sites to deliver modeloRAT malware via drive-by downloads.

How does modeloRAT infect WordPress visitors?

Visitors click a bogus CAPTCHA on a compromised site; JS payload installs the RAT for spying and control without further interaction.

Is KongTuke's ClickFix still active in 2024?

Yes—MDR analysis confirms it's running parallel to newer tactics like CrashFix on hundreds of sites.

🎯 Threat Intelligence

KongTuke's ClickFix Won't Die: modeloRAT Ravages WordPress Sites

500+ hacked WordPress sites. That's the grim tally from MDR scans, all pumping KongTuke's ClickFix straight into users' browsers. Old malware habits die hard.

theAIcatchup Apr 08, 2026 4 min read

Compromised WordPress site displaying fake CAPTCHA lure for KongTuke modeloRAT delivery

⚡ Key Takeaways

KongTuke persists with ClickFix on 500+ compromised WordPress sites, delivering modeloRAT via fake CAPTCHAs. 𝕏
ClickFix runs alongside newer CrashFix, proving old tricks scale better for mass infections. 𝕏
WordPress admins: Audit plugins, enable WAF, or risk becoming malware distributors. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#ClickFix #KongTuke #WordPress malware #modeloRAT

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Trend Micro Research

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Venom Stealer: The Malware That Turns One-Time Heists into Endless Data Streams

Infiniti Stealer: macOS's Sneaky New Thief via Fake CAPTCHA and Terminal Tricks

Apple's Terminal Lifeline: macOS Now Blocks ClickFix Paste Bombs Before They Explode

$21 Billion Vanishes: FBI's Grim Cybercrime Tally for 2025

Stay in the loop