{"id":60293,"date":"2026-03-10T00:00:00","date_gmt":"2026-03-10T00:00:00","guid":{"rendered":"urn:uuid:7b84d5db-10d8-28c5-2fa4-ffd34b0d875c"},"modified":"2026-03-10T00:00:00","modified_gmt":"2026-03-10T00:00:00","slug":"through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/","title":{"rendered":"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/clickfix-976:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/clickfix-976.png\" class=\"ff-og-image-inserted\"><\/div>\n<p>While the execution of the bytecode was not successful in our tests, we saw that it contains strings and a reference to another file named <b>AppData\\Local\\Microsoft\\Windows\\SoftwareProtectionPlatform\\run.pyw<\/b>, which was also dropped in the same infected host.<\/p>\n<p>The following is a list of extracted names\/functions:<\/p>\n<p><span class=\"blockquote\">Names: (&#8216;psutil&#8217;, &#8216;os&#8217;, &#8216;subprocess&#8217;, &#8216;sys&#8217;, &#8216;time&#8217;, &#8216;getcwd&#8217;, &#8216;var_de19fc0291090dcb&#8217;, &#8216;path&#8217;, &#8216;normcase&#8217;, &#8216;var_2e81fe4a2321309f&#8217;, &#8216;_decrypt_str&#8217;, &#8216;var_358b2857d44181b1&#8217;, &#8216;startswith&#8217;, &#8216;exit&#8217;, &#8216;main&#8217;, &#8216;__name__&#8217;)<\/span><\/p>\n<p>Analyzing the file run.pyw shows that it has similar structure and flow as udp.pyw, but with a larger data this time around. Applying the same deobfuscation method, we saw run.pyw loads the Python bytecode via the marshal module. The following is a list of extracted names\/functions:<\/p>\n<p><span class=\"blockquote\">Names: (&#8216;socket&#8217;, &#8216;sys&#8217;, &#8216;subprocess&#8217;, &#8216;os&#8217;, &#8216;html&#8217;, &#8216;re&#8217;, &#8216;time&#8217;, &#8216;bs4&#8217;, &#8216;BeautifulSoup&#8217;, &#8216;threading&#8217;, &#8216;psutil&#8217;, &#8216;requests&#8217;, &#8216;Crypto.Util.Padding&#8217;, &#8216;Crypto&#8217;, &#8216;base64&#8217;, &#8216;getcwd&#8217;, &#8216;var_de19fc0291090dcb&#8217;, &#8216;path&#8217;, &#8216;normcase&#8217;, &#8216;var_2e81fe4a2321309f&#8217;, &#8216;_decrypt_str&#8217;, &#8216;var_358b2857d44181b1&#8217;, &#8216;startswith&#8217;, &#8216;exit&#8217;, &#8216;var_c68c19a0ea74d15a&#8217;, &#8216;var_2b6b8037e2428633&#8217;, &#8216;var_d7ee27df16fe75f8&#8217;, &#8216;var_0d6f193b19a44f4a&#8217;, &#8216;var_6560076c59ac87ac&#8217;, &#8216;check&#8217;, &#8216;Thread&#8217;, &#8216;var_fd8ce270b6003277&#8217;, &#8216;start&#8217;, &#8216;get&#8217;, &#8216;var_cea36d54b621a48f&#8217;, &#8216;text&#8217;, &#8216;var_d09efe76ced85d6d&#8217;, &#8216;find&#8217;, &#8216;var_0e23b5f319056839&#8217;, &#8216;var_7c5f6bb71383d3f3&#8217;, &#8216;split&#8217;, &#8216;var_6d5d29b8058bdf65&#8217;, &#8216;var_687b9b2c70a5c665&#8217;, &#8216;var_faf655de6214f02a&#8217;, &#8216;var_86c69be4c78f2621&#8217;, &#8216;b64decode&#8217;, &#8216;var_1363a4c4e644abdf&#8217;, &#8216;bytes&#8217;, &#8216;enumerate&#8217;, &#8216;len&#8217;, &#8216;var_40eab56476d5b9f6&#8217;, &#8216;decode&#8217;, &#8216;var_ae751dbc35895e07&#8217;, &#8216;var_794ede7b4b034ebe&#8217;, &#8216;xor_encrypt_decrypt&#8217;, &#8216;get_codepage&#8217;, &#8216;run_command&#8217;, &#8216;get_domain&#8217;, &#8216;connect_to_server&#8217;, &#8216;authenticate&#8217;, &#8216;main&#8217;, &#8216;__name__&#8217;)<\/span><\/p>\n<p>The bytecode includes string entries related to functions for internet access, system control, and self-concealment, indicating it is a persistent backdoor designed for remote access and command execution.<\/p>\n<p>The Kongtuke threat group is not replacing their old tradecraft but expanding it. While security reporting from Huntress highlighted the emergence of the new CrashFix technique, our MDR findings confirm that the group still uses compromised WordPress websites and fake CAPTCHA lures as infection vector.<\/p>\n<p>Both delivery paths \u2014 CrashFix browser-extension abuse and ClickFix\/fake CAPTCHA chains \u2014 ultimately converge on the same objective: the deployment of the Python-based modeloRAT. The consistency of the payload across different initial access methods demonstrates a mature, modular operation. Kongtuke is diversifying entry techniques while maintaining a stable and reliable post-exploitation framework.<\/p>\n<p>Telemetry from VirusTotal further supports that this activity could still be ongoing. Multiple compromised websites remain injected, increasing the likelihood of continued exposure. This also demonstrates the group\u2019s focus on scale, persistence, and adaptability rather than single-wave campaigns.<\/p>\n<p>Organizations can mitigate this threat by adopting a layered defensive approach:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Harden and maintain web servers.<\/b> Regularly patch and update WordPress core files, themes, and plugins to reduce the risk of site compromise. Disable unused plugins and enforce strong administrative controls.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Enhance endpoint detection and monitoring (EDR).<\/b> Configure EDR solutions to alert on suspicious command-line activity, encoded PowerShell, unusual parent-child process relationships, and anomalous outbound network connections.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Strengthen user awareness training.<\/b> Educate users that legitimate websites and security tools will never require copying and running commands to fix errors or complete CAPTCHA-style verifications.<\/span><\/li>\n<\/ul>\n<p>Because this campaign ultimately relies on human-initiated execution, combining technical controls with continuous user education is essential to effectively reduce organizational risk.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\">TrendAI&nbsp;Vision One\u2122<\/a>&nbsp;is the industry-leading AI cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection.&nbsp;<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/threat-intelligence.html\">TrendAI Vision One\u2122 Threat Intelligence Hub<\/a>&nbsp;provides&nbsp;the latest insights on emerging threats and threat actors, exclusive strategic reports from&nbsp;TrendAI\u2122 Research, and&nbsp;TrendAI&nbsp;Vision One\u2122&nbsp;Threat Intelligence Feed in the&nbsp;TrendAI&nbsp;Vision One\u2122&nbsp;platform.&nbsp;<\/p>\n<p>Emerging Threats:&nbsp;<br \/><a href=\"https:\/\/portal.xdr.trendmicro.com\/index.html#\/app\/ti\/intelligence_insights?name=KongTuke's%20ClickFix%20Abuse%20of%20Compromised%20WordPress%20Sites\" title=\"KongTuke's ClickFix Abuse of Compromised WordPress Sites\">KongTuke&#8217;s ClickFix Abuse of Compromised WordPress Sites<\/a><b><\/b><\/p>\n<p><a href=\"https:\/\/portal.xdr.trendmicro.com\/index.html#\/app\/ti\/intelligence?intrusionSet=KongTuke's%20ClickFix%20Abuse%20of%20Compromised%20WordPress%20Sites\">KongTuke&#8217;s ClickFix Abuse of Compromised WordPress Sites<\/a><b><\/b><\/p>\n<p>TrendAI&nbsp;Vision One\u2122&nbsp;customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.&nbsp;&nbsp;<\/p>\n<h2><span class=\"body-subhead-title\">Hunting Queries<\/span><\/h2>\n<p><i>malName:*MODELORAT* AND eventName:MALWARE_DETECTION AND LogType: detection<\/i><\/p>\n<p>eventSubId: 101 AND parentCmd:services.exe AND processCmd:Schedule AND objectFilePath:C:\\\\Windows\\\\System32\\\\Tasks\\\\SoftwareProtection<b><\/b><\/p>\n<p>More hunting queries are available for TrendAI Vision One\u2122 with <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/threat-intelligence.html\">Threat Intelligence Hub<\/a> entitlement enabled.&nbsp;<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/kongtuke-clickfix-abuse-of-compromised-wordpress-sites.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our analysis of an active KongTuke campaign deploying modeloRAT \u2014 malware capable of reconnaissance, command execution, and persistent access \u2014 through compromised WordPress sites and fake CAPTCHA lures shows that the group still operates this delivery chain in parallel with the newer CrashFix technique. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9577,9509],"class_list":["post-60293","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-phishing","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-10T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/clickfix-976:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites\",\"datePublished\":\"2026-03-10T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/\"},\"wordCount\":744,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/clickfix-976:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Phishing\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/\",\"name\":\"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/clickfix-976:Large?qlt=80\",\"datePublished\":\"2026-03-10T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/clickfix-976:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/clickfix-976:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/","og_locale":"en_US","og_type":"article","og_title":"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-03-10T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/clickfix-976:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites","datePublished":"2026-03-10T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/"},"wordCount":744,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/clickfix-976:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Phishing","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/","url":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/","name":"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/clickfix-976:Large?qlt=80","datePublished":"2026-03-10T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/clickfix-976:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/clickfix-976:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/through-the-lens-of-mdr-analysis-of-kongtukes-clickfix-abuse-of-compromised-wordpress-sites\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Through the Lens of MDR: Analysis of KongTuke\u2019s ClickFix Abuse of Compromised WordPress Sites"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60293"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60293\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}