Threat actors are scaling ClickFix-style “self-infection” attacks that abuse compromised legitimate websites to trick users into manually executing malicious PowerShell via the Windows Run dialog or a terminal. Reporting describes the KongTuke campaign evolving its tradecraft by retrieving next-stage instructions from DNS TXT records rather than over HTTP, reducing visibility for controls focused on web traffic and blending activity into normal DNS resolution. The objective is follow-on malware deployment and persistence, including installation of remote-access tooling such as the Interlock RAT.
Separately, researchers described a large watering-hole operation dubbed IClickFix that poisoned 3,800+ WordPress sites with a fake Cloudflare Turnstile CAPTCHA prompt that instructs visitors to copy/paste and run a “fix” command. Once executed, the staged PowerShell pulls commodity payloads including NetSupport RAT, Emmenhtal Loader, and XFiles Stealer, and uses tracking/targeting logic (e.g., an ic-tracker-js HTML tag) to manage victim flow. In contrast, a different WordPress compromise technique called “directory shadowing” was reported as an SEO-spam operation that creates physical folders matching WordPress permalinks and serves gambling content selectively to crawlers (via User-Agent checks), which is not part of the ClickFix execution chain.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
Sansec reported that a US enterprise cybersecurity vendor's homepage was compromised to serve a ClickFix clipboard-hijacker loader via injected JavaScript on a WordPress site. The campaign used two C2 domains, stromao.com and windlrr.com, both registered on 2026-04-08, and employed anti-analysis techniques including proof-of-work, fingerprinting, and automation detection.
Breakglass Intelligence reported that KongTuke is not a single malware family but a traffic distribution system and initial access broker that compromises WordPress sites and sells victim access to multiple downstream customers, including ransomware and RAT operators. The investigation linked the operation to more than 300 compromised WordPress sites, 39 TDS domains, 25+ C2 IPs, and activity continuing through 2026-03-09, while also publishing detection patterns such as HTTP downloads from port 3456.
Unit 42 disclosed that newer KongTuke variants retrieve staging instructions through DNS TXT record lookups instead of HTTP downloads, enabling a more fileless infection chain and making detection harder for defenses focused on web traffic. The initial PowerShell code performs a DNS query, parses the TXT response, and executes the returned instructions in memory.
By the time of Sekoia's reporting, the IClickFix cluster had compromised more than 3,800 WordPress sites and was assessed as potentially causing thousands of infections per day. The campaign delivered payloads including NetSupport RAT, Emmenhtal Loader, and XFiles Stealer through fake Cloudflare Turnstile CAPTCHA pages.
Unit 42 reported that the KongTuke campaign has been active since mid-2025, using fake browser errors and CAPTCHA or verification prompts on legitimate but compromised sites to socially engineer users into executing malicious PowerShell or Run commands. The infections often led to deployment of Interlock RAT or other malware.
During 2025, the IClickFix framework evolved by adding more JavaScript stages and using YOURLS as a traffic distribution system to evade detection. Researchers also observed victim tracking and filtering through an HTML tag identified as ic-tracker-js.
Sekoia researchers said the IClickFix campaign has been active since late 2024, compromising legitimate WordPress sites and using fake CAPTCHA prompts to trick visitors into running malicious commands. The activity marked an early stage of large-scale abuse of trusted websites for malware delivery.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
ctrlaltintel.com
Open sourcesansec.io
Open sourceintel.breakglass.tech
Open sourcecybersecuritynews.com
Open sourcesecurityonline.info
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.