#ModeloRAT — Search

No JavaScript? That's cool, but you'll need to disable Turbo mode as it uses JavaScript in the client.

low detection games. py bcb29a2360358f3facb63b498d566c8b2e789927 #ModeloRAT C2 hardcoded "138.68.15.116", "67.217.228.8", "45.59.114.38"

Cybersecurity News Everyday @TweetThreatNews · Mar 13

KongTuke exploits compromised WordPress sites with fake CAPTCHA lures to deploy Python-based modeloRAT, enabling reconnaissance, remote commands, and persistent access using PowerShell and Telegram. #KongTuke #modeloRAT #WordPressAbuse ift.tt/acWbkL7

Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites

TrendAI Vision One™ MDR observed an active KongTuke campaign using compromised WordPress sites and fake CAPTCHA/CrashFix lures to deliver the Python-based modeloRAT, which performs reconnaissance,...

From hendryadrian.com

Meridian Group @MeridianEU · Feb 18

#clickfix campaign shifts to DNS-based payload delivery, instructing victims to run nslookup against attacker-controlled servers. DNS responses embed PowerShell to fetch ZIP payloads, leading to #ModeloRAT deployment and persistent remote access.

Cybersecurity News Everyday @TweetThreatNews · Feb 15

Microsoft reveals a ClickFix attack manipulating users to run nslookup via Run dialog and cmd.exe for DNS-based malware staging, deploying payloads like ModeloRAT, CastleLoader, and Lumma Stealer. #ClickFixAttack #DNSStaging #ModeloRAT ift.tt/tmRr6ap

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Microsoft disclosed a new ClickFix variant that tricks users into running nslookup via the Windows Run dialog and cmd.exe to perform DNS-based staging and fetch a second-stage payload. The chain...

From hendryadrian.com

177

Threat Intelligence @threatintel · Jan 23

#ThreatProtection #ModeloRAT malware deployments attributed to the #KongTuke threat actor, read more about Symantec's protection: broadcom.com/support/securi…

1.6K

omvapt @omvapt · Jan 20

#CrashFix #Chrome_Extension Delivers #ModeloRAT Using #ClickFix-Style #Browser_Crash Lures ift.tt/zDYjP8s

Cybersecurity News Everyday @TweetThreatNews · Jan 20

KongTuke’s NexShield Chrome extension mimics uBlock Origin Lite but replaces telemetry with attacker control, deploying a multi-stage infection including ModeloRAT and GateKeeper payloads using obfuscated PowerShell and LOLBins. #KongTuke #ModeloRAT ift.tt/aJy6KIE

159

Cybersecurity News Everyday @TweetThreatNews · Jan 20

The NexShield fake ad blocker triggers browser crashes via a ‘CrashFix’ attack to deploy ModeloRAT malware, enabling system control and persistence. Linked to threat actor KongTuke targeting enterprises. #ModeloRAT #BrowserAttack #KongTuke ift.tt/LW9wzXR

134

ReconBee @ReconBee · Jan 19

CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures reconbee.com/crashfix-chrom… #crashFix #chromeextension #ModeloRAT #clickfixstyle #browser #lures