GhostWeaver is a fileless PowerShell RAT using GZip-compressed JSON over TLS1.0 on port 25658, linked to TA582/TAG-124. Four DGAs, CMSTPLUA UAC bypass and PEB masquerade observed. Active C2s documented. #GhostWeaver #TA582 #Pantera https://bit.ly/4unsp5A
Fake "Verify You Are Human" CAPTCHA page that can appear when viewing a page from a legitimate but compromised website.
Text from KongTuke's fake CAPTCHA page injected into the viewer's clipboard, and the CAPTCHA page contains instructions to run the text as a command in the Windows Run window.
Traffic from the KongTuke activity and resulting infection filtered in Wireshark.
Reposted with correct malware names:
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver RAT
Today's ClickFix uses the "finger" command, a tactic seen in previous ClickFix activity.
Further details available at www.malware-traffic-analysis.net/2026/02/02/i...