~Trendmicro~
KongTuke abuses compromised WordPress sites with fake CAPTCHA lures to deliver modeloRAT via PowerShell.
-
IOCs: 45[.]61[.]138[.]224, 158[.]247[.]252[.]178, foodgefy[.]com
-
#KongTuke #ThreatIntel #modeloRAT
#Kongtuke
hxxps://sismebtp/.com/6d4f.js
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2026-01-23
IOCs:
hxxps://jaskolkki[.]com/7h9v[.]js
confirm[@]195[.]85[.]114[.]118:79
hxxp://195[.]85[.]114[.]118/b
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2026-01-22
IOCs:
hxxps://deeesik[.]com/5a6n[.]js
confirm[@]195[.]85[.]114[.]118:79
hxxp://195[.]85[.]114[.]118/b
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2026-01-21
IOCs:
hxxps://winnheiser[.]com/5f3s[.]js
verify[@]149[.]248[.]78[.]114:79
hxxp://149[.]248[.]78[.]114/b
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2026-01-20
IOCs:
hxxps://wilknnson[.]com/6j6s[.]js
confirm[@]45[.]61[.]138[.]224:79
hxxp://45[.]61[.]138[.]224/b
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2026-01-16
IOCs:
hxxps://oconneln[.]com/6b5f[.]js
confirm[@]199[.]217[.]98[.]108:79
hxxp://199[.]217[.]98[.]108/b
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2026-01-14
IOCs:
hxxps://bechtellr[.]com/6o9p[.]js
confirm[@]69[.]67[.]173[.]30:79
hxxp://69[.]67[.]173[.]30/b
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2026-01-13
IOCs:
hxxps://remaxbemidji[.]com/6h7s[.]js
confirm[@]144[.]31[.]221[.]197:79
hxxp://144[.]31[.]221[.]197/b
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2026-01-12
IOCs:
hxxps://leprixnet[.]com/3s5f[.]js
hxxp://144[.]31[.]221[.]132/a
hxxp://144[.]31[.]221[.]132/b
Fake "Verify You Are Human" CAPTCHA page that can appear when viewing a page from a legitimate but compromised website.
Text from KongTuke's fake CAPTCHA page injected into the viewer's clipboard, and the CAPTCHA page contains instructions to run the text as a command in the Windows Run window.
Traffic from the KongTuke activity and resulting infection filtered in Wireshark.
Reposted with correct malware names:
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver RAT
Today's ClickFix uses the "finger" command, a tactic seen in previous ClickFix activity.
Further details available at www.malware-traffic-analysis.net/2026/02/02/i...
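The posts above list their indicators in defanged form (hxxp, [.] and [@], plus a "/.com" variant) and describe a ClickFix lure that has the viewer run a finger command against the listed host on port 79. As an added example, not code from any of the posts or from malware-traffic-analysis.net, the Python below refangs such lines, classifies each as a URL, a finger target or a bare host, and then checks constructed proxy and process-creation log lines for the extracted hosts and for finger usage. The sample indicator lines and log lines inside it are constructed, and the regexes are my assumptions about the formats rather than anything the posts specify.

```python
import re
from urllib.parse import urlparse

# Constructed sample of defanged indicator lines in the style of the posts
# above (assumption: "hxxp", "[.]", "[@]" and the "/.com" variant are the only
# defanging forms that need handling).
SAMPLE_IOC_TEXT = """\
hxxps://jaskolkki[.]com/7h9v[.]js
confirm[@]195[.]85[.]114[.]118:79
hxxp://195[.]85[.]114[.]118/b
Hxxps://reberts/.com/6h3d.js
"""

# "user@host:79" is how the posts record finger-based ClickFix targets.
FINGER_RE = re.compile(r'^(?P<user>[\w-]+)@(?P<host>[\w.-]+):79$')
# Process command line invoking the finger client against a remote host.
FINGER_CMD_RE = re.compile(r'\bfinger(?:\.exe)?\s+[\w-]+@[\w.-]+', re.IGNORECASE)


def refang(token):
    """Turn one defanged indicator back into its real form."""
    t = token.strip()
    t = re.sub(r'^hxxp', 'http', t, flags=re.IGNORECASE)
    t = t.replace('[.]', '.').replace('[@]', '@')
    t = t.replace('/.com', '.com')  # "example/.com/x.js" style used in some posts
    return t


def parse_indicators(text):
    """Classify each refanged line as URL, finger target, or bare host.

    Returns {"urls": set, "finger": set, "hosts": set}; "hosts" collects every
    domain or IP seen in any form, which is what a proxy/DNS lookup needs.
    """
    out = {"urls": set(), "finger": set(), "hosts": set()}
    for line in text.splitlines():
        ioc = refang(line)
        if not ioc:
            continue
        m = FINGER_RE.match(ioc)
        if ioc.lower().startswith(("http://", "https://")):
            out["urls"].add(ioc)
            out["hosts"].add(urlparse(ioc).hostname)
        elif m:
            out["finger"].add(ioc)
            out["hosts"].add(m.group("host"))
        else:
            out["hosts"].add(ioc)
    return out


# Constructed log lines: two web-proxy records and two process-creation
# records (not real telemetry).
SAMPLE_LOGS = [
    "2026-01-23T10:00:01Z proxy src=10.0.0.5 GET https://jaskolkki.com/7h9v.js 200",
    "2026-01-23T10:00:03Z proxy src=10.0.0.5 GET https://www.example.org/ 200",
    '2026-01-23T10:00:40Z proc host=WS01 parent=explorer.exe cmd="finger confirm@195.85.114.118"',
    '2026-01-23T10:01:12Z proc host=WS02 parent=outlook.exe cmd="notepad.exe notes.txt"',
]


def match_logs(lines, indicators):
    """Return (line, reason) pairs for lines that hit a known host or show
    the finger client contacting a remote host (a behavioural check that
    does not depend on the indicator list being current)."""
    hits = []
    for line in lines:
        reasons = []
        for host in indicators["hosts"]:
            if host and host in line:
                reasons.append(f"known host {host}")
        if FINGER_CMD_RE.search(line):
            reasons.append("finger client contacting a remote host")
        if reasons:
            hits.append((line, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    ind = parse_indicators(SAMPLE_IOC_TEXT)
    for line, reason in match_logs(SAMPLE_LOGS, ind):
        print(f"{reason}: {line}")
```

The behavioural finger check is deliberately separate from the host list: the posts show the hosts rotating every day or two, while the use of the finger client from a user session is rare enough in most environments to be worth alerting on by itself.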
#kongtuke
Hxxp://jenmartini/.com/6b7n.js
#kongtuke
Hxxps://reberts/.com/6h3d.js
Hxxps://reberts/.com/js.php
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2026-01-08
IOCs:
hxxps://frttsch[.]com/2w2w[.]js
hxxp://144[.]31[.]221[.]60/a
hxxp://144[.]31[.]221[.]60/b
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2025-12-29
IOCs:
hxxps://metavrze[.]com/5h5h[.]js
hxxp://144[.]31[.]221[.]150/a
hxxp://144[.]31[.]221[.]150/b
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2025-12-23
IOCs:
hxxps://emierich[.]com/2o2o[.]js
hxxp://payload[.]bruemald[.]top
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2025-12-19
IOCs:
hxxps://csmultimedia[.]com/5k5k[.]js
hxxp://64[.]95[.]12[.]232/a
hxxp://64[.]95[.]12[.]232/b
#KongTuke hacker group cloned a #Chrome ad blocker to trick users into installing spyware which also launched DoS attacks, crashed browsers, and dropped ModeloRAT.
Read: hackread.com/clickfix-cra...
#CyberSecurity #Malware #ModeloRAT #ClickFix #CrashFix
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2025-12-18
IOCs:
hxxps://mckeczie[.]com/4h4h[.]js
gcaptcha[@]areuhuman[.]top:79
hxxp://k07hf6dakz44rdp[.]com
#kongtuke
Hxxps://remaxbemidji/.com/6h7s.js
Fake CAPTCHA window and ClickFix script after visiting legitimate, but compromised website.
Traffic from the infection filtered in Wireshark (part 1 of 2).
Traffic from the infection filtered in Wireshark (part 2 of 2).
Screenshot from the start of the page for this blog post.
2026-01-08 (Thursday): Got a full infection from #KongTuke campaign #ClickFix activity today. Traffic from the infection in two #pcap files, the associated malware, artifacts, and further information is available at www.malware-traffic-analysis.net/2026/01/08/i...
Injected KongTuke script in page from compromised website.
Fake CAPTCHA page from KongTuke domain, scrroeder[.]com.
KongTuke's "ClickFix" command injected into the viewer's clipboard.
Traffic from the activity filtered in Wireshark. I did not get the malware from this.
2026-01-05 (Monday): #KongTuke domain scrroeder[.]com generated #ClickFix script for 144.31.221[.]71, but I didn't get a malware infection when I tried it today.
#kongtuke
Hxxps://emierich/.com/2o2o.js
Screenshot of the post with the pcaps, files, and other info from the Kongtuke ClickFix activity using the finger command on 2025-12-11.
I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/i...
I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2025-12-17
IOCs:
hxxps://leprixnet[.]com/3s3s[.]js
hxxp://193[.]149[.]187[.]146/a
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2025-12-16
IOCs:
hxxps://ibuyline[.]com/2d2d[.]js
hxxp://193[.]149[.]190[.]117/a
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2025-12-15
IOCs:
hxxps://fsglobe[.]com/1e1e[.]js
hxxp://193[.]149[.]190[.]117/a
Compromised website > #KongTuke > #ClickFix:
Date Observed: 2025-12-12
IOCs:
hxxps://gozamba[.]com/2q2q[.]js
gcaptcha[@]checkhuman[.]top:79