Introduction<\/strong><\/em><\/p>\n Today’s diary is an example of KongTuke activity using fake CAPTCHA pages for a ClickFix<\/a>-style lure.<\/p>\n Also known as LandUpdate808 or TAG-124 and described as a sophisticated TDS system<\/a>, KongTuke has been active since at least May 2024.\u00a0 I keep track of this campaign through the infosec.exchange<\/a> Mastodon instance, which is mostly information from the @monitorsg<\/a> profile.<\/p>\n With URLscan<\/a>, I can pivot on the information from Mastodon to find compromised sites and generate infection traffic in my lab.<\/p>\n On Monday, 2025-11-17, I found an example of a legitimate website with a KongTuke-injected script, and I generated some infection traffic.<\/p>\n Details<\/strong><\/em><\/p>\n The image below shows an example of the fake CAPTCHA page and ClickFix style instructions.<\/p>\n The CAPTCHA page hijacks the clipboard, injecting text for a malicious command to download and run PowerShell script. Potential victims would read the instructions and paste this command into Run window.<\/p>\n I tried this on a vulnerable Windows client in an Active Directory (AD) environment, and it ran PowerShell script that retrieved a zip archive containing a malicious Python script, as well as the Windows Python environment to run it.<\/p>\n The malicious Python script generated HTTPS traffic to telegra[.]ph<\/span>, but I was unable to determine the URL or content of the traffic.<\/p>\n Post-Infection Forensics<\/strong><\/em><\/p>\n The malicious Python package was saved to the Windows client under the user account’s AppDataRoaming<\/span> directory under a folder named DATA<\/span>. A scheduled task kept the infection persistent.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-18-ISC-diary-image-01.png?ssl=1\")
<\/a>
\nShown above: Fake CAPTCHA page from a legitimate site with KongTuke-injected script, with the ClickFix style instructions and malicious command.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-18-ISC-diary-image-02.png?ssl=1\")
<\/a>
\nShown above: Traffic from the infection, filtered in Wireshark.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-18-ISC-diary-image-03.png?ssl=1\")
<\/a>
\nShown above: Initial PowerShell script retrieved by the ClickFix command that was pasted into the Run window.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-18-ISC-diary-image-04.png?ssl=1\")
<\/a>
\nShown above: Final HTTP request from the initial infection traffic returned a zip archive containing a Python environment and a malicious Python script.<\/em><\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-11-18-ISC-diary-image-05.png?ssl=1\")
<\/a>