#Kongtuke

2025-11-07

Detected #KongTuke infection chain

Compromised site
-->
virtvan[.]com/1w2w.js
-->
virtvan[.]com/js.php (ClickFix)
-->
hXXp://206[.]166.251.184:6655/on (BAT)

2025-11-06

Detected #KongTuke infection chain

Compromised site
-->
saeam[.]com/6w9h.js
-->
saeam[.]com/js.php (ClickFix)
-->
hXXp://168[.]100.11.73:6655/frt44 (BAT)

2025-11-06

Detected #KongTuke infection chain

Compromised site
-->
dolmain[.]com/5w8h.js
-->
dolmain[.]com/js.php (ClickFix)
-->
hXXp://168[.]100.11.73:6655/frt44 (BAT)

2025-11-06

Detected #KongTuke infection chain

Compromised site
-->
edentista[.]com/5g7o.js
-->
edentista[.]com/js.php (ClickFix)
-->
hXXp://168[.]100.11.73:6655/frt44 (BAT)

2025-11-05

Detected #KongTuke infection chain

Compromised site
-->
imf1[.]com/9h0y.js
-->
imf1[.]com/js.php (ClickFix)
-->
hXXp://72[.]5.43.147:7777/frt44 (BAT)

2025-11-05

Detected #KongTuke infection chain

Compromised site
-->
imf1[.]com/9h0y.js
-->
imf1[.]com/js.php (ClickFix)
-->
hXXp://72[.]5.43.147:7777/frt44 (BAT)
-->
hXXp://72[.]5.43.147:7777/2nd (Powershell)

553b1172f2586c3d4751d7ff411cc6f59551fe9eca471306e171c9985a94f29e frt44

2025-11-04

Detected #KongTuke infection chain

Compromised site
-->
graffetti[.]com/7h5f.js
-->
graffetti[.]com/js.php (ClickFix)
-->
hXXp://72[.]5.43.147:7777/codebase5533 (BAT)

2025-11-04

Detected #KongTuke infection chain

Compromised site
-->
graffetti[.]com/7h5f.js
-->
graffetti[.]com/js.php (ClickFix)
-->
hXXp://72[.]5.43.147:7777/codebase5533 (BAT)
-->
hXXp://72[.]5.43.147:7777/test6633 (Powershell)

92fea18ddd79fd92aa50d8d240f8f86729692f80df490ec4bf46652fd3051755 codebase5533

2025-11-03

Detected #KongTuke infection chain

Compromised site
-->
graffetti[.]com/6s9s.js
-->
graffetti[.]com/js.php (ClickFix)
-->
hXXp://72[.]5.43.147:7777/codebase5533 (BAT)
-->
hXXp://72[.]5.43.147:7777/test6633 (Powershell)

d1ec03ee9e5e8abb91612d33e0658969ccca25b5e068a16cb1f2fe9b21801277 codebase5533

2025-10-31

Detected #KongTuke infection chain

Compromised site
-->
guiasexo[.]com/4r6h.js
-->
guiasexo[.]com/js.php (ClickFix)
-->
hXXp://162[.]252.198.162:7777/codebase5533 (BAT)
-->
hXXp://162[.]252.198.162:7777/test6633 (Powershell)

07295b78c83edcd3fa3706543e5d7347c5571bfb7f096f5e43f43dd28a0ec2d5 codebase5533

2025-10-29

Detected #KongTuke infection chain

Compromised site
-->
varorg[.]com/5f3e.js
-->
varorg[.]com/js.php (ClickFix)
-->
hXXp://162[.]252.198.162:7777/codebase5533 (BAT)
-->
hXXp://162[.]252.198.162:7777/test6633 (Powershell)

07295b78c83edcd3fa3706543e5d7347c5571bfb7f096f5e43f43dd28a0ec2d5 codebase5533

2025-10-28

Detected #KongTuke infection chain

Compromised site
-->
rodriggez[.]com/5h7h.js
-->
rodriggez[.]com/js.php (ClickFix)
-->
hXXp://162[.]252.198.162:7777/codebase5533 (BAT)
-->
hXXp://162[.]252.198.162:7777/test6633 (Powershell)

44f9ac0daabee65815ed6ee089282c49aa338bcb9f63b0923191da84af0ab691 codebase5533

2025-10-28

Detected #KongTuke infection chain

Compromised site
-->
rodriggez[.]com/5h7h.js
-->
rodriggez[.]com/js.php (ClickFix)
-->
hXXp://162[.]252.198.162:7777/codebase5533 (BAT)

2025-10-28

Detected #KongTuke infection chain

Compromised site
-->
hlherb[.]com/6h8d.js
-->
hlherb[.]com/js.php (ClickFix)
-->
hXXp://162[.]252.198.162:7777/codebase5533 (BAT)

2025-10-27

Detected #KongTuke infection chain

Compromised site
-->
sessomania[.]com/7y5g.js
-->
sessomania[.]com/js.php (ClickFix)
-->
hXXp://162[.]252.198.162:7777/codebase5533 (BAT)

2025-10-27

Detected #KongTuke infection chain

Compromised site
-->
sessomania[.]com/7y5g.js
-->
sessomania[.]com/js.php (ClickFix)
-->
hXXp://144[.]31.221.146:7777/codebase5533 (BAT)

2025-10-16

Detected #KongTuke infection chain

Compromised site
-->
pcdcinc[.]com/6n7n.js
-->
pcdcinc[.]com/js.php (ClickFix)
-->
hXXp://144[.]31.221.84:5555/code777 (BAT)

2025-10-14

Detected #KongTuke infection chain

Compromised site
-->
prixmatech[.]com/5r7h.js
-->
prixmatech[.]com/js.php (ClickFix)
-->
hXXp://144[.]31.221.84:5555/code777 (BAT)

2025-10-09

Detected #KongTuke infection chain

Compromised site
-->
mlampell[.]com/5f8p.js
-->
mlampell[.]com/js.php (ClickFix)
-->
hXXp://144[.]31.221.133:5555/code777 (BAT)

2025-10-08 (Wednesday): #Kongtuke campaign fake CAPTCHA page with #ClickFix instructions.

I got a full infection chain this time!

During this infection I saw a 205MB zip download, which makes the #pcap take a while to load in Wireshark.

Some IOCs with the associated #malware and artifacts are available at malware-traffic-analysis.net/2

Image captions from the post:
[image] Traffic from the infection filtered in Wireshark.
[image] Page from a compromised site with injected Kongtuke script.
[image] Fake CAPTCHA page, courtesy of the Kongtuke campaign.
[image] Following instructions from the Kongtuke campaign's fake CAPTCHA page.

Server: https://mastodon.social