Skip to content
Malware family Windows

Kongtuke

KongTuke is a malicious traffic distribution system active since at least 2024 that compromises legitimate WordPress sites and injects JavaScript to redirect visitors into malware delivery chains.

Profile source: Mallory opens in a new tab

Kongtuke

Family profile

KongTuke is a malicious traffic distribution system active since at least 2024 that compromises legitimate WordPress sites and injects JavaScript to redirect visitors into malware delivery chains. It is also tracked under aliases including 404 TDS, Chaya_002, LandUpdate808, TAG-124, and js.kongtuke. Rather than being a single end-stage payload, KongTuke functions as an intermediary delivery framework that profiles victims, routes traffic, and presents social-engineering lures that lead users to execute attacker-supplied commands or retrieve additional malware.

Observed KongTuke activity heavily relies on ClickFix and related paste-and-run techniques, including fake CAPTCHA and FileFix variants. Victims visiting compromised websites are shown verification-style prompts that covertly place commands in the clipboard and instruct the user to paste and run them through Windows interfaces. KongTuke has also been observed using injected scripts on compromised sites to stage multi-step delivery flows involving tokening, gateway logic, clipboard manipulation, and subsequent payload download.

The infrastructure and delivery logic are designed for resilience and evasion. In one documented variant, the malicious JavaScript retrieved command-and-control configuration dynamically from a Polygon blockchain smart contract instead of hardcoding infrastructure, enabling rapid backend rotation and complicating static detection. KongTuke has been associated with fake Cloudflare-style verification pages and other browser-verification lures intended to make the interaction appear legitimate.

KongTuke has been linked to delivery of multiple downstream malware families, including MintsLoader, WARMCOOKIE, D3F@ck Loader, Mocha Manakin, Node.js backdoors, remote-access tooling, and ransomware such as Rhysida and Interlock. Reported follow-on payload behavior has included host profiling, remote access, tunneling through SOCKS5 proxies, scheduled-task persistence, and staged archive delivery. KongTuke delivery chains have also overlapped with activity involving GREYVIBE, and some reporting attributes the broader TDS activity to clusters tracked as TAG-124.

The malware primarily targets Windows users through browser-based social engineering delivered from compromised WordPress sites. Its role in the intrusion lifecycle is initial access and payload delivery, with strong emphasis on defense evasion through dynamic infrastructure, compromised legitimate websites, and user-assisted execution.

Capabilities

  • Defense Evasion
  • Initial Access
  • Reconnaissance

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 14, 2026
Last activity
Jul 14, 2026
Feed role
C2
Host form
1 IP / 0 hostnames

Leading locations

  • US1

Leading providers

  • BL Networks1

Infrastructure traits

  • Hosting 1

MITRE ATT&CK

Kongtuke in ATT&CK

5 distinct techniques

Reporting

Research mentioning Kongtuke

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

KONGTUKE6

May 29
The Hacker News

New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

...and a KongTuke delivery chain between late February and late March 2026 that used ClickFix to distribute the malware.

Apr 21
Infosec

Monitor SG: "Detected #KongTuke infection c…" - Infosec Exchange

Detected #KongTuke infection chain Compromised site --> nitzschi[.]com/file.js (ClickFucker) --> nitzschi[.]com/t (token) --> nitzschi[.]com/g (gateway) --> nitzschi[.]com/c (clipboard) --> 49xb5hoiqsr[.]com/dl/agent.bat (cmd) --> 49xb5hoiqsr[.]com/dl/update.zip (cmd)

Feb 12
Red Canary Threat Report

Malicious Copy and Paste | Red Canary Threat Detection Report

Over the last year, Red Canary has detected adversaries leveraging this technique to deliver a wide range of threats, including but not limited to: ... KongTuke ... KongTuke, a traffic distribution system (TDS) that leverages compromised WordPress sites ... used both the fakeCAPTCHA and the FileFix version of paste and run in 2025.

Nov 20
Red Canary

Intelligence Insights: October 2025

KongTuke is a traffic distribution system, first observed in 2024, that uses compromised WordPress sites to deploy malicious code that may lead to malware families such as Rhysida and Interlock ransomware, D3F@ck Loader, Mocha Manakin, Mintsloader, and WARMCOOKIE.

Oct 8
The Hacker News

Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks

"...the domain 'porsasystem[.]com' has been flagged as part of a traffic distribution system (TDS) called Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124)."

Oct 8
Malware Traffic Analysis

2025-10-08 (WEDNESDAY): INFECTION FROM KONGTUKE CAMPAIGN'S CLICKFIX PAGE

HTML of page from compromised site showing the injected Kongtuke script. Fake CAPTCHA page from traffic generated by the injected Kongtuke script. Following instructions from the Kongtuke campaign's fake CAPTCHA page.

May 5
Threatfox Abuse Ch

ThreatFox | KongTuke

Database Entry Malware: KongTuke Malware alias: TAG-124, js.LandUpdate808 First seen: 2025-05-05 15:47:05 UTC Last seen: 2026-05-21 04:59:53 UTC Number of IOCs: 949

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.