Last seven days
- First activity
- Jul 14, 2026
- Last activity
- Jul 14, 2026
- Feed role
- C2
- Host form
- 1 IP / 0 hostnames
KongTuke is a malicious traffic distribution system active since at least 2024 that compromises legitimate WordPress sites and injects JavaScript to redirect visitors into malware delivery chains.
Profile source: Mallory opens in a new tabKongtuke
KongTuke is a malicious traffic distribution system active since at least 2024 that compromises legitimate WordPress sites and injects JavaScript to redirect visitors into malware delivery chains. It is also tracked under aliases including 404 TDS, Chaya_002, LandUpdate808, TAG-124, and js.kongtuke. Rather than being a single end-stage payload, KongTuke functions as an intermediary delivery framework that profiles victims, routes traffic, and presents social-engineering lures that lead users to execute attacker-supplied commands or retrieve additional malware.
Observed KongTuke activity heavily relies on ClickFix and related paste-and-run techniques, including fake CAPTCHA and FileFix variants. Victims visiting compromised websites are shown verification-style prompts that covertly place commands in the clipboard and instruct the user to paste and run them through Windows interfaces. KongTuke has also been observed using injected scripts on compromised sites to stage multi-step delivery flows involving tokening, gateway logic, clipboard manipulation, and subsequent payload download.
The infrastructure and delivery logic are designed for resilience and evasion. In one documented variant, the malicious JavaScript retrieved command-and-control configuration dynamically from a Polygon blockchain smart contract instead of hardcoding infrastructure, enabling rapid backend rotation and complicating static detection. KongTuke has been associated with fake Cloudflare-style verification pages and other browser-verification lures intended to make the interaction appear legitimate.
KongTuke has been linked to delivery of multiple downstream malware families, including MintsLoader, WARMCOOKIE, D3F@ck Loader, Mocha Manakin, Node.js backdoors, remote-access tooling, and ransomware such as Rhysida and Interlock. Reported follow-on payload behavior has included host profiling, remote access, tunneling through SOCKS5 proxies, scheduled-task persistence, and staged archive delivery. KongTuke delivery chains have also overlapped with activity involving GREYVIBE, and some reporting attributes the broader TDS activity to clusters tracked as TAG-124.
The malware primarily targets Windows users through browser-based social engineering delivered from compromised WordPress sites. Its role in the intrusion lifecycle is initial access and payload delivery, with strong emphasis on defense evasion through dynamic infrastructure, compromised legitimate websites, and user-assisted execution.
C2 tracking
Derp observations, rolling seven-day window
MITRE ATT&CK
Reporting
KONGTUKE6
...and a KongTuke delivery chain between late February and late March 2026 that used ClickFix to distribute the malware.
Detected #KongTuke infection chain Compromised site --> nitzschi[.]com/file.js (ClickFucker) --> nitzschi[.]com/t (token) --> nitzschi[.]com/g (gateway) --> nitzschi[.]com/c (clipboard) --> 49xb5hoiqsr[.]com/dl/agent.bat (cmd) --> 49xb5hoiqsr[.]com/dl/update.zip (cmd)
Over the last year, Red Canary has detected adversaries leveraging this technique to deliver a wide range of threats, including but not limited to: ... KongTuke ... KongTuke, a traffic distribution system (TDS) that leverages compromised WordPress sites ... used both the fakeCAPTCHA and the FileFix version of paste and run in 2025.
KongTuke is a traffic distribution system, first observed in 2024, that uses compromised WordPress sites to deploy malicious code that may lead to malware families such as Rhysida and Interlock ransomware, D3F@ck Loader, Mocha Manakin, Mintsloader, and WARMCOOKIE.
"...the domain 'porsasystem[.]com' has been flagged as part of a traffic distribution system (TDS) called Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124)."
HTML of page from compromised site showing the injected Kongtuke script. Fake CAPTCHA page from traffic generated by the injected Kongtuke script. Following instructions from the Kongtuke campaign's fake CAPTCHA page.
Database Entry Malware: KongTuke Malware alias: TAG-124, js.LandUpdate808 First seen: 2025-05-05 15:47:05 UTC Last seen: 2026-05-21 04:59:53 UTC Number of IOCs: 949
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.