2025-09-03 (WEDNESDAY): KONGTUKE CAPTCHA PAGE --> CLICKFIX SCRIPT --> LUMMA STEALER
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
ASSOCIATED FILES:
- 2025-09-03-IOCS-for-Kongtuke-ClickFix-leading-to-Lumma-Stealer.txt.zip 1.1 kB (1,061 bytes)
- 2025-09-03-Kongtuke-ClickFix-leading-to-Lumma-Stealer.pcap.zip 31.3 MB (31,256,105 bytes)
- 2025-09-03-Kongtuke-and-Lumma-Stealer-files.zip 30.0 MB (26,976,030 bytes)
IMAGES
Shown above: Kongtuke style injected script in page from compromised website.
Shown above: Kongtuke CAPTCHA page and example of ClickFix style script injected into victim's clipboard.
Shown above: Location of downloaded zip archive for Lumma Stealer and the extracted files from an infection.
Shown above: Traffic from an infection filtered in Wireshark.