2025-10-08 (WEDNESDAY): INFECTION FROM KONGTUKE CAMPAIGN'S CLICKFIX PAGE
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
ASSOCIATED FILES:
- 2025-10-08-IOCs-for-Kongtuke-activity.txt.zip 2.2 kB (2,205 bytes)
- 2025-10-08-browser-cache-files.zip 80.6 kB (80,642 bytes)
- 2025-10-08-initial-infection-traffic-from-Kongtuke-ClickFix-page.pcap.zip 246.5 MB (256,480,955 bytes)
- 2025-10-08-traffic-after-rebooting-host.pcap.zip 35.4 MB (35,364,980 bytes)
- 2025-10-08-files-exported-from-first-pcap.zip 205.6 MB (205,609,176 bytes)
- 2025-10-08-files-found-under-AppData-directory.zip 222.3 MB (222,303,224 bytes)
- 2025-10-08-scheduled-tasks.zip 4.7 kB (4,680 bytes)
IMAGES:
- Image: Traffic from the infection filtered in Wireshark.
- Image: HTML of page from compromised site showing the injected Kongtuke script.
- Image: Fake CAPTCHA page from traffic generated by the injected Kongtuke script.
- Image: Following instructions from the Kongtuke campaign's fake CAPTCHA page.