Malware-Traffic-Analysis.net - 2025-12-11: Kongtuke ClickFix activity uses finger command

2025-12-11 (THURSDAY): KONGTUKE CLICKFIX ACTIVITY USES FINGER COMMAND

ASSOCIATED FILES:

2025-12-11-network-IOCs-for-Kongtuke-ClickFix-activity.txt.zip 1.1 kB (1,118 bytes)
2025-12-11-HTTPS-traffic-for-KongTuke-ClickFix-page.zip 62.7 kB (62,664 bytes)
2025-12-11-Kongtuke-ClickFix-activity-part-1-finding-ClickFix-page-and-running-ClickFix-script-on-a-VM.pcap.zip 2.6 MB (2,637,332 bytes)
2025-12-11-Kongtuke-ClickFix-activity-part-2-running-ClickFix-script-on-a-physical-host.pcap.zip 221.7 MB (221,668,825 bytes)
2025-12-11-files-from-Kongtuke-ClickFix-activity.zip 221.7 MB (221,745,417 bytes)

NOTES:

I got a full infection when I ran the ClickFix script on a physical host. It didn't work on the VM.
This is activity I originally recorded for a SANS ISC diary I wrote at https://isc.sans.edu/diary/ClickFix+Attacks+Still+Using+the+Finger/32566/

Click here to return to the main page.