
TF-1833630 high

📛 Threat Title

KongTuke: URL that delivers a malware payload https://henriqueq.xyz/api/v1/status

Category: KongTuke
Published:
Source updated:
First seen:
Last updated:
Source: Threatfox IOCs/Threats

Description

Indicator that identifies a malware distribution server (payload delivery). IOC type: URL that delivers a malware payload. Attributed malware: KongTuke (aliases: TAG-124,js.LandUpdate808). Confidence: 100. First seen: 2026-06-18 07:22:22 UTC. Last seen: 2026-06-18 02:09:43 UTC. Reporter: monitorsg. Tags: Kongtuke.

Remediations (10)

  • web:aviatrix.ai

    In November 2025, KongTuke used fake CAPTCHA lures and PowerShell to deploy persistent Python-based malware through compromised sites, evading detection.

  • web:community.gurucul.com

    The attack chain begins with a malicious script injected into legitimate but compromised websites. This script redirects users to a fake CAPTCHA page designed to mimic a "verify you are human" check. The deceptive CAPTCHA page performs clipboard hijacking—also known as pastejacking—by injecting malicious code into the user's clipboard.

  • web:cybersecuritynews.com

    A sophisticated new cyberattack chain dubbed "KongTuke" has been uncovered by cybersecurity researchers, targeting unsuspecting internet users through compromised legitimate websites. Detailed in a report by Bradley Duncan of Palo Alto Networks' Unit 42 team, this attack leverages malicious scripts and fake CAPTCHA pages to hijack victims' clipboards and potentially install ...

  • web:cybersecuritynews.com

    A sophisticated malware campaign leveraging the KongTuke threat cluster has emerged, targeting Windows users through a novel FileFix technique that deploys an advanced PHP-based variant of the Interlock remote access trojan (RAT). This represents a significant evolution from previous JavaScript-based implementations, demonstrating increased operational sophistication and resilience. Since May ...

  • web:github.com

    - This attack chain starts with a malicious line of script injected into legitimate but compromised websites.
    - The injected script leads to a fake "verify you are human" page (CAPTCHA).
    - The fake CAPTCHA page injects script into a potential victim's clipboard.
    - This process is sometimes called ...

  • web:redcanary.com

    Because KongTuke uses multiple lures and delivers a variety of payloads, these behaviors may appear in different ways, depending on the payload. Attribution to KongTuke can be made via OSINT reporting of compromised domains or by pivoting to analyze the JavaScript references on compromised sites, for example <script async="" src ...

  • web:reliaquest.com

    Threat actors are impersonating help-desk staff over external Microsoft Teams chats to trick victims into deploying "ModeloRAT" on their own machines. ReliaQuest attributes the activity to financially motivated initial access broker (IAB) "KongTuke" based on reuse of the group's custom Python loader. Previously, KongTuke has compromised WordPress sites to host "ClickFix" and "CrashFix" lures ...

  • web:thedfirreport.com

    The DFIR Report researchers have recently seen this same KongTuke web-inject transitioning to a FileFix variant. This updated delivery mechanism has been observed deploying the PHP variant of the Interlock RAT, which in certain cases has then led to the deployment of the Node.js variant of the Interlock RAT.

  • web:www.huntress.com

    Fake ad blocker crashes your browser, then offers a "fix." Go inside KongTuke's CrashFix campaign, from malicious extension to ModeloRAT for VIP targets.

  • web:www.trendmicro.com

    Our analysis of an active KongTuke campaign deploying modeloRAT — malware capable of reconnaissance, command execution, and persistent access — through compromised WordPress sites and fake CAPTCHA lures shows that the group still operates this delivery chain in parallel with the newer CrashFix technique.

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal.

url https://henriqueq.xyz/api/v1/status

IOC database

Type: url
Value: https://henriqueq.xyz/api/v1/status
First seen:
Last seen:
Attached to this threat
Appears in: 1 threat
Description: URL that delivers a malware payload attributed to KongTuke


Threat Hunt — feed corroboration

Not present in any configured threat-intel feed.

Details From VirusTotal

No VirusTotal details cached for this IOC.

References (3)

  • External reference Threatfox IOCs/Threats
  • Malpedia profile Threatfox IOCs/Threats
  • ThreatFox IOC page Threatfox IOCs/Threats

    Indicator that identifies a malware distribution server (payload delivery). IOC type: URL that delivers a malware payload. Attributed malware: KongTuke (aliases: TAG-124,js.LandUpdate808). Confidence: 100. First seen: 2026-06-18 00:11:08 UTC. Last seen: 2026-06-18 01:09:27 UTC. Reporter: monitorsg. Tags: Kongtuke.
