Date: 04/10/2025
Severity: High
Summary
The attack chain begins with a malicious script injected into legitimate but compromised websites. This script redirects users to a fake CAPTCHA page designed to mimic a "verify you are human" check. The deceptive CAPTCHA page performs clipboard hijacking—also known as pastejacking—by injecting malicious code into the user's clipboard. This campaign, tracked as #KongTuke by sources like @monitorsg on Mastodon and ThreatFox, shows post-infection traffic patterns resembling Async RAT. However, the final payload remains unidentified, and no sample is currently available.
Indicators of Compromise (IOC) List
Domains \ URLs:
  https://lancasternh.com/6t7y.js
  https://lancasternh.com/js.php?device=windows&ip=[base64 text]&refferer=[base64 text]&browser=[base64 text]&ua=[base64 text]&domain=[base64 text]&loc=[base64 text]&is_ajax=1
  ecduutcykpvkbim.top
  bfidmcjejlilflg.top
  8qvihxy8x5nyixj.top
  api.ipify.org
IP Address:
  138.199.156.22
  185.250.151.155
  173.232.146.62
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains \ URLs:
  domainname like "8qvihxy8x5nyixj.top" or url like "8qvihxy8x5nyixj.top" or siteurl like "8qvihxy8x5nyixj.top"
  or domainname like "https://lancasternh.com/6t7y.js" or url like "https://lancasternh.com/6t7y.js" or siteurl like "https://lancasternh.com/6t7y.js"
  or domainname like "api.ipify.org" or url like "api.ipify.org" or siteurl like "api.ipify.org"
  or domainname like "bfidmcjejlilflg.top" or url like "bfidmcjejlilflg.top" or siteurl like "bfidmcjejlilflg.top"
  or domainname like "https://lancasternh.com/js.php?device=windows&ip=[base64 text]&refferer=[base64 text]&browser=[base64 text]&ua=[base64 text]&domain=[base64 text]&loc=[base64 text]&is_ajax=1" or url like "https://lancasternh.com/js.php?device=windows&ip=[base64 text]&refferer=[base64 text]&browser=[base64 text]&ua=[base64 text]&domain=[base64 text]&loc=[base64 text]&is_ajax=1" or siteurl like "https://lancasternh.com/js.php?device=windows&ip=[base64 text]&refferer=[base64 text]&browser=[base64 text]&ua=[base64 text]&domain=[base64 text]&loc=[base64 text]&is_ajax=1"
  or domainname like "ecduutcykpvkbim.top" or url like "ecduutcykpvkbim.top" or siteurl like "ecduutcykpvkbim.top"
IP Address:
  dstipaddress IN ("173.232.146.62","138.199.156.22","185.250.151.155")
  or srcipaddress IN ("173.232.146.62","138.199.156.22","185.250.151.155")
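As an added example (not part of this advisory or of Gurucul's TDIR), the same IOCs applied to constructed proxy-log lines in Python, matching the js.php beacon on its fixed host, path and device=windows key rather than on the literal "[base64 text]" placeholders, which a plain string match would never hit. The log layout, the "kongtuke-*" labels, and treating any request to lancasternh.com as an indicator are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

IOC_DOMAINS = {"lancasternh.com", "ecduutcykpvkbim.top", "bfidmcjejlilflg.top", "8qvihxy8x5nyixj.top"}
# api.ipify.org is a shared public IP-lookup service: a weak signal on its own, so it gets its own label.
WEAK_DOMAINS = {"api.ipify.org"}
IOC_IPS = {"138.199.156.22", "185.250.151.155", "173.232.146.62"}

def classify_url(url):
    """Map a requested URL to an IOC label from the advisory, or None if it matches nothing."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == "lancasternh.com":
        if p.path == "/6t7y.js":
            return "kongtuke-inject-script"
        # The advisory's "[base64 text]" query values are placeholders, so match host, path and device=windows.
        if p.path == "/js.php" and parse_qs(p.query).get("device") == ["windows"]:
            return "kongtuke-inject-beacon"
    if host in IOC_DOMAINS:
        return "kongtuke-domain"
    if host in WEAK_DOMAINS:
        return "kongtuke-domain-low-confidence"
    return None

# Constructed proxy-log layout (assumption): "<timestamp> <src_ip> <dst_ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)")

def scan_proxy_log(lines):
    """Return (timestamp, source IP, label, url) for every line that hits an advisory IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        label = classify_url(m["url"])
        if label is None and m["dst"] in IOC_IPS:
            label = "kongtuke-ip"  # destination is on the advisory's IP list
        if label:
            hits.append((m["ts"], m["src"], label, m["url"]))
    return hits

# Constructed sample lines (not captured traffic); 10.0.0.5 plays the infected host.
SAMPLE_LOG = [
    "2025-04-04T10:01:02Z 10.0.0.5 203.0.113.10 GET https://lancasternh.com/6t7y.js",
    "2025-04-04T10:01:03Z 10.0.0.5 203.0.113.10 GET https://lancasternh.com/js.php?device=windows&ip=MTAuMC4wLjU=&is_ajax=1",
    "2025-04-04T10:01:09Z 10.0.0.5 185.250.151.155 POST https://ecduutcykpvkbim.top/",
    "2025-04-04T10:02:00Z 10.0.0.7 93.184.216.34 GET https://example.com/index.html",
    "2025-04-04T10:02:30Z 10.0.0.7 138.199.156.22 GET http://138.199.156.22/",
]
```

Calling scan_proxy_log(SAMPLE_LOG) flags the first three lines for 10.0.0.5 and the direct-to-IP request from 10.0.0.7, and leaves the example.com request alone.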
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt