
CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures

Severity: Medium
Tags: Malware, remote, web
Published: Mon Jan 19 2026 (01/19/2026, 09:09:00 UTC)
Source: The Hacker News

Description

The KongTuke campaign uses a malicious Chrome extension called CrashFix, masquerading as an ad blocker, to deliberately crash browsers and trick users into executing commands that lead to the installation of ModeloRAT, a Python-based remote access trojan. The extension mimics a legitimate ad blocker and uses social engineering to display fake security warnings prompting users to run harmful commands. Once installed, it performs denial-of-service attacks on the browser, repeatedly crashing it and prompting users to interact with the fake alerts, creating a persistent infection loop. The RAT targets domain-joined corporate machines, enabling attackers to execute arbitrary code, maintain persistence, and communicate stealthily with command-and-control servers. The campaign leverages advanced anti-analysis techniques and multi-layered obfuscation to evade detection. European organizations are at risk due to widespread Chrome usage and corporate reliance on domain-joined Windows environments. Mitigations include strict extension controls, user education on social engineering, endpoint detection tuned for RAT behaviors, and network monitoring for suspicious C2 traffic. Countries with large corporate sectors and high Chrome adoption, such as Germany, France, and the UK, are most likely affected. Given the ease of exploitation via social engineering, the broad impact on confidentiality and availability, and the persistence of the RAT, the threat severity is assessed as high.

AI-Powered Analysis

Last updated: 01/19/2026, 19:43:34 UTC

Technical Analysis

The KongTuke campaign, also tracked under various aliases such as 404 TDS and TAG-124, employs a malicious Google Chrome extension named CrashFix, which impersonates a legitimate ad blocker (a near-identical clone of uBlock Origin Lite). This extension was distributed via the official Chrome Web Store and downloaded over 5,000 times before removal. CrashFix deliberately crashes the browser by executing a denial-of-service attack through an infinite loop that exhausts system resources, causing the browser to become unresponsive. It then displays fake security warnings prompting users to run a Windows Run dialog command, which triggers further malicious activity. The extension transmits a unique identifier to a command-and-control server, enabling victim tracking. After a delay of 60 minutes post-installation, the malicious payload activates every 10 minutes, creating a persistent infection loop that re-triggers upon browser restart. Anti-analysis measures disable right-click and developer tools to hinder investigation.

The attack chain uses the legitimate Windows utility finger.exe to fetch a PowerShell payload from attacker-controlled servers. This payload employs multiple layers of Base64 encoding and XOR obfuscation and performs environment checks to evade sandbox and virtual machine analysis. It also determines if the host is domain-joined or standalone and reports installed antivirus products.

For domain-joined machines, the campaign deploys ModeloRAT, a Python-based RAT that uses RC4 encryption for C2 communications, establishes persistence via Windows Registry, and supports execution of binaries, DLLs, scripts, and PowerShell commands. ModeloRAT features adaptive beaconing intervals to avoid detection and can self-update or terminate on command. Standalone machines receive a test payload, indicating ongoing development.

The campaign targets corporate environments to facilitate deeper access and potentially hand off compromised hosts to ransomware groups such as Rhysida and Interlock. The social engineering tactic exploits user frustration with browser crashes to induce execution of arbitrary commands, making it a sophisticated escalation of the earlier ClickFix technique.

Potential Impact

European organizations face significant risks from this campaign due to the widespread use of Google Chrome and Windows domain-joined environments in corporate networks. The installation of ModeloRAT on domain-joined machines compromises confidentiality by enabling attackers to exfiltrate sensitive data and execute arbitrary commands, potentially leading to lateral movement and further network compromise. The persistent denial-of-service attack on browsers disrupts availability and productivity, while the RAT’s stealthy communication and anti-analysis features complicate detection and incident response. The campaign’s ability to profile victims and hand off access to ransomware groups increases the likelihood of severe financial and reputational damage. Additionally, the social engineering component exploits user trust and can bypass traditional technical controls if users are not adequately trained. The multi-stage infection chain and use of legitimate tools like finger.exe complicate attribution and mitigation efforts. Overall, the threat could lead to prolonged breaches, data loss, operational disruption, and increased ransomware exposure for European enterprises.

Mitigation Recommendations

1. Enforce strict policies on browser extension installation, limiting users to vetted and necessary extensions only, and regularly audit installed extensions for anomalies.
2. Deploy endpoint detection and response (EDR) solutions capable of identifying unusual PowerShell activity, finger.exe misuse, and persistent RAT behaviors, including registry persistence and encrypted C2 communications.
3. Educate users on social engineering tactics, emphasizing skepticism toward unexpected security warnings and discouraging execution of commands from untrusted sources.
4. Implement network monitoring to detect suspicious outbound traffic to known malicious IPs and domains associated with KongTuke infrastructure, including nexsnield[.]com and the RAT C2 servers.
5. Use application whitelisting to prevent unauthorized execution of scripts and utilities like finger.exe in non-standard contexts.
6. Regularly update and patch browsers and operating systems to reduce attack surface and disable legacy or unnecessary features that could be abused.
7. Employ multi-factor authentication and network segmentation to limit the impact of compromised domain-joined machines.
8. Conduct threat hunting exercises focusing on indicators of compromise related to this campaign, such as repeated browser crashes, unusual clipboard activity, and persistent pop-ups.
9. Collaborate with threat intelligence providers to stay updated on evolving TTPs and IoCs related to KongTuke and ModeloRAT.
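Mitigation 1 asks for extension controls that pin users to vetted extensions. CrashFix passed for uBlock Origin Lite by name, so a useful control has to key on extension IDs, which is what Chrome's managed policies (ExtensionInstallBlocklist, ExtensionInstallAllowlist, ExtensionInstallForcelist) do. The following is an added example, not code from The Hacker News article or from any vendor: it evaluates a policy with Chrome's precedence rules (force-installed and allowlisted IDs win over the blocklist; a blocklist entry of "*" denies everything else), checks that a policy is deny-by-default, and audits an endpoint's installed extensions against it. All extension IDs and the installed-extension inventory are constructed for the example; the update URL is the public Chrome Web Store update endpoint.

```python
"""Evaluate a managed Chrome extension policy the way Chrome applies it and audit
installed extensions against it. Added example; the IDs below are constructed."""
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")


def extension_install_allowed(policy: dict, ext_id: str) -> bool:
    """Chrome precedence: force-installed and allowlisted IDs win over the
    blocklist; a blocklist entry of "*" denies everything not explicitly allowed."""
    allow = set(policy.get("ExtensionInstallAllowlist", []))
    block = set(policy.get("ExtensionInstallBlocklist", []))
    # Forcelist entries are "<id>;<update_url>"; only the ID part matters here.
    force = {entry.split(";", 1)[0] for entry in policy.get("ExtensionInstallForcelist", [])}
    if ext_id in force or ext_id in allow:
        return True
    if ext_id in block or "*" in block:
        return False
    return True


def audit_policy(policy: dict) -> list:
    """Flag a policy that is not deny-by-default or that contains malformed IDs."""
    problems = []
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        problems.append("ExtensionInstallBlocklist lacks '*': users may install any store extension")
    for key in ("ExtensionInstallAllowlist", "ExtensionInstallBlocklist"):
        for ext_id in policy.get(key, []):
            if ext_id != "*" and not EXT_ID.match(ext_id):
                problems.append(f"{key}: malformed extension ID {ext_id!r}")
    return problems


def audit_installed(policy: dict, installed: dict) -> list:
    """Return (id, name) pairs present on an endpoint that the policy would not
    permit, i.e. extensions that pre-date the policy or were side-loaded."""
    return [(ext_id, name) for ext_id, name in installed.items()
            if not extension_install_allowed(policy, ext_id)]


# Constructed IDs (valid format, not real extensions).
VETTED_BLOCKER = "aaaabbbbccccddddeeeeffffgggghhhh"
LOOKALIKE_BLOCKER = "aaaabbbbccccddddeeeeffffgggghhhi"   # same display name, different ID
PASSWORD_MANAGER = "ppppoooonnnnmmmmllllkkkkjjjjiiii"

DENY_BY_DEFAULT_POLICY = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": [VETTED_BLOCKER],
    "ExtensionInstallForcelist": [PASSWORD_MANAGER + ";https://clients2.google.com/service/update2/crx"],
}
# Name-based thinking: block the one bad ID seen so far and leave the store open.
PERMISSIVE_POLICY = {"ExtensionInstallBlocklist": [LOOKALIKE_BLOCKER]}

# Constructed inventory, shaped like an EDR or browser-management export.
INSTALLED_ON_HOST = {
    VETTED_BLOCKER: "uBlock Origin Lite",
    LOOKALIKE_BLOCKER: "uBlock Origin Lite",
    PASSWORD_MANAGER: "Corporate password manager",
}

if __name__ == "__main__":
    print("policy problems:", audit_policy(PERMISSIVE_POLICY))
    print("not permitted on host:", audit_installed(DENY_BY_DEFAULT_POLICY, INSTALLED_ON_HOST))
```

The lookalike entry shares its display name with the vetted extension, so any review that compares names will clear it; only the deny-by-default policy, keyed on the ID, reports it as not permitted.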
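The technical analysis describes finger.exe fetching a PowerShell payload after the user runs the lure command, and mitigations 2 and 5 ask EDR and allowlisting to catch finger.exe misuse and unusual PowerShell. The hunt below is an added example, not code from The Hacker News article or from any EDR vendor. It runs over constructed process-creation events in the shape of Sysmon Event ID 1 (image, command line, parent) and flags three things: finger.exe invoked with a remote host, powershell.exe started by finger.exe or sharing its parent shell (which is how piped command output reaches PowerShell), and powershell.exe started with an encoded command, since the payload chain relies on layered Base64. The process IDs, paths, the documentation-range address 203.0.113.10 and the placeholder lure command line are all constructed.

```python
"""Hunt for the finger.exe -> PowerShell chain in process-creation telemetry.
Added example; the events below are constructed, not real logs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path as logged (Sysmon Event ID 1 style)
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str


# finger.exe contacting a remote host looks like "finger user@host" or "finger @host";
# a bare "finger" with no host argument is the only form with a plausible business use.
FINGER_REMOTE = re.compile(r"(^|\s)\S*@\S+")
# Encoded-command switches accepted by powershell.exe (-e, -ec, -enc, -EncodedCommand).
PS_ENCODED = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return findings for events matching the chain described in the analysis."""
    by_pid = {e.pid: e for e in events}
    finger_pids = {
        e.pid for e in events
        if basename(e.image) == "finger.exe" and FINGER_REMOTE.search(e.cmdline)
    }
    # Parent shells of remote finger.exe runs: when finger output is piped into
    # PowerShell from cmd.exe, finger.exe and powershell.exe are siblings under it.
    finger_parent_pids = {by_pid[p].ppid for p in finger_pids}

    findings = []
    for e in events:
        if e.pid in finger_pids:
            findings.append(Finding(e.pid, "finger_remote_query", "medium"))
        if basename(e.image) != "powershell.exe":
            continue
        if e.ppid in finger_pids or e.ppid in finger_parent_pids:
            findings.append(Finding(e.pid, "powershell_with_finger_chain", "high"))
        if PS_ENCODED.search(e.cmdline):
            findings.append(Finding(e.pid, "powershell_encoded_command", "medium"))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry. 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", '"chrome.exe"'),
    # Run-dialog launch of the lure; the pasted command text is a placeholder here.
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c [lure command from the fake warning]"),
    ProcEvent(301, 300, r"C:\Windows\System32\finger.exe", "finger user@203.0.113.10"),
    ProcEvent(302, 300, PS, "powershell -NoProfile"),
    # Benign admin activity: a scripted PowerShell run and a bare finger with no host.
    ProcEvent(400, 100, PS, r"powershell -NoProfile -File C:\scripts\backup.ps1"),
    ProcEvent(401, 400, r"C:\Windows\System32\finger.exe", "finger"),
    # Encoded command under the browser process tree ("Get-Date" as UTF-16LE Base64).
    ProcEvent(500, 200, PS, "powershell -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample set the benign administrator activity (pids 400 and 401) produces nothing, while the lure chain yields a medium finding on the remote finger query and a high finding on its sibling PowerShell; the encoded command is reported on its own so it can be triaged independently of the finger.exe rule.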


Technical Details

Article Source
https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html (fetched 2026-01-19T19:42:14.715Z, 1644 words)

Threat ID: 696e89194623b1157cb26461

Added to database: 1/19/2026, 7:42:17 PM

Last enriched: 1/19/2026, 7:43:34 PM

Last updated: 1/19/2026, 9:06:13 PM

