KongTuke, also known as LandUpdate808 or TAG-124, is a sophisticated Traffic Distribution System (TDS) campaign active since at least May 2024. It employs a novel infection vector by injecting malicious scripts into legitimate websites, which display fake CAPTCHA pages with ClickFix-style instructions. These instructions trick users into copying and pasting a PowerShell command into their Windows Run dialog. This command downloads a zip archive containing a Windows Python environment and a malicious Python script. The infection persists by creating scheduled tasks under the user’s AppData\Roaming directory, ensuring execution on system startup or at scheduled intervals. The Python script generates HTTPS traffic to telegra.ph, a legitimate publishing platform, complicating network detection and analysis. The exact functionality of the Python payload remains unknown, but the infection chain demonstrates advanced social engineering, persistence, and evasion techniques. The attack targets Windows clients within Active Directory environments, leveraging user interaction but no initial elevated privileges. Indicators include specific IP addresses and URLs used for initial payload delivery. The campaign is tracked via infosec.exchange Mastodon and URLscan, highlighting its ongoing activity and evolving tactics. The infection’s stealth and use of legitimate infrastructure for command and control traffic underscore its sophistication and potential for further malicious activity.

For European organizations, the KongTuke campaign poses significant risks primarily to Windows-based enterprise environments, especially those using Active Directory. The infection method relies on social engineering to bypass technical controls, increasing the likelihood of successful compromise. Once infected, systems maintain persistence, potentially allowing attackers to deploy additional payloads, conduct data exfiltration, or move laterally within networks. The use of legitimate websites for script injection and legitimate platforms like telegra.ph for command and control traffic complicates detection and response efforts. This can lead to prolonged undetected presence, increasing the risk of data breaches, operational disruption, and reputational damage. Organizations with high user interaction with web content and less mature endpoint detection capabilities are particularly vulnerable. The infection’s ability to hijack clipboard content and trick users into executing commands highlights the importance of user awareness. The unknown final payload means the full impact could range from espionage to ransomware deployment, depending on attacker intent. Overall, the threat could disrupt business operations and compromise sensitive data across European enterprises.

1. Implement advanced web filtering and script-blocking solutions to detect and prevent injection of malicious scripts into legitimate websites. 2. Deploy endpoint detection and response (EDR) tools capable of identifying unusual PowerShell activity and persistence mechanisms such as scheduled tasks in user directories. 3. Conduct targeted user awareness training focusing on the risks of copying and pasting commands from untrusted sources, emphasizing clipboard hijacking tactics. 4. Monitor network traffic for anomalous HTTPS connections to uncommon destinations, including legitimate platforms used for C2 like telegra.ph, using SSL inspection where possible. 5. Regularly audit and harden Active Directory environments to limit lateral movement opportunities post-infection. 6. Employ application whitelisting to restrict execution of unauthorized scripts and binaries, including Python environments deployed outside standard software management processes. 7. Use threat intelligence feeds and URL reputation services to block known malicious IPs and URLs associated with KongTuke. 8. Establish incident response playbooks specific to TDS and social engineering-based infections to enable rapid containment and remediation. 9. Encourage reporting and sharing of indicators of compromise within industry groups and national cybersecurity centers to improve collective defense. 10. Regularly update and patch systems to reduce exposure to exploitation vectors that may be leveraged in follow-on attacks.