KongTuke: A King Among Threat Groups
This blog is the latest in a series that delves into the deep research conducted daily by the LevelBlue SpiderLabs team on major threat actor groups currently operating globally. It is an overview of the findings.
KongTuke was first identified by researchers at Group-IB in the May 2024 timeframe. The group has a multi-layered infrastructure that is connected to a Traffic Distribution System (TDS). KongTuke’s activity overlaps with several known threat activity clusters, including LandUpdate808, TAG-124, and Chaya_002.
KongTuke, however, is not a stand-alone organization and is classified as a sub-group of the “FAKEUPDATES” malware ecosystem. Other variants in this category include Clear Fake and Smart Ape, with SocGholish and ClickFix identified as the most widespread and well-established variants within this category.
The KongTuke alias is derived from one of the domain names observed hosting malicious FAKEUPDATES JavaScript payloads.
This variant consistently uses the URL endpoints “/land.php” and “/update.php” within the malware’s JavaScript source code. These endpoints inspired the LandUpdate808 codename, in which “808” is an internal naming convention that indicates the origin of the tracking and analyst attribution.
Targets and Areas of Operation
KongTuke does not limit its target list to any specific regions or nationalities. Instead, it operates a large and continuously expanding network of compromised WordPress websites.
While infection activity appears primarily opportunistic, a significant number of affected sites are located in high-traffic domains across multiple industry sectors. This broad exposure substantially increases the potential scale and effectiveness of malware distribution.
Although no clear geographic targeting has been identified, several notable cases indicate the compromise of domains associated with high-profile organizations. These include the Polish Centre for Testing and Certification, the Economic Community of West African States, and a U.S.-based defense manufacturing holding company.
KongTuke’s Methodology
KongTuke infections originate from compromised WordPress websites that victims may encounter through multiple vectors, including links shared on social media platforms or inadvertent navigation via search engine results. Naturally, then, the group’s first step is to compromise a WordPress website and inject malicious JavaScript into it.
At this point, KongTuke’s exact initial access vector for compromising WordPress websites remains unclear; two primary hypotheses stand out.
First, although the majority of affected sites run relatively recent WordPress versions (commonly 6.7.2, with some on 6.7.1 or 6.6.2), exploitation of vulnerable or misconfigured third-party plugins may have provided an entry point.
Second, the group may obtain access through stolen or purchased valid credentials. This assessment is supported by the presence of WordPress administrator credentials associated with several impacted sites, many of which appear in datasets linked to infostealer malware families such as Atomic Stealer and Vidar. These infostealers are known to harvest credentials from both employees and customers, enabling downstream abuse by multiple threat actors.
Finally, it remains plausible that KongTuke directly conducts phishing campaigns to harvest WordPress administrator credentials, further expanding its access to vulnerable environments.
Traffic Distribution System (TDS)
In recent years, cybercriminals have exploited Traffic Distribution System (TDS) platforms to selectively redirect targeted users to unwanted destinations such as phishing pages and malware payloads.
In KongTuke’s campaign, compromised WordPress websites are used to serve an obfuscated JavaScript file containing multiple functions designed to implement TDS logic, including visitor state tracking and victim fingerprinting.
The script gathers system and network information, including the operating system, IP address, current URL (referrer), browser type, user-agent string, and IP-based geolocation, and encodes the collected data using Base64. As part of the victim profiling process, it queries Cloudflare Trace to obtain additional network and system metadata, such as the visitor’s public IP address and geographic location. The threat actors consistently misspell the query parameter ‘referer’ as ‘refferer’. The collected information is then transmitted to the command-and-control (C2) server via a ‘.php’ endpoint.
If the collected data meets a specific set of conditions, the C2 server triggers the next stage of the infection chain.
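The fingerprint beacon described above leaves recognizable traces in web-proxy logs: a request to a “/land.php” or “/update.php” endpoint carrying Base64-encoded profile fields, with the actor’s misspelled ‘refferer’ parameter. The following detection is an added example written for this post, not code from the report or from the malware; the log format and the four log lines are constructed, and the decoded field contents are illustrative.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the report and the actor's consistent misspelling of 'referer'.
SUSPICIOUS_ENDPOINTS = ("/land.php", "/update.php")
MISSPELLED_PARAM = "refferer"

# Constructed proxy log (not real KongTuke traffic): "<timestamp> <client_ip> <method> <url>".
# Line 3 mimics the beacon: .php endpoint, Base64 values, misspelled parameter.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.5 GET https://www.example-blog.test/wp-content/themes/main.css
2025-03-01T10:00:02Z 203.0.113.5 GET https://www.cloudflare.com/cdn-cgi/trace
2025-03-01T10:00:03Z 203.0.113.5 POST https://cdn.example-tds.test/land.php?refferer=aHR0cHM6Ly93d3cuZXhhbXBsZS1ibG9nLnRlc3Qv&ua=TW96aWxsYS81LjA=
2025-03-01T10:00:04Z 203.0.113.5 GET https://www.example-blog.test/index.php?referer=https%3A%2F%2Fexample.test
"""


def decode_b64(value):
    """Decode a Base64 query value for the analyst; return it unchanged if it is not Base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value


def analyze_request(url):
    """Return (indicator names, decoded query params) for one request URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    indicators = []
    if parts.path.endswith(SUSPICIOUS_ENDPOINTS):
        indicators.append("kongtuke_endpoint")
    if MISSPELLED_PARAM in params:
        indicators.append("misspelled_referer_param")
    decoded = {k: [decode_b64(v) for v in vs] for k, vs in params.items()}
    return indicators, decoded


def scan_log(text):
    """Scan log text; return alerts as (client_ip, url, indicators, decoded_params)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client_ip, _method, url = line.split(None, 3)
        indicators, decoded = analyze_request(url)
        if indicators:
            alerts.append((client_ip, url, indicators, decoded))
    return alerts
```

The decoded parameters show the analyst which site the victim was referred from and what client profile was reported; the correctly spelled ‘referer’ on the last line produces no alert.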
Post Access Actions
The action starts when a user visits an infected site. At this time, the script covertly loads attacker-controlled resources designed to socially engineer the victim into taking specific actions that result in malware delivery and execution.
The social engineering aspect of the attack is well thought out. KongTuke often masquerades this activity as a legitimate Google Chrome update, deceiving users into installing the malicious payload under the pretense of a routine browser update.
Then, in early 2025, KongTuke switched to the ClickFix platform. In this approach, it displays a deceptive dialog box instructing users to execute a command that has been preloaded into their clipboard. Upon execution, the command initiates a multi-stage infection chain that culminates in the download and execution of various payloads. KongTuke websites have been observed leveraging multiple ClickFix variations, including FakeCAPTCHA, FileFix, and CrashFix.
Several threat actors are assessed to have incorporated KongTuke services into their initial access operations, including TA582, Interlock ransomware, SocGholish, NodeSnake, TA866/Asylum Ambuscade, D3F@CK Loader, Rhysida ransomware, and other clusters.
Persistence and Exfiltration
The malware achieves persistence by extracting command-line scripts and saving them as inconspicuous files (e.g., .cfg, .pyw). It creates registry keys mimicking legitimate services like "ChromeUpdater" or appends random numbers to harvested folder names (e.g., Spotify47) to blend into system artifacts.
Data is exfiltrated via a custom scheme: it is XOR-encrypted with a random 4-byte key, concatenated with encryption keys, Gzip-compressed, and finalized with a zlib checksum. The malware then awaits C2 instructions.
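The exfiltration wrapper described above can be reversed by an analyst who has captured the C2 traffic. The decoder below is an added example, not code from the report or from the malware; the report does not give the exact field order, so the layout (4-byte key followed by the XORed data, then Gzip, then a big-endian Adler-32 trailer as the zlib checksum) is an assumption, and a sample blob is constructed inline so the decoder can be exercised offline.

```python
import gzip
import struct
import zlib

KEY_LEN = 4  # the report states a random 4-byte XOR key


def xor_bytes(data, key):
    """XOR data with a repeating short key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_blob(plaintext, key):
    """Constructed test fixture only. Assumed layout (not confirmed by the report):
    key || xor(data, key)  ->  gzip  ->  append big-endian Adler-32 over the gzip stream."""
    body = key + xor_bytes(plaintext, key)
    compressed = gzip.compress(body)
    trailer = struct.pack(">I", zlib.adler32(compressed) & 0xFFFFFFFF)
    return compressed + trailer


def unpack_blob(blob):
    """Analyst-side decoder: verify the trailing checksum, decompress,
    split off the embedded key, and undo the XOR. Returns (key, plaintext)."""
    if len(blob) < 4:
        raise ValueError("blob too short to carry a checksum trailer")
    stream, trailer = blob[:-4], blob[-4:]
    expected = struct.unpack(">I", trailer)[0]
    actual = zlib.adler32(stream) & 0xFFFFFFFF
    if expected != actual:
        # A corrupted or truncated capture is reported rather than silently mis-decoded.
        raise ValueError("checksum mismatch: %08x != %08x" % (expected, actual))
    body = gzip.decompress(stream)
    if len(body) < KEY_LEN:
        raise ValueError("decompressed body shorter than the embedded key")
    key, cipher = body[:KEY_LEN], body[KEY_LEN:]
    return key, xor_bytes(cipher, key)
```

Because the key travels inside the blob, recovery needs no secret; the checksum check is what distinguishes a clean capture from a damaged one.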
Breaking Down KongTuke
KongTuke’s infrastructure consists of multiple interconnected components that collectively support its cybercrime operations. The primary elements observed within the broader KongTuke infrastructure include the following:
- A Central Server: The majority of KongTuke’s first-stage delivery servers have been observed communicating with a centralized backend over TCP port 443. This server is believed to host the core logic of the traffic distribution system (TDS), which evaluates victim characteristics and determines whether conditions are met to trigger malware payload delivery.
- Ads Panels: These panels are used to distribute the active delivery server URLs, which are served as Base64-encoded strings via designated endpoints. This mechanism enables dynamic redirection and rapid rotation of first-stage infrastructure.
- Management Server: A suspected management server associated with KongTuke operations. This server has been observed interacting with both the Ads Panels and infrastructure hosting websites, impersonating legitimate WordPress hosting providers, suggesting a coordination role across delivery and deception components.
- Management Panel: Believed to function as the primary administrative interface, this panel likely controls multiple components of the TAG-124 infrastructure, including the Central Server, Ads Panels, and first-stage payload servers, primarily through SSH-based management and orchestration.