Threat Profile: KongTuke, ClickFix, and Havoc Campaign
PacketWatch Team Sixty43
May 05, 2026
PacketWatch's Team Sixty43 profiles a threat involving the toxic trio KongTuke, ClickFix, and Havoc, complete with tactics, techniques, and procedures.
PacketWatch’s Team Sixty43 has seen an uptick in attacks originating from infrastructure tied to KongTuke. Based on our findings, KongTuke is using its infrastructure to trick users into executing malicious code through ClickFix lures, which results in Havoc C2 infecting the victim's machine.
Figure 01: PacketWatch Threat Intelligence proactively detecting KongTuke infrastructure
Before we continue, we should go over the key components of this toxic trio, as sometimes they are misconstrued for one another.
KongTuke is a malicious Traffic Distribution System (TDS). The purpose of a TDS is to redirect visitors to specific webpages: it analyzes visitor data such as geolocation and user agent and uses that data to redirect to the appropriate page. In this case, KongTuke, also known as LandUpdate808 and TAG-124, compromises vulnerable WordPress sites and injects malicious JavaScript into them. This code redirects unsuspecting visitors to ClickFix sites. The exact exploit or method by which KongTuke compromises these sites is unknown, but many of them have exposed xmlrpc.php endpoints and outdated plugins, making them trivial for any actor to compromise.
ClickFix is an annoyingly persistent social engineering technique whose use has grown 517% since 2024. There are many variations of the technique, ranging from fake error codes, system alerts and CAPTCHAs to fake BSOD warnings. What remains consistent is the sense of urgency and panic, which tricks the user into following a series of very simple copy-and-paste instructions. The warning may claim the user is only copying an error code, but what gets pasted into PowerShell or the Run prompt is malicious code that grabs a payload and executes it on the victim's machine. These payloads vary from malicious browser extensions to infostealers to Cobalt Strike beacons.
Havoc C2 is an open-source command-and-control framework comparable to Cobalt Strike. It is designed to be very malleable and modular, allowing the operator to configure it per their needs. Developed by C5pider, it is a powerful C2 framework used by both advanced red team operators and common criminal actors. Havoc implants are called “demons”, similar to Cobalt Strike’s “beacons”.

Figure 02: Havoc C2’s GitHub page
While many security vendors have reported on KongTuke and ClickFix, we have seen new TTPs emerging from this unholy union.
Team Sixty43 recently responded to a massive increase in attacks originating from compromised WordPress sites. Upon further analysis of these poisoned sites, we identified JavaScript code that lines up with intelligence on KongTuke:
Figure 03: Malicious JavaScript code loading the KongTuke script
Figure 04: The malicious KongTuke script as seen in URLScan
Figure 05: Bad ClickFix, go home
Once the KongTuke script has determined the visitor is of interest, it loads the ClickFix page and socially engineers the user into copying the malicious code into the Run Prompt.
This is where it gets interesting. The malicious script executes using “conhost.exe” with the “--headless” argument, which hides the child process window and makes conhost the parent process.
Figure 06: ClickFix malicious script
The malicious script grabs a payload from a malicious domain. In every case Team Sixty43 has seen in this recent spike in KongTuke activity, the payload is a tar file – a Havoc C2 demon (C2 implant). Many payloads in this campaign were named after known Windows components, like “endpointdlp.dll”, likely to masquerade as legitimate OS executables and avoid suspicion.
This results in a process flow that looks like this:
Explorer > Conhost (malicious script) > CMD > Rundll32 (executes Havoc demon)
Figure 07: Malicious tar file downloaded from payload site
Figure 08: VirusTotal flagging most KongTuke-related Havoc demons
Figure 09: PacketWatch Session details of the KongTuke network traffic
Something we noted in our hunts: even though many detections were for users on VPN networks, PacketWatch’s ability to deeply inspect DNS traffic allowed us to identify key indicators of successful network traffic between the malicious infrastructure and the victim machines.
Pro tip from Team Sixty43: If you are responding to an incident where the Run Prompt was used to execute malicious code, look at the RunMRU registry keys. These registry keys log all Run Prompt entries.
Investigating locally:
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
Investigating via EDR (where *SID* is the target user's SID):
reg query "HKU\*SID*\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
Figure 10: An example of what a successful execution of a malicious script in the Run Prompt logs in RunMRU
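RunMRU stores each Run prompt entry as a single-letter value with a trailing "\1", and the MRUList value gives the order of use, newest first. The parser below is an added example, not PacketWatch's code: it takes the text output of the reg query commands above (the sample here is constructed), orders the entries by MRUList, and flags ones containing common ClickFix and LOLBin keywords. The keyword list is a starting heuristic, not a complete signature.

```python
"""Parse `reg query ...\RunMRU` output and rank entries most-recent-first.
Added example, not PacketWatch's code. The sample output below is constructed;
the flagged keywords are a starting heuristic, not a complete ClickFix signature."""
import re

# Constructed `reg query` output for illustration (tab/space widths vary by tool version).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    notepad\1
    b    REG_SZ    conhost --headless cmd /c "<constructed stage>"\1
    c    REG_SZ    mstsc\1
    MRUList    REG_SZ    bca
"""

# Substrings commonly seen in ClickFix Run prompt payloads; extend for your environment.
SUSPICIOUS = ("--headless", "powershell", "-enc", "mshta", "downloadstring",
              "bitsadmin", "curl", "certutil")

VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_SZ\s+(.*)$")


def parse_runmru(text):
    """Return [(slot, command, suspicious)] ordered by MRUList, newest first.
    Slots missing from MRUList are appended at the end in name order."""
    values, order = {}, ""
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).rstrip()
        if name == "MRUList":
            order = data
        else:
            # Explorer appends "\1" to every Run entry; strip it for readability.
            values[name] = data[:-2] if data.endswith("\\1") else data
    ordered = [s for s in order if s in values] + sorted(set(values) - set(order))
    return [(s, values[s], any(k in values[s].lower() for k in SUSPICIOUS)) for s in ordered]
```

Pipe the saved reg query output into parse_runmru and review the flagged entries first; the newest slot is usually the one the victim pasted during the lure.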
KongTuke continues to evolve and grow. It's a favorite TDS for criminal actors and is beginning to push increasingly malicious payloads. The appearance of Havoc C2 demons signals that more sophisticated actors, like ransomware actors and initial access brokers, are using the system to gain footholds in critical networks.
The majority of incidents Team Sixty43 responded to were in healthcare networks.
EDR and endpoint defenses are critical, but properly configured C2 agents can bypass those defenses. Only PacketWatch’s Full Packet Capture technology and automated threat intelligence can detect and respond to these threats in real time reliably. With our EDR integrations, Team Sixty43 can quickly detect, analyze, and remediate any incident in real time.
This profile is provided FREE to the cybersecurity community.