KongTuke
Also known as: TAG-124 · js.LandUpdate808
KongTuke is a traffic distribution system (TDS) first observed around May 2024. Operating from compromised CMS websites, KongTuke redirects site visitors through a multi-stage infection chain that ends in device infection. It initially relied on fake browser-update lures and switched to fake CAPTCHA lures at the beginning of 2025. It is likely an initial access service, selling infections both to ransomware affiliates and to other initial access vendors such as SocGholish.
Indicators of Compromise (15)

Filename: AutoPico.exe
Filename: VID001.exe
Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe
Filename: f_000b97.html
Filename: sample.exe
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
MD5: 38de5b216c33833af710e88f7f64fc98
MD5: 7bdbd180c081fa63ca94f9c22c457376
MD5: bf9672ec85283fdf002d83662f0b08b7
MD5: cc4d231df34e57f59eb970353c7d9de2
SHA-256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
SHA-256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
SHA-256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
SHA-256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638
SHA-256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
YARA Detection Rules
KongTuke_YARA_Detection
import "hash"

rule KongTuke_Detection {
    meta:
        description = "Detects KongTuke malware based on known file names, hashes, and behavioral indicators"
        author = "AI Generated"
    strings:
        // File names taken from the IoC list above; "sample.exe" is generic and
        // will match unrelated files, so it only counts in combination
        $s1 = "VID001.exe" ascii nocase
        $s2 = "AutoPico.exe" ascii nocase
        $s3 = "d4aa3e7010220ad1b458fac17039c274_62_Exe.exe" ascii nocase
        $s4 = "sample.exe" ascii nocase
        $s5 = "f_000b97.html" ascii nocase
        $s6 = "KongTuke" ascii nocase
        // Network artefacts; $s9 is a common User-Agent prefix and is never
        // sufficient on its own, hence the paired conditions below
        $s7 = "POST /api/report" ascii
        $s8 = "GET /task.php?id=" ascii
        $s9 = "User-Agent: Mozilla/5.0 (Windows NT)" ascii
    condition:
        2 of ($s*) or ($s7 and $s9) or ($s8 and $s9) or
        // Whole-file SHA-256 of the known samples from the IoC list. The original
        // rule encoded these digests as hex byte patterns ($h1..$h5), which can
        // never match because a file does not contain its own hash; comparing the
        // computed digest through the hash module is the correct form.
        hash.sha256(0, filesize) == "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507" or
        hash.sha256(0, filesize) == "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f" or
        hash.sha256(0, filesize) == "c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe" or
        hash.sha256(0, filesize) == "afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638" or
        hash.sha256(0, filesize) == "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91"
}

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.