KongTuke/TAG-124 fake CAPTCHA → ClickFix chain drops Python payload via PowerShell

IR playbook for investigating and containing the KongTuke (aka LandUpdate808/TAG‑124) lure using fake CAPTCHA + ClickFix clipboard inject...

SANS ISC documented a fresh KongTuke lure on November 18, 2025 that uses a fake CAPTCHA page and a ClickFix-style clipboard injection to run a PowerShell one-liner, which pulls a ZIP containing a malicious Python script and a bundled Windows Python runtime. Post-infection artifacts land under AppData\Roaming\DATA with persistence via a Scheduled Task; IOCs include multiple paths on 64.111.92[.]212:6655 and later HTTPS to telegra.ph, which itself is legitimate infrastructure often abused as an intermediary. See the primary diary for details and hashes (SANS ISC).

Intrusion Flow

  • Traffic Distribution System and lure
    • KongTuke (aka LandUpdate808/TAG-124) operates as a multi-layer TDS leveraging compromised sites to push fake update and, more recently, fake CAPTCHA flows (Recorded Future Insikt Group; Malpedia).
    • The observed lure renders a CAPTCHA with instructions that trigger clipboard-based command injection (“ClickFix”), pushing victims to paste into Win+R/PowerShell (Microsoft Threat Intelligence).
  • User-assisted execution
    • The page’s JavaScript stages the command in the clipboard (common “stageClipboard” pattern) and directs the user to execute it; campaigns commonly use -w hidden plus iwr|iex or mshta cradles (Splunk; Recon InfoSec).
  • Initial payload delivery
  • Persistence and C2
    • The implant stored files in %APPDATA%\DATA (i.e., AppData\Roaming\DATA; note that %APPDATA% already resolves to the Roaming folder) and set a Scheduled Task for persistence (SANS ISC).
    • Network IOCs included http://64.111.92[.]212:6655/ab, /se, /node, /nada000 during staging, followed by HTTPS to telegra.ph. Telegra.ph is a legitimate publishing platform that multiple actors have abused to hold C2 locators or configs (SANS ISC; Kaspersky ICS-CERT).

Key Artifacts to Pull

  • Disk and persistence
    • %APPDATA%\DATA\ (i.e., AppData\Roaming\DATA\) - collect all files, the downloaded ZIP, and the Python runtime/subfolders (SANS ISC).
    • Scheduled Tasks on disk: C:\Windows\System32\Tasks\* and registry TaskCache keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\{Tasks,Tree} (Cyber Triage; Microsoft Learn schtasks).
    • Prefetch for execution evidence of powershell.exe, python.exe/pythonw.exe, mshta.exe as applicable: C:\Windows\Prefetch\*.pf (Magnet Forensics).
  • Windows event logs (export full .evtx)
  • Network telemetry
    • HTTP(S) to 64.111.92[.]212:6655 with paths /ab, /se, /node, /nada000; any subsequent HTTPS to telegra.ph (treat as suspicious context, not blanket-malicious) (SANS ISC; Kaspersky ICS-CERT).

Detection Notes

  • Process creation (Security 4688 / Sysmon EID 1)
    • Hunt for explorer.exe spawning powershell.exe or mshta.exe with -w hidden, iwr, iex, or suspicious Base64 blocks. Ensure 4688 “Include command line in process creation events” is enabled (Microsoft Learn; Sysmon EID 1).
    • Example KQL (Microsoft Defender/XDR):
      DeviceProcessEvents
      | where InitiatingProcessFileName =~ "explorer.exe"
      | where FileName in~ ("powershell.exe","pwsh.exe","mshta.exe")
      | where ProcessCommandLine has_any ("-w hidden","iwr ", "Invoke-WebRequest", "| iex")
      
      Patterns mirror common ClickFix cradles documented by Microsoft (Microsoft Threat Intelligence).
  • PowerShell script block (4104)
    • Alert on single-line script blocks containing iwr piped to iex, downloads from bare IPs, and hits to 64.111.92[.]212:6655. Consider searching for strings resembling verification fluff appended to commands (e.g., “I am not a robot” text around the payload) and the clipboard-staging JS pattern (Splunk).
  • TaskScheduler events (106/140) and Security 4698
    • Detect new/updated tasks whose Actions reference paths within %APPDATA%\DATA\ (AppData\Roaming\DATA\) or invoke pythonw.exe from user-writable locations (NXLog docs; Microsoft Learn 4698).
  • Network
    • Flag HTTP to 64.111.92[.]212:6655/* and correlate to endpoint execution events. For telegra.ph, use context-aware detections (endpoint/flow correlation) to avoid false positives while recognizing abuse as a C2 indirection method (Kaspersky ICS-CERT).
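The 4688 and 4104 hunts above, as an added PowerShell example for environments without Defender XDR (this is illustrative code, not from the SANS ISC diary or any vendor). It assumes command-line logging in 4688 and Script Block Logging were enabled when the activity occurred; the -SecurityEvtx/-PowerShellEvtx parameters are assumed names for optional exported .evtx files, otherwise the live logs are read.

```powershell
# Added example: hunt Security 4688 and PowerShell 4104 events for ClickFix-style
# cradles. Run elevated. Pass exported .evtx paths for offline triage, or omit
# them to query the live logs on the host.
param([string]$SecurityEvtx, [string]$PowerShellEvtx)

# Indicators from the playbook: hidden-window PowerShell, iwr/iex or mshta
# cradles, downloads from bare IPs, and the staging host from the diary.
$cradle  = '-w\s+hidden|iwr\s|Invoke-WebRequest|\|\s*iex|mshta'
$bareIp  = 'https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?/'
$staging = '64\.111\.92\.212:6655'

function Get-EventField($Event, $Name) {
    # Pull a named EventData field out of the event's XML rendering
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$secFilter = if ($SecurityEvtx)   { @{Path=$SecurityEvtx; Id=4688} }   else { @{LogName='Security'; Id=4688} }
$psFilter  = if ($PowerShellEvtx) { @{Path=$PowerShellEvtx; Id=4104} } else { @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} }

# 4688: explorer.exe spawning powershell/pwsh/mshta with a cradle-looking command line
Get-WinEvent -FilterHashtable $secFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $parent = Get-EventField $_ 'ParentProcessName'
    $child  = Get-EventField $_ 'NewProcessName'
    $cmd    = Get-EventField $_ 'CommandLine'
    if ($parent -imatch '\\explorer\.exe$' -and
        $child  -imatch '\\(powershell|pwsh|mshta)\.exe$' -and
        $cmd    -imatch $cradle) {
        [pscustomobject]@{ Time=$_.TimeCreated; Source='4688'; Host=$_.MachineName; Detail=$cmd }
    }
}

# 4104: script blocks with iwr piped to iex, bare-IP downloads, or the diary's staging host
Get-WinEvent -FilterHashtable $psFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $block = Get-EventField $_ 'ScriptBlockText'
    if ($block -imatch $staging -or $block -imatch $bareIp -or
        ($block -imatch 'iwr|Invoke-WebRequest' -and $block -imatch '\biex\b|Invoke-Expression')) {
        # Truncate long script blocks so the summary stays readable; full text is still in the event
        $short = $block.Substring(0, [Math]::Min(200, $block.Length))
        [pscustomobject]@{ Time=$_.TimeCreated; Source='4104'; Host=$_.MachineName; Detail=$short }
    }
}
```

Pipe the output to Export-Csv or Out-GridView to review hits alongside the Scheduled Task and file-write evidence.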

Response Guidance

  • Contain quickly
    • Block egress to 64.111.92[.]212:6655 and any observed KongTuke delivery hosts from your logs (SANS ISC).
    • Do not globally block telegra.ph; instead, quarantine hosts exhibiting the telegra.ph beacon pattern and investigate for staged configs (Kaspersky ICS-CERT).
  • Eradicate persistence and payloads
    • Enumerate tasks: schtasks /query /fo list /v and export XML of any suspicious entries; delete confirmed-malicious tasks: schtasks /delete /tn "<taskname>" /f (Microsoft Learn schtasks).
    • Remove %APPDATA%\DATA\ (AppData\Roaming\DATA\) contents after capture; verify no other user-profile paths are referenced by the task’s Action (SANS ISC).
  • Improve logging for retrospective hunting (we know late nights happen)
  • Hunt breadth
    • Query for explorer→powershell/mshta parent-child chains with -w hidden and iwr|iex artifacts; pivot on any downloads from bare IPs and on file-write events under %APPDATA%\DATA\ (AppData\Roaming\DATA\). These behaviors are consistent with ClickFix campaigns across actors (Microsoft Threat Intelligence; Splunk).
  • Triage the Python runtime
    • If you find a bundled Python under user profile paths, treat it as untrusted. Attackers commonly ship the Windows “embeddable” runtime so code runs without a system install; examine _pth files, included libs, and any task that invokes pythonw.exe (Microsoft devblogs; Python docs).
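The Scheduled Task detection and eradication steps above (tasks whose Actions reference the DATA folder or launch python/pythonw from a user profile), as an added PowerShell example that is not from the SANS ISC diary. $CaseDir is an assumed evidence location and -Remove is an assumed switch; the script exports each matching task's XML before anything is deleted.

```powershell
# Added example: find Scheduled Tasks whose actions point at AppData\Roaming\DATA
# or at a python/pythonw binary under a user profile, export their XML to the case
# folder, and delete them only when -Remove is given. Run elevated.
param(
    [string]$CaseDir = "C:\IR\Case-KongTuke\tasks",   # assumed evidence path
    [switch]$Remove                                   # only after confirmation
)

New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

# Patterns from the playbook: the DATA drop folder and a bundled Python runtime
# living anywhere under C:\Users (user-writable, no system install needed).
$suspicious = @(
    '\\AppData\\Roaming\\DATA\\',
    '\\Users\\[^\\]+\\.*\\pythonw?\.exe'
)

$hits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Execute = program path; Arguments = command line handed to it
        $cmd = "$($action.Execute) $($action.Arguments)"
        foreach ($re in $suspicious) {
            if ($cmd -imatch $re) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    Command  = $cmd.Trim()
                }
                break   # one hit per action is enough
            }
        }
    }
}

foreach ($h in $hits) {
    $safeName = ($h.TaskPath + $h.TaskName) -replace '[\\/:*?"<>|]', '_'
    # Preserve the full definition (triggers, principal, actions) before any change
    Export-ScheduledTask -TaskPath $h.TaskPath -TaskName $h.TaskName |
        Set-Content -Path (Join-Path $CaseDir "$safeName.xml") -Encoding UTF8
    Write-Output "Suspicious task: $($h.TaskPath)$($h.TaskName) -> $($h.Command)"
    if ($Remove) {
        Unregister-ScheduledTask -TaskPath $h.TaskPath -TaskName $h.TaskName -Confirm:$false
    }
}
```

Review the exported XML (and the referenced files, which should already be captured) before re-running with -Remove.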

Takeaways

  • Block and hunt for the precise KongTuke IOCs from the diary (64.111.92[.]212:6655/*) and correlate with PowerShell one-liners and new Scheduled Tasks under user paths (SANS ISC).
  • Turn on (or verify) Security 4688 with command lines and PowerShell 4104 collection organization-wide to catch ClickFix cradles reliably (Microsoft Learn; PowerShell team).
  • Treat telegra.ph hits as suspicious context requiring endpoint correlation, not as a flat block list (Kaspersky ICS-CERT).
  • Expect Python runtimes bundled with malware; scrutinize any task actions launching python/pythonw from user-writable locations (Microsoft devblogs).

Sources / References