Scheduled-Tasks

IR playbook for investigating and containing the KongTuke (aka LandUpdate808/TAG‑124) lure using fake CAPTCHA + ClickFix clipboard inject...

KongTuke/TAG‑124 fake CAPTCHA → ClickFix chain drops Python payload via PowerShell

4n6 Beat

SANS ISC documented a fresh KongTuke lure on November 18, 2025 that uses a fake CAPTCHA page and a ClickFix-style clipboard injection to run a PowerShell one-liner, which pulls a ZIP containing a malicious Python script and a bundled Windows Python runtime. Post-infection artifacts land under AppData\Roaming\DATA with persistence via a Scheduled Task; IOCs include multiple paths on 64.111.92[.]212:6655 and later HTTPS to telegra.ph, which itself is legitimate infrastructure often abused as an intermediary. See the primary diary for details and hashes (SANS ISC).
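The two persistence artifacts named above (a Scheduled Task and a bundled Python runtime staged under AppData\Roaming\DATA) are what a responder can hunt for on an endpoint. The following is an added example written for this playbook, not code from the SANS ISC diary: it parses exported Scheduled Task XML (the format under C:\Windows\System32\Tasks or from `schtasks /query /xml`) and scores each task's Exec actions against the indicators the summary gives. The task XML, user name and script file name in the sample are constructed placeholders; the staging directory and the 64.111.92[.]212:6655 host:port come from the page.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators from the ISC diary summary: staging directory, bundled Python
# runtime, and the known C2 host:port (defanged form normalised below).
STAGING_DIR_RE = re.compile(r"appdata\\roaming\\data\\", re.IGNORECASE)
PYTHON_EXE_RE = re.compile(r"(^|\\)pythonw?\.exe$", re.IGNORECASE)
C2_HOST = "64.111.92.212:6655"


def task_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task XML document."""
    root = ET.fromstring(task_xml)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        yield cmd, args


def score_task(task_xml: str) -> list[str]:
    """Return a list of indicator tags matched by the task's actions (empty = clean)."""
    findings = []
    for cmd, args in task_actions(task_xml):
        full = f"{cmd} {args}".replace("[.]", ".")
        if STAGING_DIR_RE.search(full):
            findings.append("staging-dir")       # action touches AppData\Roaming\DATA
        if PYTHON_EXE_RE.search(cmd) and STAGING_DIR_RE.search(cmd):
            findings.append("bundled-python")    # python.exe run from the staging dir
        if C2_HOST in full:
            findings.append("c2-host")           # known KongTuke host:port in action
    return findings


# Constructed sample tasks (not real artifacts): one benign vendor updater,
# one shaped like the persistence described in the diary. The user name and
# script name are placeholders; the page does not name the script.
BENIGN_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\PLACEHOLDER_USER\\AppData\\Roaming\\DATA\\python\\pythonw.exe</Command>
      <Arguments>C:\\Users\\PLACEHOLDER_USER\\AppData\\Roaming\\DATA\\PLACEHOLDER_SCRIPT.py</Arguments>
    </Exec>
  </Actions>
</Task>"""


def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Score a mapping of task name -> task XML; useful over a dumped Tasks folder."""
    return {name: score_task(xml) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, tags in triage({"Updater": BENIGN_TASK_XML, "DATA": SUSPICIOUS_TASK_XML}).items():
        print(f"{name}: {tags or 'clean'}")
```

In a live investigation, feed the function the XML of every file under C:\Windows\System32\Tasks (they are XML documents without an extension); a hit on both `staging-dir` and `bundled-python` is the pattern the diary describes, and the task's author, creation time and trigger then give the infection timeline.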