Highlights from August
Making its debut in the number 1 spot on our top 10 most prevalent threat list is KongTuke, a traffic distribution system (TDS) that uses compromised WordPress sites to deploy malicious code. While this is KongTuke’s first time on the list, it’s not new to Red Canary. KongTuke (aka 404 TDS/Chaya_002/LandUpdate808/TAG-124) was first publicly reported in May 2024. We saw enough activity in August for it to take the top spot. You can read more about KongTuke below.
The remainder of our top 10 list this month is made up of familiar faces that have shifted positions, including CleanUpLoader moving up to 2nd to tie with Amber Albatross. Observations of malicious NetSupport Manager use declined, dropping from 1st last month to a tie for 5th this month. Gamarue, Mimikatz, and SocGholish dropped off the list entirely. HijackLoader is also in a tie for 5th this month, making its first appearance on the list since April 2025. Three threats that landed just outside the top 10 in July—Atomic Stealer in 4th, and Metasploit Framework and Tangerine Turkey in a tie for 5th—also made the list this month.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for August 2025:
| Month's rank | Threat name | Threat description |
|---|---|---|
| Month's rank: ⬆ 1 | Threat name: KongTuke | Threat description : Traffic distribution system, first observed in 2024, that uses compromised WordPress sites to deploy malicious code that may lead to malware families such as Rhysida and Interlock ransomware, D3F@ck Loader, Mocha Manakin, MintsLoader, and WARMCOOKIE |
| Month's rank: ⬆ 2* | Threat name: | Threat description : Loader designed to maintain persistence and deliver additional threats |
| Month's rank: ➡ 2* | Threat name: | Threat description : Red Canary-named cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities |
| Month's rank: ⬆ 4 | Threat name: | Threat description : Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| Month's rank: ⬆ 5* | Threat name: | Threat description : Malware loader that uses DLL sideloading to deliver additional payloads through process injection |
| Month's rank: ⬇ 5* | Threat name: | Threat description : Collection of Python classes to construct/manipulate network protocols |
| Month's rank: ➡ 5* | Threat name: | Threat description : Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads |
| Month's rank: ⬆ 5* | Threat name: | Threat description : Penetration testing framework used to probe systematic vulnerabilities on networks and servers to conduct post-exploitation activity on compromised hosts |
| Month's rank: ⬇ 5* | Threat name: | Threat description : Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| Month's rank: ⬆ 5* | Threat name: | Threat description : Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| Month's rank: ⬆ 5* | Threat name: | Threat description : Red Canary's name for a VBS worm that is delivered via an infected USB and uses a printui DLL hijack to deliver a cryptomining payload |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
KongTuke hijacks WordPress sites to spread malware
Debuting at number 1 this month is KongTuke, a traffic distribution system (TDS) that uses compromised WordPress sites to deploy malicious code. Traffic distribution systems are often used legitimately; they are platforms designed to filter and redirect network traffic, and were originally developed for use by digital advertisers. That said, they have since been abused by adversaries to such a degree that “malicious TDS” could be considered an oxymoron. Adversaries leverage TDS infrastructure to:
- Put malicious ads and lures in front of as many potential victims as possible
- Attempt to evade detection by obfuscating their operations via frequent web redirects
- Route users to malicious content even if some of the infrastructure is blocked
Named for an early C2 domain it used, kongtuke[.]com, KongTuke is one such TDS. One of its key identifiers is leveraging compromised WordPress sites that display JavaScript pop-ups to trick visitors into downloading and executing payloads. The compromised websites are injected with malicious JavaScript code intended to trick the user into downloading malicious payloads through a variety of lures.
When we first started tracking KongTuke, the injected code would display fake Chromium browser update landing pages. In January 2025, researchers reported KongTuke websites using the fake CAPTCHA variant of paste and run (aka ClickFix) to trick users into executing malicious code and downloading payloads, which we’ve since directly observed. In April 2025, OSINT reported KongTuke using the FileFix version of paste and run as well.
When users access an infected KongTuke website, these adversary-controlled resources are loaded silently, resulting in the fake landing pages popping up. When users interact with the lures—for example, if they attempt to select the “Update Chrome” button on the landing page—a malicious payload with a filename like update_28_05_2024_9921804.exe or ChromeUpdateInstaller.js is downloaded to the victim’s device, followed by additional payload-dependent activity, if not stopped and remediated.
KongTuke has been linked to ransomware, including Rhysida and the Interlock ransomware group. We’ve observed various malware families associated with successful KongTuke lure execution and payload delivery, including:
Due to the data collected by most EDR sensors, Red Canary does not have visibility into the entire KongTuke intrusion chain. Many users may encounter the compromised WordPress websites during the course of normal browsing without interacting with the lures displayed by KongTuke pages and executing their code. Red Canary visibility does not provide details on the contents of websites visited by users if there isn’t any additional malicious endpoint execution behavior. Instead, we rely on behavior-based detections that occur after victims interact with the lures on a compromised site. Because KongTuke uses multiple lures and delivers a variety of payloads, these behaviors may appear in different ways, depending on the payload.
Attribution to KongTuke can be made via OSINT reporting of compromised domains or by pivoting to analyze the JavaScript references on compromised sites, for example <script async=”” src=”{malicious JavaScript}”>. Also, server-side JavaScript file names may follow the pattern of {digit}{letter}{digit}{letter}.js, like 6t4r.js or 5t6y.js.
Because KongTuke is network-based TDS infrastructure, endpoint behavioral detections will vary based on successful lure interaction, and that presents a wide range of detection opportunities. For example, we’ve recently seen KongTuke sites with lures using paste and run, and those command-line executions give us a detection opportunity.
Detection opportunity: Windows Explorer executing cmd.exe with “start” and “exit” in the command prompt
The following pseudo-detection analytic identifies explorer.exe executing cmd.exe with "start" and "exit" in the command prompt. We commonly observe this kind of command-line interface (CLI) in conjunction with a wide variety of malicious activity, including paste-and-run lures distributed via KongTuke webpages. We recommend investigating the child processes from the instance of the command prompt and the additional content that will also be executed in this CLI, such as any scripts, executables, or other LOLbins.
process_parent == (explorer.exe)
&&
process ==(cmd.exe)
&&
command_includes ('start')
&&
command_includes ('exit')Related Articles
You’re invited: Four phishing lures in campaigns dropping RMM tools