
A malicious traffic distribution system, KongTuke uses compromised WordPress sites to deliver ever-evolving lures to unsuspecting users.
KongTuke (aka Chaya_002/LandUpdate808/TAG-124) is a traffic distribution system (TDS) that uses compromised WordPress sites to deploy malicious code. Traffic distribution systems are often used legitimately; they are platforms designed to filter and redirect network traffic, and were originally developed for use by digital advertisers. That said, they have since been abused by adversaries to such a degree that the phrase “malicious TDS” could be considered redundant.
Adversaries leverage TDS infrastructure to:
Malicious traffic distribution systems use compromised websites to redirect traffic and execute malicious code
Adversaries deploy extensive TDSs, like KongTuke, that navigate victims through a tangled network of domains. The content delivered ranges from outright malicious to ad-revenue-focused, or even legitimate content strategically placed to evade researchers.
First publicly reported in May 2024 and named for an early C2 domain it used, kongtuke[.]com, KongTuke is one such TDS. One of its key identifiers is leveraging compromised WordPress sites that display JavaScript pop-ups to trick visitors into downloading and executing payloads. The compromised websites are injected with malicious JavaScript code intended to trick the user into downloading malicious payloads through a variety of lures.
KongTuke and the lures it distributes have changed over time. When we first started tracking KongTuke prior to 2025, the injected code would display fake Chromium browser update landing pages. In January 2025, researchers reported KongTuke websites using the fake CAPTCHA variant of paste and run (aka ClickFix) to trick users into executing malicious code and downloading payloads, which Red Canary also observed.
In April 2025, KongTuke reportedly used the “FileFix” version of paste and run as well. Red Canary noted a lull from May through July before activity picked back up again, reaching a second peak in September before decreasing toward the end of the year. In November and December 2025, Red Canary and other researchers observed KongTuke distributing paste-and-run lures that leveraged finger.exe.
When users access an infected KongTuke website, adversary-controlled resources are loaded silently, resulting in the fake landing pages popping up. When users interact with the lures—for example, if they click on the “Update Chrome” button on the landing page—a malicious payload with a filename like update_28_05_2024_9921804.exe or ChromeUpdateInstaller.js is downloaded to the victim’s device, followed by additional payload-dependent activity, if not stopped and remediated.
KongTuke has been linked to ransomware, including Rhysida and the Interlock ransomware group. We’ve observed various groups and malware families successfully execute KongTuke, including:
Red Canary does not have visibility into the entire KongTuke intrusion chain. Many users may encounter the compromised WordPress websites during the course of normal browsing without interacting with the lures displayed by KongTuke pages and executing their code. Because KongTuke uses multiple lures and delivers a variety of payloads, relevant endpoint behaviors may appear in different ways, depending on the payload.
Attribution to KongTuke can be made via OSINT reporting of compromised domains or by pivoting to analyze the JavaScript references on compromised sites, for example <script async="" src="{malicious JavaScript}">. Also, server-side JavaScript filenames may follow the pattern of {digit}{letter}{digit}{letter}.js, like 6t4r.js or 5t6y.js.
For threats like KongTuke that rely on deceiving users into interacting with their lures, user education can be helpful in preventing initial access.
cmd.exe with start and exit in the command prompt
The following pseudo-detection analytic identifies explorer.exe executing cmd.exe with start and exit in the command prompt. We commonly observe this kind of command-line interface (CLI) in conjunction with a wide variety of malicious activity, including paste-and-run lures distributed via KongTuke webpages. We recommend investigating the child processes from the instance of the command prompt and the additional content that will also be executed in this CLI, such as any scripts, executables, or other LOLbins.
process_parent == (explorer.exe)
&&
process == (cmd.exe)
&&
command_includes ('start')
&&
command_includes ('exit')
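As an added example (not Red Canary's code), the pseudo-analytic above implemented in Python over constructed process-start events, together with a check for the {digit}{letter}{digit}{letter}.js filename pattern noted in the attribution section. The event fields and sample command lines are assumptions modelled on typical EDR telemetry; the start/exit match is tightened to whole words so that tokens such as "startup" do not fire.

```python
import re
from dataclasses import dataclass

# Server-side script names noted above follow {digit}{letter}{digit}{letter}.js
KONGTUKE_JS_NAME = re.compile(r"^\d[a-z]\d[a-z]\.js$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """One process-start record; field names are assumed, not a specific EDR schema."""
    parent: str
    process: str
    command_line: str


def matches_kongtuke_js_name(filename: str) -> bool:
    """True if the filename fits the 6t4r.js / 5t6y.js pattern."""
    return KONGTUKE_JS_NAME.match(filename) is not None


def _has_word(command_line: str, word: str) -> bool:
    # Whole-word match; slightly stricter than a plain command_includes substring test
    return re.search(rf"\b{re.escape(word)}\b", command_line, re.IGNORECASE) is not None


def is_explorer_cmd_start_exit(event: ProcessEvent) -> bool:
    """explorer.exe -> cmd.exe with both 'start' and 'exit' on the command line."""
    return (
        event.parent.lower().endswith("explorer.exe")
        and event.process.lower().endswith("cmd.exe")
        and _has_word(event.command_line, "start")
        and _has_word(event.command_line, "exit")
    )


def find_suspicious(events):
    """Return the events the analytic flags for follow-up investigation."""
    return [e for e in events if is_explorer_cmd_start_exit(e)]


# Constructed sample telemetry, not real captures
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c start "" "C:\Users\Public\ChromeUpdateInstaller.js" & exit'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Users\Public\startup"),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c start backup.bat && exit"),
]
```

Only the first sample event is flagged: the second lacks a whole-word "start" and "exit", and the third has a non-explorer parent.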