Detected #KongTuke infection chain
Compromised site
-->
wuliaox[.]com/2g5a.js
-->
wuliaox[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
stgbran[.]com/5a2g.js
-->
stgbran[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
foodgefy[.]com/6o0jk.js
-->
foodgefy[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
ts4style[.]com/5fa3.js
-->
ts4style[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
ainttby[.]com/6f54.js
-->
ainttby[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
mieyabi[.]com/5j1s.js
-->
mieyabi[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
netzhit[.]com/5s8h.js
-->
netzhit[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
ctpsih[.]com/2d5h.js
-->
ctpsih[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
benecian[.]com/4a7s.js
-->
benecian[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
benecian[.]com/4a7s.js
-->
benecian[.]com/js.php (ClickFix)
-->
(finger)://142[.]93.242.144:79/captcha
3143d90eae4bdce90b538652cefc1ba92a69856a77cbe33a6947120c6d0fe3ca captcha@142.93.242.144
Detected #KongTuke infection chain
Compromised site
-->
tefalle[.]com/5a7h.js
-->
tefalle[.]com/js.php (ClickFix)
-->
(finger)://142[.]93.242.144:79/captcha
ca6a5f4df6d679ca7f465eaea20660f69e946c4d215b34b270891afac5833f08 captcha@142.93.242.144
Detected #KongTuke infection chain
Compromised site
-->
rpgpals[.]com/9n4d.js
-->
rpgpals[.]com/js.php (ClickFix)
Detected #KongTuke infection chain
Compromised site
-->
rpgpals[.]com/9n4d.js
-->
rpgpals[.]com/js.php (ClickFix)
-->
(finger)://68[.]183.102.175:79/captcha
f3b81538a4127a0ae33f144d591c4bde03c027c077ce6a5251be14dfe34dc0c4 captcha@68.183.102.175
Detected #KongTuke infection chain
Compromised site
-->
weibast[.]com/5m1d.js
-->
weibast[.]com/js.php (ClickFix)
-->
(finger)://68[.]183.102.175:79/captcha
f3b81538a4127a0ae33f144d591c4bde03c027c077ce6a5251be14dfe34dc0c4 captcha@68.183.102.175
Detected #KongTuke infection chain
Compromised site
-->
nflportal[.]com/5f2a.js
-->
nflportal[.]com/js.php (ClickFix)
-->
(finger)://143[.]198.120.233:79/captcha
8d52d6d62dfb318520ccc16a9a7fcce4ae83bc528c0ea030498d873a1e8fc7cd captcha@143.198.120.233
Detected #KongTuke infection chain
Compromised site
-->
payinty[.]com/4s4m.js
-->
payinty[.]com/js.php (ClickFix)
-->
(finger)://144[.]31.169.1:79/captcha
478aed491279bc953ecee8cc7edc569d25c6bd386057f0bbf78486eae9c76275 captcha@144.31.169.1
Detected #KongTuke infection chain
Compromised site
-->
monseftq[.]com/5f7b.js
-->
monseftq[.]com/js.php (ClickFix)
-->
(finger)://144[.]31.169.1:79/captcha
478aed491279bc953ecee8cc7edc569d25c6bd386057f0bbf78486eae9c76275 captcha@144.31.169.1

NOTE: This has been updated to correct the malware names. Thanks, @netresec!

2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html

Detected #KongTuke infection chain
Compromised site
-->
soulversr[.]com/1d2g.js
-->
soulversr[.]com/js.php (ClickFix)
-->
(finger)://144[.]31.238.37:79/captcha
2e7a78d5d6abde8be81283091ed5ad12458b99cc5d4d685b613981d4e76aa928 captcha@144.31.238.37
Detected #KongTuke infection chain
Compromised site
-->
jenmartini[.]com/6b7n.js
-->
jenmartini[.]com/js.php (ClickFix)
-->
(finger)://144[.]31.238.37:79/captcha
110c1528c63451a376d49ddf272e9922ffb38798e1fabf385d3f85164127130a captcha@144.31.238.37