KongTuke web inject for fake CAPTCHA page

Intel Name: KongTuke web inject for fake CAPTCHA page

Date of Scan: April 10, 2025

Impact: High

Summary:
The attack chain begins with a malicious script injected into legitimate but compromised websites. This script redirects users to a fake CAPTCHA page designed to mimic a “verify you are human” check. The deceptive CAPTCHA page performs clipboard hijacking—also known as pastejacking—by injecting malicious code into the user’s clipboard. This campaign, tracked as #KongTuke by sources like @monitorsg on Mastodon and ThreatFox, shows post-infection traffic patterns resembling Async RAT. However, the final payload remains unidentified, and no sample is currently available.
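
For defenders triaging saved page source, the sketch below flags the combination described in the summary: a script-driven clipboard write on a page that shows "verify you are human" wording. It is an added example, not code from the report or from the campaign; the pattern lists, the function names and both sample pages are constructed for illustration.

```javascript
// Added example: static triage of saved page source for pastejacking.
// The patterns are illustrative assumptions, not indicators from the report.
const CLIPBOARD_WRITES = [
  ["clipboard.writeText", /navigator\s*\.\s*clipboard\s*\.\s*writeText\s*\(/],
  ["clipboard.write", /navigator\s*\.\s*clipboard\s*\.\s*write\s*\(/],
  ["execCommand(copy)", /document\s*\.\s*execCommand\s*\(\s*["'`]copy["'`]/],
];
const LURES = [
  ["verify-human", /verify\s+(?:that\s+)?you(?:\s+are|'re|’re)\s+(?:a\s+)?human/i],
  ["not-a-robot", /i\s*(?:am|'m|’m)\s+not\s+a\s+robot/i],
];

// Return the names of all patterns that match the given text.
function matchNames(patterns, text) {
  return patterns.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Drop script/style bodies and tags so only user-visible wording remains.
function visibleText(html) {
  return html
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, " ")
    .replace(/<[^>]+>/g, " ")
    .replace(/\s+/g, " ");
}

// Clipboard writes are searched in the raw source (inline scripts and event
// handlers); lure wording is searched only in what the visitor would read.
function triagePage(html) {
  const clipboardWrites = matchNames(CLIPBOARD_WRITES, html);
  const lures = matchNames(LURES, visibleText(html));
  let verdict = "clean";
  if (clipboardWrites.length && lures.length) verdict = "suspicious";
  else if (clipboardWrites.length) verdict = "review"; // e.g. a copy button
  return { verdict, clipboardWrites, lures };
}

// Constructed samples (not captured from the campaign).
const FAKE_CAPTCHA = `<html><body><h1>Verify you are human</h1>
<button onclick="navigator.clipboard.writeText(PLACEHOLDER_TEXT)">Continue</button>
</body></html>`;
const DOCS_PAGE = `<html><body><pre id="c">npm test</pre>
<script>document.querySelector("#c").onclick = e =>
  navigator.clipboard.writeText(e.target.textContent);</script></body></html>`;

console.log(triagePage(FAKE_CAPTCHA), triagePage(DOCS_PAGE));
```

A "review" verdict covers ordinary copy-to-clipboard buttons, so only the co-occurrence with verification wording is escalated. Scripts loaded from another host are not fetched here and need separate inspection.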
