References
VT Collections
MalwareBazaar
Vendor References
Technical Details
KongTuke (also tracked as TAG-124 / LandUpdate808) is a Traffic Distribution System (TDS) that leverages compromised legitimate websites to inject malicious JavaScript. Visitors are redirected through a TDS gate, which fingerprints the browser/OS and conditionally serves a JScript dropper.
Infection Chain (Observed)
- Compromised site injects a `<script>` tag pointing to the KongTuke TDS gate
- TDS serves a JScript (.js) dropper — 16,945 lines, ~95% junk padding
- JScript dropper performs:
  - Self-copies to `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\` for persistence
  - Constructs an obfuscated PowerShell command using Unicode garbage string replacement
  - Launches it via WMI (`Win32_Process.Create`) with a hidden window
- PowerShell stage decodes a 4-layer obfuscated payload:
  - Layer 1: Unicode delimiter removal (`.split("delimiter").join("")`) — Base64 payload extraction
  - Layer 2: Base64 decode (`[Convert]::FromBase64String`)
  - Layer 3: XOR with single-byte key
  - Layer 4: Base64 inner layer + XOR with multi-byte key
- Decoded PowerShell downloads two payloads:
  - `ABCD111` — Primary payload (MSI installer)
  - `BCDA222` — Secondary payload
- C2 path pattern: `/m` endpoint
- Delivers IcedID/Latrodectus via MSI installer chain (WiX-based, containing a trojanized `custom.dll`)
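The four decode layers listed above, carried through in Python as an added analyst-side example (this is not code from the write-up or from the sample). The delimiter, both XOR keys and the plaintext are constructed for the example; the delimiter reuses two characters of delimiter 1 shown on this page. It goes one step beyond the text: Layer 3's output must itself be Base64 text, so the single-byte key can be brute-forced instead of being read out of the stager.

```python
import base64
import binascii
import string

# Constructed parameters for this example; the keys are NOT from the real sample.
DELIMITER = "\u1d27\u23e0"      # two of the delimiter-1 characters, used as a test delimiter
KEY_SINGLE = 0x5A               # hypothetical Layer-3 single-byte XOR key
KEY_MULTI = b"k0ngtuk3"         # hypothetical Layer-4 multi-byte XOR key
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key gives the single-byte case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_fixture(plaintext: str) -> str:
    """Constructed test blob layered exactly as the four layers describe:
    inner XOR+Base64, outer XOR+Base64, then garbage-delimiter insertion."""
    inner = base64.b64encode(xor_bytes(plaintext.encode(), KEY_MULTI))  # Layer 4
    outer = base64.b64encode(xor_bytes(inner, bytes([KEY_SINGLE])))     # Layers 3 + 2
    text = outer.decode("ascii")
    return DELIMITER.join(text[i:i + 4] for i in range(0, len(text), 4))  # Layer 1


def candidate_single_byte_keys(layer2: bytes) -> list:
    """Layer 3's output must be Base64 text, so the one-byte key can be
    brute-forced: keep every key whose XOR result stays inside the alphabet."""
    keys = []
    for k in range(256):
        cand = xor_bytes(layer2, bytes([k]))
        if all(chr(b) in B64_ALPHABET for b in cand):
            keys.append(k)
    return keys


def _looks_like_text(data: bytes) -> bool:
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_stage(blob: str, delimiter: str, key_multi: bytes) -> str:
    """Peel the four layers without knowing the single-byte key in advance."""
    layer1 = blob.replace(delimiter, "")        # .split(delimiter).join("") equivalent
    layer2 = base64.b64decode(layer1)           # [Convert]::FromBase64String
    for key in candidate_single_byte_keys(layer2):
        layer3 = xor_bytes(layer2, bytes([key]))
        try:
            inner = base64.b64decode(layer3, validate=True)   # Layer 4 inner Base64
        except (binascii.Error, ValueError):
            continue                                          # wrong key: not Base64
        final = xor_bytes(inner, key_multi)                   # Layer 4 multi-byte XOR
        if _looks_like_text(final):
            return final.decode("utf-8")
    raise ValueError("no single-byte XOR key yields a Base64 inner layer")


if __name__ == "__main__":
    sample = "Write-Host 'decoded stage reached'"
    print(decode_stage(build_fixture(sample), DELIMITER, KEY_MULTI))
```

The multi-byte key of Layer 4 is not recoverable the same way, because its output is the final script rather than another encoding layer; in practice it is read from the stager alongside the delimiter string.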
Obfuscation Techniques
The JScript dropper uses Unicode garbage string injection rather than traditional concatenation:
- Two distinct multi-character Unicode sequences are used as delimiters throughout strings
  - Delimiter 1: `ᴧ⏠ͬ࠷܊` — used in the Base64 payload variable (`.split("ᴧ⏠ͬ࠷܊").join("")`)
  - Delimiter 2: `⯺ቿℚش␜ᄄ∻ӟ̙🕦᭮∔✿` — used in the PowerShell command construction (`.replace(/⯺ቿℚش␜ᄄ∻ӟ̙🕦᭮∔✿/g, "")`)
- Both produce clean strings when the garbage sequences are stripped
AMSI Bypass
The Invoke-Expression call is fragmented across the Unicode garbage delimiters:
`" | In⯺ቿ...voke-E⯺ቿ...x⯺ቿ...pres⯺ቿ...sio⯺ቿ...n"`
After `.replace()`, this becomes `| Invoke-Expression`.
The star-delimited AMSI bypass pattern (`I*nv*o*k*e*-*E*x*p*r*e*s*s*i*o*n`) is also commonly observed in KongTuke variants.
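A detector-side normalizer for the three fragmentation forms mentioned above (Unicode garbage, star delimiters, backticks), added here as an example; it is not code from the write-up. The sample command lines are constructed and use only two characters of delimiter 2 in place of the full sequence; the indicator list is an assumption for the example.

```python
import re

# Constructed command lines modelled on the fragmentation described above; they are
# not copied from the real sample. GARBAGE holds two characters of delimiter 2.
GARBAGE = "\u2bfa\u127f"
SAMPLES = {
    "unicode_garbage": (
        'powershell -w hidden -c "$d | In' + GARBAGE + 'voke-E' + GARBAGE + 'x'
        + GARBAGE + 'pres' + GARBAGE + 'sio' + GARBAGE + 'n"'
    ),
    "star_delimited": "powershell -c \"$c='I*nv*o*k*e*-*E*x*p*r*e*s*s*i*o*n'; ...\"",
    "backtick": 'powershell -c "I`nv`ok`e-E`xp`re`ss`io`n $d"',
    "benign_wildcard": 'powershell -c "Get-ChildItem C:\\Logs\\*.log | Select-Object Name"',
}

# Indicators checked on the normalized text (assumed list, case-insensitive).
INDICATORS = {
    "invoke-expression": re.compile(r"invoke-expression", re.IGNORECASE),
    "iex": re.compile(r"\biex\b", re.IGNORECASE),
    "frombase64string": re.compile(r"frombase64string", re.IGNORECASE),
    "bxor": re.compile(r"-bxor\b", re.IGNORECASE),
    "downloaddata": re.compile(r"downloaddata", re.IGNORECASE),
}


def normalize(cmd: str) -> str:
    """Undo the fragmentation tricks so a signature sees the joined cmdlet name."""
    s = re.sub(r"[^\x00-\x7f]+", "", cmd)             # drop every run of non-ASCII garbage
    s = s.replace("`", "")                               # drop PowerShell's escape character
    s = re.sub(r"(?<=[A-Za-z-])\*(?=[A-Za-z-])", "", s)  # star between letters only; real wildcards stay
    return s


def scan(cmd: str) -> dict:
    """Indicator hits on the normalized text, plus whether fragmentation hid them."""
    norm = normalize(cmd)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    raw_hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return {"hits": hits, "fragmented": bool(set(hits) - set(raw_hits)), "normalized": norm}


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, scan(line))
```

Stripping backticks also collapses genuine escapes such as `` `n `` inside double-quoted strings; for a detector that over-joins rather than under-joins, that trade-off is acceptable.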
Execution via WMI
The dropper avoids `WScript.Shell.Run()` by using WMI process creation:
```javascript
GetObject("winmgmts:root\\cimv2")
    .Get("Win32_Process").Create(command, workdir, startupInfo, 0);
```
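Because the child process is created by the WMI provider host rather than by the script host, the parent/child relationship is the telemetry a defender can key on. The following is an added example (not from the write-up) that triages constructed Sysmon-style process-creation and file-create events for the two behaviours described on this page: a script host spawned by `WmiPrvSE.exe` with a hidden window, and a `.js` written to the Startup folder. Paths and command lines are illustrative assumptions.

```python
import re

# Constructed Sysmon-style events (Event ID 1 = process creation, 11 = file create).
# Paths and command lines are illustrative, not taken from the real sample.
EVENTS = [
    {
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": 'powershell -w hidden -c "..."',
    },
    {
        "EventID": 11,
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stage1.js",
    },
    {
        "EventID": 1,
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": "svchost.exe -k netsvcs",
    },
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)  # other abbreviations exist
SCRIPT_EXTS = (".js",)   # the page documents a .js dropper; widen as needed


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(ev: dict) -> list:
    """Return the reasons (possibly none) this single event is suspicious."""
    reasons = []
    if ev["EventID"] == 1:
        if basename(ev["ParentImage"]) == "wmiprvse.exe" and basename(ev["Image"]) in SCRIPT_HOSTS:
            reasons.append("script host spawned by WMI provider host (Win32_Process.Create)")
        if HIDDEN_RE.search(ev.get("CommandLine", "")):
            reasons.append("hidden window requested on command line")
    elif ev["EventID"] == 11:
        target = ev["TargetFilename"]
        if STARTUP_RE.search(target) and target.lower().endswith(SCRIPT_EXTS):
            reasons.append("script dropped into the Startup folder (persistence)")
    return reasons


def triage(events: list) -> list:
    """(index, reasons) for every event that raised at least one reason."""
    flagged = []
    for i, ev in enumerate(events):
        reasons = flag_event(ev)
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for idx, why in triage(EVENTS):
        print(idx, "; ".join(why))
```

Legitimate management tooling (SCCM, some monitoring agents) also creates processes through WMI, so the parent/child pair is best scored together with the hidden-window flag and the Startup-folder write rather than alerted on alone.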
Portuguese Language Indicator
Error string: `"Erro ao executar decempeporomya. Código: "` — indicates a Portuguese-speaking developer or operator.
MITRE ATT&CK
- T1189 — Drive-by Compromise (compromised site redirect)
- T1059.007 — Command and Scripting Interpreter: JavaScript
- T1059.001 — Command and Scripting Interpreter: PowerShell
- T1027.013 — Obfuscated Files or Information: Encrypted/Encoded File (multi-layer XOR+B64)
- T1562.001 — Impair Defenses: Disable or Modify Tools (AMSI bypass via string fragmentation)
- T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1047 — Windows Management Instrumentation (WMI process creation)
Samples
| Description | SHA256 |
| --- | --- |
| stage1.js (JScript dropper) | 4b7857b0c84613d3132f968d6b0022a1cda6244fc425e0f2d5bdd79494cd6867 |
| IcedID chain collection | See VT collection above |
YARA Rules
Rules verified against real samples with zero false positives. `KongTuke_JS_Loader` matched on stage1.js (all 7 strings hit). `KongTuke_PS_Stager` targets the decoded PowerShell payload.
```yara
rule KongTuke_JS_Loader {
    meta:
        author = "Lenard"
        description = "KongTuke/TAG-124 TDS JavaScript loader with Unicode garbage string obfuscation"
        date = "2026-03-13"
        reference = "https://www.virustotal.com/gui/collection/da9ed0362274f8098901d6e7735f1d4a22eb6a286e4b708e1a13d92f4a311e54"
        malpedia_family = "js.kongtuke"
    strings:
        // Unicode garbage string split/replace — KongTuke signature obfuscation
        $obf_split = /\.split\("[^\x00-\x7F]{2,}"\)\.join\(""\)/ ascii
        $obf_replace = /\.replace\(\/[^\x00-\x7F]{2,}\/g,\s*""/ ascii
        // Portuguese error string — developer/operator language indicator
        $pt_error = "Erro ao executar" ascii wide
        // ActiveXObject usage patterns (JScript dropper)
        $ax1 = "Scripting.FileSystemObject" ascii
        $ax2 = "WScript.Shell" ascii
        $ax3 = "WScript.ScriptFullName" ascii
        // Startup folder persistence
        $persist = "Startup" ascii
    condition:
        (1 of ($obf*)) and
        (
            ($pt_error) or
            (2 of ($ax*)) or
            (2 of ($ax*) and $persist)
        )
}

rule KongTuke_PS_Stager {
    meta:
        author = "Lenard"
        description = "KongTuke/TAG-124 PowerShell stager with XOR+Base64 layered obfuscation and dual beacon"
        date = "2026-03-13"
        reference = "https://www.virustotal.com/gui/collection/da9ed0362274f8098901d6e7735f1d4a22eb6a286e4b708e1a13d92f4a311e54"
        malpedia_family = "js.kongtuke"
    strings:
        // Star-delimited AMSI bypass (Invoke-Expression)
        $amsi1 = "I*nv*o*k*e*-*E*x*p*r*e*s*s*i*o*n" ascii wide nocase
        $amsi2 = "I`nv`ok`e-E`xp`re`ss`io`n" ascii wide nocase
        // Dual beacon naming pattern
        $beacon1 = "ABCD111" ascii wide
        $beacon2 = "BCDA222" ascii wide
        // Base64 + XOR layered decode pattern (PowerShell)
        $decode1 = "FromBase64String" ascii wide nocase
        $decode2 = "-bxor" ascii wide
        // Download patterns
        $dl1 = "DownloadData" ascii wide nocase
        $dl2 = "Net.WebClient" ascii wide nocase
        $dl3 = "Invoke-Expression" ascii wide nocase
    condition:
        ($amsi1 or $amsi2) or
        ($beacon1 and $beacon2) or
        ($decode1 and $decode2 and 1 of ($dl*))
}
```