KongTuke: ClickFix on Steroids

21.01.2026 00:00

KongTuke: ClickFix on Steroids

KongTuke is a threat actor that has recently increased their usage of ClickFix and ClickFix-styled attacks. They’ve begun to utilize a branching infection path based on the domain status of an infected device. If the device is domain joined, it will receive a different payload from non-domain joined devices. As Huntress notes, this is likely to identify and target Active Directory environments (also go read that write up, it’s way better than this!).

SSA AI Phishing

08.01.2026 00:00

SSA AI Phishing

In another episode of ChatGPT-ass malware, we have this beautiful sample from a Social Security Administration phishing page taken from an incident on January 8th, 2026. If this is your phishing page, you should probably feel bad.

The phishing page itself is hosted on a XAMPP (Apache + MariaDB + PHP + Perl) stack on a Windows server using a free Cloudflare tunnel. Of course, they didn’t put any effort into configuring their server, so the default pages are easily accesible.

Introduction to Malware Analysis Workshop

03.01.2026 00:00

Slides from the Introduction to Malware Analysis workshop held on January 3rd, 2026. Samples are linked in the slides, but can also be acquired at Introduction to Malware Analysis Workshop Samples.

Direct Link

AceLauncher

15.12.2025 00:00

AceLauncher

AceLauncher is a Potentially Unwanted Program (PUP) similar to Wave Browser, OneStart, and OneLaunch. It’s a Chromium based browser that creates several tasks, AppData directories, and registry keys to maintain persistence on a device. While not overtly malicious, users will likely want to remove the browser as it does redirect and serve potentially malicious content. This includes functions that link to ManualsLib domains and references to Wave Browser and Recipe Lister. The browser also uses Yahoo’s Hosted Search platform to serve sponsored content driving revenue to the AceLauncher organization.

Phishing

25.11.2025 00:00

Phishing

I recently analyzed the following phishing email. It contains a Microsoft account harvester and has some interesting anti-analysis functions. I didn’t do a full dive on it, but there’s some interesting stuff here.

Examining the email in a text editor revealed that the headers had been manipulated.

The QR code image was extracted from the email via the Base64 encoded string object. This was put into CyberChef for rasterization and analysis.

LogMeIn Unattended Installer

05.11.2025 00:00

LogMeIn Unattended Installer

A user received a phishing email that redirected the to hxxps[://]popthecard[.]pages[.]dev. This page claimed that a friend had sent an invitation, and that the user must download and open it on a windows laptop or desktop to view it. The page automatically downloaded the file VelvetPaperCo.exe (in similar incidents, invitation.exe).

The page itself is rather basic, with the following JavaScript code handling the download function. It simply sets a timeout and executes a function that reaches out to a public CloudFlare R2 bucket that hosts the malicious RMM installer.

Fisher-Price Malware

29.10.2025 00:00

Fisher-Price Malware

With the rise of AI, Vibe-Coded malware is now an existing threat. Sort of? In the way that a wet noodle could potentially kill you in the right circumstances, Vibe-Coded malware could also pose a threat. It’s just very unlikely. At least, with the current iterations out there.

Enter what I’m calling “Baby’s first malware” AKA “Fisher-Price Malware”. A Vibe-Coded sample found on a users’ device. It’s an “obfuscated” PowerShell loader that pulls a payload that… takes screenshots and uploads them? Kind of? Technically, it works. Sometimes. In perfect conditions.

BSides TC Talk: Click, Paste, Compromise: Unpacking ClickFix

18.10.2025 00:00

Slides from BSides TC 2025 talk.

Direct Link

Node Malware / EvilAI

09.10.2025 00:00

Node Malware

Node.js is commonly used to deploy stealers on devices. Often, these incidents include WebView2 applications bundled into InnoSetup installers. These installers use custom scheduled task XML configurations to deploy tasks that run malcious Node.js scripts on the host device. Also referred to as EvilAI - TrendMicro

The linked article does a great job of breaking these down. They’re essentially .net assemblies that use WebView2 and AI-generated “web applications” (read vibe-coded html pages). These applications are bundled into an InnoSetup installer with node and a malicious script. When the installer runs, it sets up a scheduled task to execute the node script. The user only sees the intended “legitimate” AI web app get installed.

ClickFix - NetSupport RAT

23.09.2025 00:00

ClickFix - NetSupport RAT

Incident Overview

On Saturday, Spetember 20th, 2025, A user visited a compromised domain serving a malicious redirect to a ClickFix campaign page. This campaign utilized a dynamic ClickFix template that builds legitimate appearing captcha turnstiles based on passed parameters. This specific ClickFix template has been covered in the article ClickFix - The RAT that almost got away. The campaign attempted to deliver a NetSupport RAT via a PowerShell loader. This loader is also a part of the kit, but some minor changes have occured between the previous incidents and this current campaign.

1 of 5 Next Page