2025-04-22 (Tuesday): Always fun to find the fake CAPTCHA pages with the #ClickFix style instructions trying to convince viewers to infect their computers with malware.

Saw #StealC from an infection today.

Indicators available at https://github.com/malware-traffic/indicators/blob/main/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt

#ClipboardHijacking #Pastejacking


Social media post I wrote for my employer on other platforms.

2025-04-04 (Friday): Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste script into a Run window. Latest info at

Information from an infection run earlier today at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt

Of note, we can find legitimate websites with the injected #KongTuke script by pivoting on the KongTuke domain in URLscan:

https://urlscan.io/search/#lancasternh.com

You won't like pastejacking, the technique cybercriminals use to sneak into your computer

The technique known as "pastejacking" is back in the cybercriminal spotlight. It lets hackers deploy a sophisticated piece of malware, "named Darkgate", in a very sneaky way. A breakdown of this fast-growing threat.

Clubic.com
@neil I use Tilix, and have it set to "Strip first character of paste if comment or variable declaration" - works 99% of the time - of course, one shouldn't just copy and paste from sites anyway #pastejacking