KongTuke: A King Among Threat Groups
ID: 0c9820bf-4c0b-5e61-ae38-74476461a660
STIX ID: report--0c9820bf-4c0b-5e61-ae38-74476461a660
Feed Name: LevelBlue SpiderLabs Blog
KongTuke, a sub-group of the FAKEUPDATES operation, compromises WordPress sites and injects obfuscated JavaScript that hands each visitor to a Traffic Distribution System (TDS). The TDS fingerprints the visitor and selectively delivers malware through social-engineered prompts: fake Chrome update pages and ClickFix lures that place a command on the clipboard for the victim to paste and run. Initial access to the sites comes from stolen credentials or plugin misconfigurations, and the operators target high-traffic domains across industries. On the endpoint the campaign uses persistent loaders and a custom XOR+Gzip+zlib scheme for exfiltrated data, and it is linked to several other malware and ransomware operators. Notable network indicators include the TDS endpoints /land.php and /update.php and a consistent misspelling of the referer parameter as "refferer".
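A hunting query over web-proxy or access logs, as an added example that is not part of the LevelBlue SpiderLabs post or its detection content. It uses only the indicators the summary names: requests to /land.php or /update.php and a query string carrying the misspelled parameter name "refferer". The Combined Log Format parser and the sample log lines are constructed for illustration; the scoring (path plus parameter = high, either alone = medium) is this example's assumption, since /update.php is a common filename on legitimate sites.

```python
"""Hunt for KongTuke TDS indicators in access-log lines.

Added example, not the post's own code. Matches the endpoint names and the
"refferer" query-parameter misspelling named in the summary. The log format
(Combined Log Format) and all sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2025:10:01:02 +0000] "GET /land.php?refferer=https%3A%2F%2Fexample.test%2Fblog HTTP/1.1" 200 512 "https://example.test/blog" "Mozilla/5.0"
10.0.0.6 - - [12/Jun/2025:10:01:05 +0000] "GET /update.php?refferer=https%3A%2F%2Fexample.test HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jun/2025:10:02:11 +0000] "GET /land.php?referer=https%3A%2F%2Fexample.test HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Jun/2025:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2025:10:04:44 +0000] "GET /assets/update.php?v=2 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint basenames named in the summary; matched on the final path segment
# because the scripts live on compromised sites and may sit under any directory.
TDS_PATHS = {"/land.php", "/update.php"}
# Misspelled query-parameter name named in the summary.
TDS_PARAM = "refferer"


def classify(line):
    """Score one log line. Returns a finding dict or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    basename = "/" + parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)

    path_hit = basename in TDS_PATHS
    param_hit = TDS_PARAM in params
    if path_hit and param_hit:
        level = "high"      # both indicators together
    elif path_hit or param_hit:
        level = "medium"    # one indicator alone; confirm before escalating
    else:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "params": sorted(params),
        "level": level,
    }


def hunt(log_text):
    """Return findings for every line in log_text that matched an indicator."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"{finding['level']:<6} {finding['ip']:<10} {finding['path']} params={finding['params']}")
```

Run against the constructed sample, the two lines combining a TDS endpoint with a "refferer" parameter score high; the correctly spelled "referer" and the /assets/update.php?v=2 request score medium because only the path matched. A medium hit on /update.php alone is weak evidence on its own: pull the response body and check for the obfuscated JavaScript the summary describes before treating it as a compromise.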
