
DefenseStorm CTS Ops observed this attack in the wild and analyzed it in a controlled lab environment. A user was tricked into pasting a PowerShell command that downloaded and executed a two-stage Python implant. The payload fingerprints the host, exfiltrates data to a rotating pool of C2 servers, and establishes persistence through registry keys and scheduled tasks. C2 infrastructure overlaps with known KongTuke campaign activity from early 2026.
Threat Investigation: KongTuke Attribution
Obfuscated Python implant with confirmed C2 communication
On April 27, 2026, DefenseStorm CTS Ops identified a ClickFix social engineering attack targeting a monitored endpoint. The attack was observed in the wild and subsequently analyzed in a controlled lab environment. The user was directed to copy and paste a PowerShell command into the Windows Run dialog to “fix” a fabricated issue on their device.
The command downloaded a ZIP archive from Dropbox containing a portable WinPython distribution and two obfuscated Python scripts: collector.py and Pmanager.py. The archive ensured Python was available on the victim machine without a prior installation.
collector.py runs first. It collects the username, hostname, privilege level, domain membership, Active Directory computer count, running processes, active TCP connections, ARP table, and MAC address. It writes everything to C:\Windows\Temp\configA.json, disguised as a configuration file.
Thirty seconds later, Pmanager.py launches. Initial triage indicates this file handles data exfiltration and two-way C2 communication with a rotating pool of remote IPs. It also writes to the Run registry key and creates scheduled tasks running as SYSTEM to survive reboots.
Both files returned zero detections on VirusTotal at the time of analysis, which means the samples are either novel or obfuscated enough to evade signature-based detection.
Three of the five C2 IP addresses fall in the 64.95.0.0/16 block, the same range as confirmed KongTuke C2 infrastructure documented in January 2026 ClickFix campaigns. This overlap, combined with the ClickFix delivery mechanism and Python-based implant architecture, strongly suggests this is an evolution of the ModeloRAT/KongTuke activity tracked by Huntress, Microsoft, and malware-traffic-analysis.net earlier this year.
Analysis of Pmanager.py is ongoing. None of these IP addresses were flagged as malicious on VirusTotal at the time of analysis (April 27, 2026, 9:58 PM EDT).
| IP address | VirusTotal link |
|---|---|
| 45.61.136.94 | virustotal.com |
| 64.95.12.238 | virustotal.com |
| 162.33.179.149 | virustotal.com |
| 64.95.13.76 | virustotal.com |
| 64.95.10.14 | virustotal.com |
| File | SHA-256 |
|---|---|
| Pmanager.py | 1b391471f91dabb542e3168c39da8c915d50fa1d5110555428eb732f9ca5f724 |
| collector.py | 0b116bc9a9b9b8f0aa951955bc5846d4c686d5f867c4260fbb6ae2a594a67410 |
The infection starts with a PowerShell one-liner encoded as a decimal ASCII array and executed through iex (Invoke-Expression). The user was directed to paste this into the Windows Run dialog as part of the ClickFix social engineering lure.
The encoded command decodes to a script that performs the following steps:
1. Downloads a ZIP archive from Dropbox to %APPDATA%\Winp.zip. The archive contains a portable WinPython distribution (WPy64-31401), so Python does not need to be installed on the victim machine.
2. Extracts the archive to %APPDATA% and deletes the ZIP file.
3. Executes collector.py via pythonw.exe (headless, no console window). This script fingerprints the host.
4. Waits 30 seconds, then launches Pmanager.py for C2 communication and persistence.
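The delivery stage is the first place a defender can catch this chain. The Python below is an added detection example, not code from DefenseStorm or from the report: it decodes any decimal ASCII array found in a process-creation command line and raises a finding when the line also carries an iex/Invoke-Expression cue or when the decoded text names the stage-two behaviours described above. The command lines it scans are constructed samples (the encoded text is only "echo appdata"), not the observed lure.

```python
import re

# A comma-separated run of decimal byte values, the encoding the report describes for the lure.
_DEC_ARRAY = re.compile(r"(?:\d{1,3}\s*,\s*){7,}\d{1,3}")
# Execution cues on the command line itself (the report names iex / Invoke-Expression).
_EXEC_CUES = ("iex", "invoke-expression")
# Stage-two behaviours from the report that may show up in the decoded text.
_STAGE_CUES = ("dropbox", "expand-archive", "pythonw", "appdata", "http")

def decode_decimal_arrays(cmdline):
    """Decode every decimal ASCII array in a command line; skip runs that are not printable text."""
    decoded = []
    for m in _DEC_ARRAY.finditer(cmdline):
        values = [int(v) for v in re.split(r"\s*,\s*", m.group(0))]
        if all(9 <= v <= 126 for v in values):  # tab/newline plus printable ASCII
            decoded.append("".join(chr(v) for v in values))
    return decoded

def analyze_cmdline(cmdline):
    """Return a finding for a process-creation command line, or None when nothing matches."""
    decoded = decode_decimal_arrays(cmdline)
    if not decoded:
        return None
    exec_cue = any(c in cmdline.lower() for c in _EXEC_CUES)
    text = " ".join(decoded).lower()
    stage_cues = [c for c in _STAGE_CUES if c in text]
    if not exec_cue and not stage_cues:
        return None  # numeric lists are common in benign command lines
    return {"decoded": decoded, "exec_cue": exec_cue, "stage_cues": stage_cues,
            "severity": "high" if exec_cue and stage_cues else "medium"}

SAMPLE_CMDLINES = [  # constructed samples, not the lure observed by the report
    # Lure-shaped line: the array decodes to the harmless text "echo appdata"
    "powershell.exe -w hidden -c \"iex ([char[]](101,99,104,111,32,97,112,112,100,97,116,97) -join '')\"",
    # Benign line with a numeric list, no decode-and-execute pattern
    "inventory.exe --ids 10,20,30,40,50,60,70,80",
]

def scan(cmdlines):
    """Run the analyzer over a batch and keep only the hits."""
    return [(c, analyze_cmdline(c)) for c in cmdlines if analyze_cmdline(c)]
```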

Figure 1: Contents of the ZIP archive after decompression

Figure 2: Contents of the Python folder showing collector.py and Pmanager.py
Zero detections at time of analysis. The sample is either novel or sufficiently obfuscated to evade signature-based engines.

Figure 3: VirusTotal results for collector.py (0 detections)
The file is heavily obfuscated. All function and variable names have been replaced with long random strings, consistent with common Python obfuscation tools.

Figure 4: Representative sample of obfuscation style
After deobfuscation, collector.py is a host enumeration module that fingerprints the victim machine. It collects:
| Data collected | Method |
|---|---|
| Hostname and username | System calls |
| Privilege level (USER / ADMIN / SYSTEM) | Token inspection |
| User UPN and domain membership | AD query |
| Active Directory computer count | ADSI searcher |
| System information | systeminfo |
| Running processes | Process enumeration |
| Active TCP connections | Network query |
| ARP table | arp -a |
| MAC address (machine fingerprint) | Interface query |
All collected data is aggregated into a dictionary and serialized to C:\Windows\Temp\configA.json, disguised as a benign configuration file.

Figure 5: Deobfuscated enumeration functions

Figure 6: Privilege level check (USER, ADMIN, or SYSTEM)

Figure 7: Dictionary structure written to configA.json

Figure 8: Write location: C:\Windows\Temp\configA.json
Zero detections at time of analysis.

Figure 9: VirusTotal results for Pmanager.py (0 detections)
Pmanager.py is approximately 750 lines of code. Its import list tells us what it does before we read a line of logic:
The combination of ssl, urllib.request, asyncio, zlib, and base64 points to encrypted asynchronous C2 communications with compressed or encoded payloads.
A hardcoded dictionary of IP addresses is embedded in the script. These are the C2 server pool.

Figure 10: Hardcoded C2 IP list
C2 communication uses HTTP POST requests. Endpoints are constructed at runtime by randomly selecting from a pool of hardcoded path strings. The randomized URLs are designed to evade pattern-based network detection:

Figure 11: POST request construction
The C2 channel is bidirectional. Evidence of command retrieval was observed: the implant sends host data and receives tasking in return via a JSON response.
Figure 12: Evidence of command retrieval from JSON response
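The C2 traits above (a hardcoded IP pool, POSTs with randomized paths, a headless Python process as the client) can be scored from ordinary outbound HTTP telemetry. This Python is an added example, not code from the report: it checks constructed log lines against the five IPs and the 64.95.0.0/16 block from the IOC table, flags POSTs from pythonw.exe to bare IP destinations, and counts path rotation toward a single destination. The log layout, process names and paths are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the report: the hardcoded C2 pool and the block shared with KongTuke.
C2_POOL = {"45.61.136.94", "64.95.12.238", "162.33.179.149", "64.95.13.76", "64.95.10.14"}
KONGTUKE_BLOCK = ipaddress.ip_network("64.95.0.0/16")

# Assumed log layout (constructed for this example): timestamp process method dst_ip path
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+\.\d+\.\d+\.\d+) (/\S*)$")

def score_event(process, method, dst):
    """Return the reasons one outbound HTTP event matches the C2 traits described above."""
    reasons = []
    if dst in C2_POOL:
        reasons.append("destination in reported C2 pool")
    elif ipaddress.ip_address(dst) in KONGTUKE_BLOCK:
        reasons.append("destination in KongTuke 64.95.0.0/16 block")
    if method == "POST" and process.lower() == "pythonw.exe":
        reasons.append("headless Python POSTing to a bare IP destination")
    return reasons

def detect_c2(lines):
    """Flag indicator hits per event and path rotation per (process, destination) pair."""
    hits, paths = [], defaultdict(set)
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, proc, method, dst, path = m.groups()
        paths[(proc, dst)].add(path)
        reasons = score_event(proc, method, dst)
        if reasons:
            hits.append({"ts": ts, "process": proc, "dst": dst, "reasons": reasons})
    # The implant picks a path at random per request, so one destination seeing
    # many distinct paths from the same process is the behavioural tell.
    rotating = {k: len(v) for k, v in paths.items() if len(v) >= 3}
    return hits, rotating

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    "2026-04-27T21:10:01Z pythonw.exe POST 64.95.12.238 /api/v1/sync",
    "2026-04-27T21:11:04Z pythonw.exe POST 64.95.12.238 /update/check",
    "2026-04-27T21:12:09Z pythonw.exe POST 64.95.12.238 /static/ping",
    "2026-04-27T21:12:30Z chrome.exe GET 203.0.113.10 /index.html",
]
```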
Three persistence mechanisms were identified.
The malware writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run, pointing to the malicious pythonw.exe and Pmanager.py. This ensures execution on every user login.

Figure 13: Registry key modification for user-level persistence
schtasks is invoked approximately five times with varying arguments. Observed parameters include /sc daily /st 00:00 /ru SYSTEM /f, which creates a daily execution trigger running as SYSTEM. A secondary schtasks /run /tn call forces immediate execution of the newly created task.

Figure 14: Scheduled task creation with SYSTEM privileges
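Both persistence mechanisms leave telemetry that is straightforward to hunt. The Python below is an added example, not code from the report: it parses schtasks command lines into their switches, flags the /ru SYSTEM and /sc daily /st 00:00 combination, actions that launch pythonw.exe or Pmanager.py from AppData, and the follow-up /run of a task it has already flagged, and applies the same action check to HKCU Run values. Task names, paths and the Run values are constructed samples.

```python
import re
import shlex

# Traits named in the report: headless pythonw.exe, Pmanager.py, staging under %APPDATA%.
SUSPICIOUS_ACTION = re.compile(r"pythonw\.exe|pmanager\.py|\\appdata\\", re.I)

def parse_schtasks(cmdline):
    """Turn 'schtasks /create /tn X /tr "..." /f' into {'create': True, 'tn': 'X', ...}."""
    toks = shlex.split(cmdline, posix=False)[1:]  # posix=False keeps quoted Windows paths whole
    args, i = {}, 0
    while i < len(toks):
        key = toks[i].lstrip("/").lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            args[key] = toks[i + 1].strip('"')
            i += 2
        else:
            args[key] = True  # switch without a value, e.g. /f or /run
            i += 1
    return args

def hunt_persistence(schtasks_cmdlines, run_values):
    """Return (source, name, reasons) findings for schtasks command lines and HKCU Run values."""
    findings, flagged_tasks = [], set()
    for cmd in schtasks_cmdlines:
        a, reasons = parse_schtasks(cmd), []
        if "create" in a and str(a.get("ru", "")).upper() == "SYSTEM":
            reasons.append("task runs as SYSTEM")
        if str(a.get("sc", "")).lower() == "daily" and a.get("st") == "00:00":
            reasons.append("daily 00:00 trigger")
        if SUSPICIOUS_ACTION.search(str(a.get("tr", ""))):
            reasons.append("action launches pythonw/Pmanager.py from AppData")
        if "run" in a and a.get("tn") in flagged_tasks:
            reasons.append("immediate /run of a just-created suspicious task")
        if reasons:
            flagged_tasks.add(a.get("tn"))
            findings.append(("schtasks", a.get("tn"), reasons))
    for name, command in run_values.items():
        if SUSPICIOUS_ACTION.search(command):
            findings.append(("run_key", name, ["Run value launches pythonw/Pmanager.py from AppData"]))
    return findings

SAMPLE_SCHTASKS = [  # constructed samples modelled on the switches reported above
    'schtasks /create /tn "UpdaterX" /tr "C:\\Users\\u\\AppData\\Roaming\\WPy64\\pythonw.exe Pmanager.py" /sc daily /st 00:00 /ru SYSTEM /f',
    'schtasks /run /tn "UpdaterX"',
    'schtasks /create /tn "Backup" /tr "C:\\Tools\\backup.exe" /sc weekly /ru Alice',
]
SAMPLE_RUN_VALUES = {  # constructed HKCU\...\Run values, one benign and one matching the report
    "OneDrive": "C:\\Program Files\\OneDrive\\OneDrive.exe /background",
    "WinpHelper": "C:\\Users\\u\\AppData\\Roaming\\WPy64\\pythonw.exe C:\\Users\\u\\AppData\\Roaming\\Pmanager.py",
}
```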