{"id":"909055f515c9fa397b5d97341b5c39fd","title":"KongTuke — KongTuke · dropper · PowerShell","md5":"909055f515c9fa397b5d97341b5c39fd","sha256":"fb1db11a8c8794c9649cbb2277deda6596f946fb5adfd9d6be005b8a28088486","family":"KongTuke","apt":"Zirconium(APT31)","verdict":null,"sample_type":"dropper","lang":"PowerShell","file_format":"PowerShell","compiler":"PowerShell","published_at":"2026-07-03T16:00:00.000Z","summary":"KongTuke 4-layer nested dropper written in PowerShell, attributed to APT31 / Zirconium, first detected 2026-07-04. Key characteristics: (1) 4-layer Base64→RC4→Gzip→IEX chained deobfuscation, with an independent RC4 key per layer; (2) C2 communication via HTTPS POST to tommy-y.lol/t, with ABCD111/BCDA222 prefixes distinguishing the VM-detection and domain-reconnaissance beacons; (3) anti-analysis detection by enumerating 55+ tool processes, covering VMware/VirtualBox/QEMU/Sandboxie; (4) string concatenation to evade AMSI keyword scanning; (5) the final payload IEX-executes the C2 response with no integrity verification. Family attribution: KongTuke v3 (APT31); C2 over HTTPS.","url":"https://zseceye.com/report/909055f515c9fa397b5d97341b5c39fd","json_url":"https://zseceye.com/report/909055f515c9fa397b5d97341b5c39fd.json","html_url":"https://zseceye.com/report/909055f515c9fa397b5d97341b5c39fd","hash_urls":{"md5":"https://zseceye.com/hash/909055f515c9fa397b5d97341b5c39fd","sha256":"https://zseceye.com/hash/fb1db11a8c8794c9649cbb2277deda6596f946fb5adfd9d6be005b8a28088486"},"search_urls":{"md5":"https://zseceye.com/?q=909055f515c9fa397b5d97341b5c39fd","sha256":"https://zseceye.com/?q=fb1db11a8c8794c9649cbb2277deda6596f946fb5adfd9d6be005b8a28088486"},"sample_download_url":"https://zseceye.com/report/909055f515c9fa397b5d97341b5c39fd/sample","sample_filename":"fb1db11a8c8794c9.zip","iocs":[],"ips":[]}