The ThreatFox: KongTuke IOCs rule detects potential adversary activity linked to the KongTuke threat group, which is associated with high-severity malicious behavior. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats that may be leveraging these indicators to compromise their environment.
IOC Summary
Malware Family: KongTuke
Total IOCs: 9
IOC Types: url, domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 64[.]95[.]13[.]15:80 | botnet_cc | 2026-06-08 | 75% |
| domain | hfpfhy7zytroclo.top | botnet_cc | 2026-06-08 | 100% |
| url | hxxps://wowlowski.icu/api/v1/verify | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://wowlowski.icu/file.js | payload_delivery | 2026-06-08 | 100% |
| domain | wowlowski.icu | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://wowlowski.icu/api/v1/session | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://wowlowski.icu/api/v1/status | payload_delivery | 2026-06-08 | 100% |
| url | hxxps://aura-checkpoint.top/o | payload_delivery | 2026-06-08 | 100% |
| domain | aura-checkpoint.top | payload_delivery | 2026-06-08 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - KongTuke
let malicious_ips = dynamic(["64.95.13.15"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - KongTuke
let malicious_ips = dynamic(["64.95.13.15"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["hfpfhy7zytroclo.top", "wowlowski.icu", "aura-checkpoint.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://wowlowski.icu/api/v1/verify", "https://wowlowski.icu/file.js", "https://wowlowski.icu/api/v1/session", "https://wowlowski.icu/api/v1/status", "https://aura-checkpoint.top/o"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
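The hunting queries above use refanged copies of the defanged values in the IOC table. As an added example (not part of the ThreatFox rule or this page's own tooling), this Python helper refangs the table rows, splits the ip:port indicator, de-duplicates values and renders the per-table `let` declarations and hunting queries in the same form as above; the IOC_ROWS sample and the HUNTS mapping are constructed here to mirror the table and queries on this page.

```python
import json
import re
# Constructed sample input: the defanged rows of the KongTuke IOC table above.
IOC_ROWS = [
    ("ip:port", "64[.]95[.]13[.]15:80"),
    ("domain", "hfpfhy7zytroclo.top"),
    ("url", "hxxps://wowlowski.icu/api/v1/verify"),
    ("url", "hxxps://wowlowski.icu/file.js"),
    ("domain", "wowlowski.icu"),
    ("url", "hxxps://wowlowski.icu/api/v1/session"),
    ("url", "hxxps://wowlowski.icu/api/v1/status"),
    ("url", "hxxps://aura-checkpoint.top/o"),
    ("domain", "aura-checkpoint.top"),
]
# table -> (let variable, IOC bucket, where predicate, timestamp column), as in the hunts above
HUNTS = {
    "DeviceNetworkEvents": ("malicious_ips", "ips", "RemoteIP in (malicious_ips)", "Timestamp"),
    "DnsEvents": ("malicious_domains", "domains", "Name has_any (malicious_domains)", "TimeGenerated"),
    "UrlClickEvents": ("malicious_urls", "urls", "Url has_any (malicious_urls)", "Timestamp"),
}

def refang(value: str) -> str:
    """Reverse common defanging ([.] -> ., hxxp -> http) so values match real telemetry."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def group_iocs(rows) -> dict:
    """Bucket refanged, de-duplicated IOCs by the field they are hunted on (IPv4 ip:port only)."""
    groups = {"ips": [], "ports": [], "domains": [], "urls": []}
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":  # telemetry is matched on the IP; the port is kept for triage
            ip, _, port = value.rpartition(":")
            targets = [("ips", ip), ("ports", int(port))]
        else:  # "domain"/"url" -> "domains"/"urls"; any other type raises KeyError below
            targets = [(ioc_type + "s", value.lower() if ioc_type == "domain" else value)]
        for bucket, item in targets:
            if item not in groups[bucket]:
                groups[bucket].append(item)
    return groups

def kql_let(name: str, values) -> str:
    """Emit a KQL let with a dynamic literal; json.dumps quotes and escapes every value."""
    return f"let {name} = dynamic({json.dumps(values)});"

def hunt_queries(rows) -> dict:
    """Render one ready-to-paste hunting query per table, newest events first."""
    groups = group_iocs(rows)
    return {table: "\n".join([kql_let(var, groups[bucket]), table, f"| where {pred}", f"| order by {ts} desc"])
            for table, (var, bucket, pred, ts) in HUNTS.items()}
```

Feeding a fresh ThreatFox export through `hunt_queries` regenerates the three lists in one step, so the queries and the table cannot drift apart when the IOC set is updated.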
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
**Scenario: Scheduled System Backup Job**
Description: A legitimate scheduled backup job uses a script that matches one of the KongTuke IOCs (e.g., a script named backup.sh containing a command that resembles a malicious payload).
Filter/Exclusion: Check for the presence of known backup directories (e.g., /var/backups/) or use a filter like process.directory:*backup* or process.name:backup.sh.
**Scenario: Admin Task for Log Rotation**
Description: An administrator runs a log rotation script that includes a command matching a KongTuke IOC (e.g., a logrotate command with a suspicious argument).
Filter/Exclusion: Filter by user (user.name:root or user.name:admin) and check for known log rotation tools or directories (e.g., /etc/logrotate.d/).
**Scenario: Legitimate API Testing with Kong**
Description: A developer is testing an API using Kong API Gateway, and the test script includes a request that matches a KongTuke IOC (e.g., a request to a known endpoint with specific headers).
Filter/Exclusion: Filter by process name (process.name:kong or process.name:curl) and check for the presence of Kong configuration files (e.g., /etc/kong/).
**Scenario: CI/CD Pipeline Artifact Download**
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a dependency or artifact that matches a KongTuke IOC (e.g., a file named kongtuke-*.tar.gz).
Filter/Exclusion: Filter by process name (process.name:git or process.name:jenkins) and check for known CI/CD directories (e.g., /var/jenkins_home/).
**Scenario: Legitimate Security