The ThreatFox: KongTuke IOCs rule detects potential adversary activity linked to the KongTuke threat group, which is associated with high-severity malicious behavior. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before they escalate.
IOC Summary
Malware Family: KongTuke Total IOCs: 2 IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://jh038x18gy9.com/dl/agent.bat | payload_delivery | 2026-04-23 | 100% |
| domain | jh038x18gy9.com | payload_delivery | 2026-04-23 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["jh038x18gy9.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://jh038x18gy9.com/dl/agent.bat"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job for System Monitoring
Description: A legitimate scheduled job runs a script that queries system logs or performance metrics, which may include similar command-line arguments or file paths as the KongTuke IOC.
Filter/Exclusion: Exclude processes initiated by a known system monitoring tool (e.g., systemd, cron, or logrotate) or filter by process owner (e.g., root or sysadmin).
Scenario: Admin Task for Log Analysis
Description: An administrator uses a tool like logrotate or rsyslog to analyze or rotate log files, which may involve commands or file paths that match the KongTuke IOC.
Filter/Exclusion: Exclude processes related to log management tools or filter by user (e.g., root or admin).
Scenario: Kubernetes Cluster Management
Description: A Kubernetes cluster management tool like kubectl or kubeadm may execute commands that resemble the KongTuke IOC when interacting with cluster resources or configurations.
Filter/Exclusion: Exclude processes related to Kubernetes tools or filter by command-line arguments containing known Kubernetes keywords (e.g., kubectl, kubeconfig).
Scenario: Database Backup Job
Description: A database backup job using tools like mysqldump or pg_dump may generate output or temporary files that match the KongTuke IOC due to similar naming conventions.
Filter/Exclusion: Exclude processes initiated by backup tools or filter by command-line arguments containing database-specific keywords (e.g., dump, backup, mysql, pg).
Scenario: Network Configuration Audit
Description: A network configuration audit using tools like tcpdump or nmap may involve commands or files that resemble the KongTuke IOC, especially when