The ThreatFox: KongTuke IOCs rule flags DNS lookups and Safe Links URL clicks that match indicators ThreatFox attributes to KongTuke. All four indicators are tagged payload_delivery (agent.bat and update.zip under a /dl/ path), so a hit means a host resolved or requested a second-stage payload location, which is the point in the chain where the download can still be blocked. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) and treat any match from a user workstation as an early-stage compromise to contain before the payload runs.
IOC Summary
Malware Family: KongTuke
Total IOCs: 4
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://49xb5hoiqsr.com/dl/agent.bat?tk=5c6782c32ce7b4b8442c60f9afc95a39 | payload_delivery | 2026-04-22 | 100% |
| url | hxxps://tdypy7dvtdq.com/dl/agent.bat | payload_delivery | 2026-04-22 | 100% |
| domain | tdypy7dvtdq.com | payload_delivery | 2026-04-22 | 100% |
| url | hxxps://tdypy7dvtdq.com/dl/update.zip | payload_delivery | 2026-04-22 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
// 49xb5hoiqsr.com appears in the feed only inside a URL indicator; it is added here
// so DNS lookups for it are not missed. has_any matches on whole terms, so it also
// catches subdomains of the listed domains.
let malicious_domains = dynamic(["tdypy7dvtdq.com", "49xb5hoiqsr.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
// The tk= query parameter on the first URL looks like a per-download token, so an
// exact match on the full URL can miss other downloads from the same /dl/agent.bat path.
// UrlClickEvents only records Safe Links clicks (Microsoft 365 Defender connector);
// browser or proxy traffic that did not arrive via mail needs a different table.
let malicious_urls = dynamic(["https://49xb5hoiqsr.com/dl/agent.bat?tk=5c6782c32ce7b4b8442c60f9afc95a39", "https://tdypy7dvtdq.com/dl/agent.bat", "https://tdypy7dvtdq.com/dl/update.zip"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
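The two queries above were written by hand from the IOC table. The script below is an added example, not ThreatFox code and not part of the original rule: it takes IOC records in a ThreatFox-like JSON shape (the sample export is constructed from this page's table; the query_status/data envelope and the field names other than ioc and ioc_type are assumptions), refangs them, splits each URL into host and path so the per-download tk= token does not defeat matching, and renders KQL `let` lists. It also emits a DeviceNetworkEvents hunt, which assumes the Defender for Endpoint connector is enabled; that table is not mentioned on the page.

```python
"""Build Microsoft Sentinel hunting queries from ThreatFox-style IOC records.

Added example; not ThreatFox code and not the page's original queries.
The export below is constructed from the page's IOC table. The JSON envelope
and every field other than ioc / ioc_type are assumptions for this example.
"""
import json
from urllib.parse import urlsplit

# Constructed sample export: the four KongTuke IOCs from this page, defanged
# the way the page prints them (hxxps), so the refang step is exercised.
SAMPLE_EXPORT = json.dumps({
    "query_status": "ok",
    "data": [
        {"ioc": "hxxps://49xb5hoiqsr.com/dl/agent.bat?tk=5c6782c32ce7b4b8442c60f9afc95a39",
         "ioc_type": "url", "threat_type": "payload_delivery"},
        {"ioc": "hxxps://tdypy7dvtdq.com/dl/agent.bat",
         "ioc_type": "url", "threat_type": "payload_delivery"},
        {"ioc": "tdypy7dvtdq.com",
         "ioc_type": "domain", "threat_type": "payload_delivery"},
        {"ioc": "hxxps://tdypy7dvtdq.com/dl/update.zip",
         "ioc_type": "url", "threat_type": "payload_delivery"},
    ],
})


def refang(ioc: str) -> str:
    """Undo common defanging so the value matches what telemetry actually records."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def expand_iocs(export_json: str) -> dict:
    """Return sorted, deduplicated domains, full URLs and URL paths.

    Hosts are pulled out of URL indicators as well (49xb5hoiqsr.com is only a
    URL in the feed), and paths are kept without the query string so a changed
    tk= token still matches.
    """
    domains, urls, paths = set(), set(), set()
    for rec in json.loads(export_json)["data"]:
        value = refang(rec["ioc"])
        if rec["ioc_type"] == "domain":
            domains.add(value.lower())
        elif rec["ioc_type"] == "url":
            parts = urlsplit(value)
            urls.add(value)
            if parts.hostname:
                domains.add(parts.hostname.lower())
            if parts.path and parts.path != "/":
                paths.add(parts.path)
    return {"domains": sorted(domains), "urls": sorted(urls), "paths": sorted(paths)}


def kql_list(values) -> str:
    """Render a list of strings as a KQL dynamic() literal; json.dumps does the quoting."""
    return "dynamic(" + json.dumps(list(values)) + ")"


def build_queries(iocs: dict) -> dict:
    """Emit one KQL hunt per Sentinel table, sharing the same let-bound lists."""
    lets = (f"let kt_domains = {kql_list(iocs['domains'])};\n"
            f"let kt_paths = {kql_list(iocs['paths'])};\n"
            f"let kt_urls = {kql_list(iocs['urls'])};\n")
    return {
        # Exact, case-insensitive hostname match on DNS lookups.
        "DnsEvents": lets + (
            "DnsEvents\n"
            "| where Name in~ (kt_domains)\n"
            "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
            "| order by TimeGenerated desc"),
        # Defender for Endpoint telemetry (assumed connector). RemoteUrl may hold a
        # bare host or a full URL, so match host terms or path terms, not whole URLs.
        "DeviceNetworkEvents": lets + (
            "DeviceNetworkEvents\n"
            "| where RemoteUrl has_any (kt_domains) or RemoteUrl has_any (kt_paths)\n"
            "| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,\n"
            "          InitiatingProcessFileName, InitiatingProcessCommandLine\n"
            "| order by Timestamp desc"),
        # Safe Links click telemetry: exact URLs first, path match as the fallback.
        "UrlClickEvents": lets + (
            "UrlClickEvents\n"
            "| where Url has_any (kt_urls) or Url has_any (kt_paths)\n"
            "| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough\n"
            "| order by Timestamp desc"),
    }


if __name__ == "__main__":
    for table, kql in build_queries(expand_iocs(SAMPLE_EXPORT)).items():
        print(f"// --- {table} ---\n{kql}\n")
```

Paste each printed query into Sentinel's Logs blade as-is. Regenerating from the feed rather than editing the lists by hand keeps the domain list in step with the URL list, which is how the missing 49xb5hoiqsr.com DNS coverage arises in the first place.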
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled security scans that touch the indicators
Description: Scheduled jobs such as URL reputation checks, phishing-simulation or link-preview fetchers, and vulnerability scanners resolve or request the same domains and URLs on a fixed cadence, so the hits recur at regular intervals from the same host rather than from a user-driven session.
Filter/Exclusion: Exclude the Computer (DnsEvents) or AccountUpn (UrlClickEvents) values of the scanning hosts and their service accounts, and confirm the cadence before excluding; a single off-schedule hit from a user workstation is not covered by this exclusion.
Scenario: Analyst or administrator verifying the indicators
Description: During triage an analyst runs nslookup or dig against tdypy7dvtdq.com, or opens one of the URLs from an analysis host, which produces DNS and click records identical to those of a victim.
Filter/Exclusion: Exclude known analysis and jump hosts by Computer or DeviceName, not by user group membership alone: an administrator's account resolving a payload-delivery domain from a production workstation should still be investigated.
Scenario: Third-party security tool detonating or scanning the URLs
Description: Safe Links, a CrowdStrike Falcon sandbox, or another URL-detonation service fetches the URL to classify it, generating a request to the indicator that did not originate from a user.
Filter/Exclusion: Exclude the sandbox hosts and service identities by Computer or AccountUpn; in UrlClickEvents, check ActionType and IsClickedThrough so that a blocked click or an automated scan is triaged differently from a user who clicked through to the payload.
Scenario: Detection validation or purple-team exercise reusing the real IOCs
Description: A detection engineer or purple team resolves the domains or clicks the URLs from a lab host or test account to confirm the rule fires.
Filter/Exclusion: Exclude the lab hosts and test accounts only for the announced exercise window and remove the exclusion afterwards; do not exclude by directory path or binary name, which these DNS and URL tables do not record.
Scenario: False positive from a legitimate cloud provider’s infrastructure
Description: A cloud provider like AWS or Azure may use tools with similar names or behaviors