The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious infrastructure and command-and-control servers. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated threat actor.
IOC Summary
Malware Family: KongTuke Total IOCs: 10 IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://two-verif.lol/o | payload_delivery | 2026-06-15 | 100% |
| domain | two-verif.lol | payload_delivery | 2026-06-15 | 100% |
| domain | finale-code.lol | botnet_cc | 2026-06-15 | 100% |
| url | hxxps://eichmnnn.icu/api/v1/status | payload_delivery | 2026-06-15 | 100% |
| url | hxxps://one-verif.lol/o | payload_delivery | 2026-06-15 | 100% |
| domain | one-verif.lol | payload_delivery | 2026-06-15 | 100% |
| url | hxxps://eichmnnn.icu/file.js | payload_delivery | 2026-06-15 | 100% |
| domain | eichmnnn.icu | payload_delivery | 2026-06-15 | 100% |
| url | hxxps://eichmnnn.icu/api/v1/session | payload_delivery | 2026-06-15 | 100% |
| url | hxxps://eichmnnn.icu/api/v1/verify | payload_delivery | 2026-06-15 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["two-verif.lol", "finale-code.lol", "one-verif.lol", "eichmnnn.icu"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://two-verif.lol/o", "https://eichmnnn.icu/api/v1/status", "https://one-verif.lol/o", "https://eichmnnn.icu/file.js", "https://eichmnnn.icu/api/v1/session", "https://eichmnnn.icu/api/v1/verify"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update or patching process using kongtuke as part of a toolchain
Filter/Exclusion: Exclude processes initiated by known update tools like yum, apt, or Chocolatey with specific command-line arguments related to patching or upgrades.
Scenario: Scheduled job running kongtuke for log analysis or monitoring purposes
Filter/Exclusion: Exclude processes with command-line arguments containing -log or -monitor and associated with scheduled tasks managed by cron, Task Scheduler, or systemd.
Scenario: Admin task using kongtuke for network scanning or configuration validation
Filter/Exclusion: Exclude processes with command-line arguments containing -scan or -validate and executed by privileged users with known administrative tools like netsh, nmap, or tcpdump.
Scenario: Development environment using kongtuke for testing API endpoints
Filter/Exclusion: Exclude processes running in development environments identified by IP ranges, user groups (e.g., dev), or container environments (e.g., Docker, Kubernetes) with specific tags or labels.
Scenario: Security tool or SIEM integration using kongtuke for data correlation
Filter/Exclusion: Exclude processes with command-line arguments containing -correlate or -siem and associated with known security tools like Splunk, ELK Stack, or QRadar.