The ThreatFox: KongTuke IOCs rule detects potential adversary activity linked to the KongTuke threat group, which is associated with malicious network traffic and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises and prevent data loss.
IOC Summary
Malware Family: KongTuke
Total IOCs: 11
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://dangelo.lol/file.js | payload_delivery | 2026-06-03 | 100% |
| domain | dangelo.lol | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://dangelo.lol/api/v1/session | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://dangelo.lol/api/v1/verify | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://bernardi.lol/file.js | payload_delivery | 2026-06-03 | 100% |
| domain | bernardi.lol | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://bernardi.lol/api/v1/verify | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://bernardi.lol/api/v1/session | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://bernardi.lol/api/v1/status | payload_delivery | 2026-06-03 | 100% |
| url | hxxps://second-confirmation.top/o | payload_delivery | 2026-06-03 | 100% |
| domain | second-confirmation.top | payload_delivery | 2026-06-03 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["dangelo.lol", "bernardi.lol", "second-confirmation.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://dangelo.lol/file.js", "https://dangelo.lol/api/v1/session", "https://dangelo.lol/api/v1/verify", "https://bernardi.lol/file.js", "https://bernardi.lol/api/v1/verify", "https://bernardi.lol/api/v1/session", "https://bernardi.lol/api/v1/status", "https://second-confirmation.top/o"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate use of KongTuke for API testing
Description: A developer is using KongTuke to test API endpoints as part of a development workflow.
Filter/Exclusion: process.name != "kongtuke" OR process.parent.name in ("idea", "intellij")
Scenario: Scheduled job for system maintenance using KongTuke
Description: A system administrator runs a scheduled job using KongTuke to clean up temporary files or logs.
Filter/Exclusion: process.name != "kongtuke" OR process.parent.name in ("cron", "systemd")
Scenario: Admin task to monitor KongTuke service status
Description: An admin is checking the status of the KongTuke service using command-line tools such as systemctl or service.
Filter/Exclusion: process.name != "kongtuke" OR process.parent.name in ("systemctl", "service")
Scenario: Integration testing with KongTuke in a CI/CD pipeline
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is using KongTuke to validate API integrations.
Filter/Exclusion: process.name != "kongtuke" OR process.parent.name in ("jenkins", "gitlab-runner")
Scenario: User interaction with KongTuke via a web interface
Description: A user is interacting with KongTuke through its web UI for configuration or monitoring purposes.
Filter/Exclusion: process.name != "kongtuke" OR process.parent.name in ("chrome", "firefox")