The ThreatFox: KongTuke IOCs rule flags DNS resolutions and URL clicks that match infrastructure ThreatFox attributes to the KongTuke threat group, which is associated with malicious network traffic and data exfiltration. Every indicator in this set is classified as payload_delivery, so a hit most likely means a host resolved or fetched a first-stage script from attacker-controlled infrastructure and should be triaged as a possible initial compromise rather than a confirmed exfiltration event. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain activity that leverages this known malicious infrastructure.
IOC Summary

Malware Family: KongTuke
Total IOCs: 8
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://kerluku.lol/file.js | payload_delivery | 2026-05-27 | 100% |
| domain | kerluku.lol | payload_delivery | 2026-05-27 | 100% |
| url | hxxps://kerluku.lol/api/v1/session | payload_delivery | 2026-05-27 | 100% |
| url | hxxps://kerluku.lol/api/v1/verify | payload_delivery | 2026-05-27 | 100% |
| url | hxxps://gulgosski.lol/file.js | payload_delivery | 2026-05-27 | 100% |
| domain | gulgosski.lol | payload_delivery | 2026-05-27 | 100% |
| url | hxxps://gulgosski.lol/api/v1/session | payload_delivery | 2026-05-27 | 100% |
| url | hxxps://gulgosski.lol/api/v1/verify | payload_delivery | 2026-05-27 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
// has_any is term-based: "kerluku.lol" also matches subdomains such as
// cdn.kerluku.lol, but it will equally match look-alikes such as
// kerluku.lol.example.com, so review the full Name column before escalating.
let malicious_domains = dynamic(["kerluku.lol", "gulgosski.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
// IPAddresses holds the resolved answers; pivot on them to find
// additional hosts that reached the same infrastructure by IP.
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
// UrlClickEvents only records clicks that pass through Defender for Office 365
// Safe Links (mail, Teams, Office apps); direct browser navigations and script
// fetches are not in this table, so pair this query with the DNS hunt above.
let malicious_urls = dynamic(["https://kerluku.lol/file.js", "https://kerluku.lol/api/v1/session", "https://kerluku.lol/api/v1/verify", "https://gulgosski.lol/file.js", "https://gulgosski.lol/api/v1/session", "https://gulgosski.lol/api/v1/verify"]);
UrlClickEvents
| where Url has_any (malicious_urls)
// IsClickedThrough = true means the user bypassed the Safe Links warning page,
// which is the case most likely to have delivered the payload.
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled (populated by the Windows DNS Events connector) |
| UrlClickEvents | Ensure this data connector is enabled (populated by the Microsoft Defender XDR connector; requires Defender for Office 365 Safe Links) |
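The two KQL hunts above rely on `has_any`, whose term-based matching is convenient but loose. The following Python, added here as an illustration and not part of the ThreatFox rule or of Sentinel, refangs the IOC table, emits the `dynamic([...])` lists the queries use, and runs stricter matching logic over constructed DNS and URL-click records: the domain itself and its subdomains hit, look-alike names such as `kerluku.lol.example.com` do not, and a URL whose path matches an IOC hits even when a query string has been appended. Host names, user names and record values in the sample data are constructed for this example.

```python
import json
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# IOCs exactly as they appear in the ThreatFox table above (defanged with hxxps).
KONGTUKE_IOCS = [
    ("url", "hxxps://kerluku.lol/file.js"),
    ("domain", "kerluku.lol"),
    ("url", "hxxps://kerluku.lol/api/v1/session"),
    ("url", "hxxps://kerluku.lol/api/v1/verify"),
    ("url", "hxxps://gulgosski.lol/file.js"),
    ("domain", "gulgosski.lol"),
    ("url", "hxxps://gulgosski.lol/api/v1/session"),
    ("url", "hxxps://gulgosski.lol/api/v1/verify"),
]

# Constructed sample telemetry (not real log data): (Computer, Name) and (AccountUpn, Url).
SAMPLE_DNS = [
    ("WS01", "cdn.kerluku.lol"),            # subdomain of an IOC: hit
    ("WS02", "kerluku.lol.example.com"),    # look-alike: not a hit here (has_any would match)
    ("WS03", "notkerluku.lol"),             # different registrable domain: not a hit
    ("WS04", "gulgosski.lol."),             # trailing-dot FQDN form: hit
]
SAMPLE_CLICKS = [
    ("alice@example.com", "https://kerluku.lol/file.js?v=3"),          # URL IOC plus query string
    ("bob@example.com", "https://kerluku.lol/other"),                  # unknown path on a known domain
    ("carol@example.com", "https://example.com/file.js"),              # same path, unrelated host
    ("dave@example.com", "HTTPS://GULGOSSKI.LOL/api/v1/verify"),       # case differences
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be compared with live telemetry."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def build_sets(iocs) -> Tuple[Set[str], Set[str]]:
    """Split the IOC table into lower-cased domain and URL sets."""
    domains = {refang(v).lower() for t, v in iocs if t == "domain"}
    urls = {refang(v).lower() for t, v in iocs if t == "url"}
    return domains, urls


def kql_dynamic(values) -> str:
    """Render a list as the KQL dynamic([...]) literal used in the hunting queries."""
    return "dynamic(" + json.dumps(list(values)) + ")"


def domain_matches(name: str, domains: Set[str]) -> bool:
    """True for the IOC domain or any subdomain of it; false for look-alikes."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def url_matches(url: str, urls: Set[str], domains: Set[str]) -> Optional[str]:
    """Return 'url' for an exact URL IOC, 'domain' for a host-level hit, else None."""
    parts = urlsplit(url.lower())
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"  # ignore query string and fragment
    if base in urls:
        return "url"
    if domain_matches(parts.hostname or "", domains):
        return "domain"
    return None


def hunt_dns(records, domains: Set[str]) -> List[Tuple[str, str]]:
    """Mirror the DnsEvents hunt: (Computer, Name) pairs that resolve IOC domains."""
    return [(host, name) for host, name in records if domain_matches(name, domains)]


def hunt_clicks(records, urls: Set[str], domains: Set[str]) -> List[Tuple[str, str, str]]:
    """Mirror the UrlClickEvents hunt, tagging each hit with the kind of indicator it matched."""
    hits = []
    for user, url in records:
        kind = url_matches(url, urls, domains)
        if kind:
            hits.append((user, url, kind))
    return hits


if __name__ == "__main__":
    domains, urls = build_sets(KONGTUKE_IOCS)
    print("let malicious_domains =", kql_dynamic(sorted(domains)) + ";")
    print("let malicious_urls =", kql_dynamic(sorted(urls)) + ";")
    for hit in hunt_dns(SAMPLE_DNS, domains):
        print("DNS hit:", hit)
    for hit in hunt_clicks(SAMPLE_CLICKS, urls, domains):
        print("URL hit:", hit)
```

Running the script prints the two `let` statements ready to paste into Sentinel and lists the hits from the sample records. The `domain` result from `url_matches` is the useful extra over the page's URL query: a click on `https://kerluku.lol/other` does not match any listed URL, but it still lands on attacker infrastructure and deserves the same triage.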
False Positive Scenarios

The exclusions below are written in Elastic-style field syntax against process and file fields. Neither DnsEvents nor UrlClickEvents carries those fields, so they cannot be attached to the two hunting queries as written; an exclusion for this rule has to be expressed on the columns those tables actually provide (for example Computer or AccountUpn), and only after the matching resolution or click has been confirmed benign. Each filter is parenthesised so that the parent-process condition governs both alternatives: without the parentheses AND binds tighter than OR, and the first clause on its own would suppress every event from that process regardless of its parent.

Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script that matches the IOC pattern (e.g., script.sh containing base64 encoded strings).
Filter/Exclusion: (process.name:*system_maintenance* OR file.name:*script.sh*) AND process.parent.name:*cron*

Scenario: Admin Task – User Account Creation
Description: An admin creates a new user account using a script that includes base64 encoded parameters for user details.
Filter/Exclusion: (process.name:*user_creation_script* OR user.name:*admin*) AND process.parent.name:*bash*

Scenario: Log Rotation or Archive Process
Description: A log rotation tool (e.g., logrotate) processes log files that contain base64 strings as part of log formatting.
Filter/Exclusion: (process.name:*logrotate* OR file.path:/var/log/*) AND process.parent.name:*systemd*

Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads artifacts that include encoded strings as part of metadata.
Filter/Exclusion: (process.name:*jenkins* OR process.name:*gitlab-runner*) AND file.path:/var/lib/jenkins/*

Scenario: Database Backup Script Execution
Description: A database backup script (e.g., backup_db.sh) uses base64 encoding for sensitive data in the backup process.
Filter/Exclusion: (process.name:*backup_db.sh* OR file.path:/opt/backups/*) AND process.parent.name:*systemd*