The ThreatFox: KongTuke IOCs rule hunts for the network indicators (one domain and one URL) that abuse.ch ThreatFox has published for KongTuke, a malware-delivery campaign that ThreatFox tracks as a malware family and rates as high severity. SOC teams should run these hunts in Microsoft Sentinel (formerly Azure Sentinel) against recent DNS and URL-click telemetry to catch the initial payload-delivery stage, before lateral movement and data exfiltration occur. Both indicators are tagged payload_delivery, so a match is a host or user that resolved or clicked the delivery infrastructure, not proof of a successful infection; confirm with endpoint telemetry from the same host before escalating. ThreatFox indicators also age quickly as infrastructure is taken down or re-registered, so check the indicator's current status on ThreatFox when triaging a hit.
IOC Summary
Malware Family: KongTuke
Total IOCs: 2
IOC Types: domain, url
Values are shown defanged (hxxps) as ThreatFox publishes them; the queries below use the refanged form. Confidence is the reporter's confidence level as recorded in ThreatFox.

| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://verif-code.lol/o | payload_delivery | 2026-06-11 | 100% |
| domain | verif-code.lol | payload_delivery | 2026-06-11 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
// has_any matches on whole terms, so subdomains such as cdn.verif-code.lol
// are caught while a lookalike like notverif-code.lol is not
let malicious_domains = dynamic(["verif-code.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
// Exact URL only; a click on another path under the same host will not match
// here but will still surface in the DNS hunt above
let malicious_urls = dynamic(["https://verif-code.lol/o"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Windows DNS Server data connector; ensure this data connector is enabled, and verify the table is actually receiving rows for the hosts in scope |
| UrlClickEvents | Safe Links click data from Defender for Office 365, ingested through the Microsoft Defender XDR data connector; ensure this data connector is enabled |
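The two hunts above are simple string matches, and the details of how the IOC is normalised (defanging, case, query strings, subdomains) decide what they catch and what they miss. The block below is an added example, not code from ThreatFox or Sentinel, that re-implements the same matching rules in Python over constructed DnsEvents and UrlClickEvents records so the behaviour can be checked offline before the KQL is deployed. It goes slightly beyond the page's queries by also flagging clicks on other paths under the IOC host. The sample events, host names and user principal names are all made up for the example.

```python
"""Offline re-implementation of the KongTuke IOC hunt so the matching rules can be
checked against constructed events before the KQL is run in Sentinel.
Added example; not ThreatFox or Sentinel code. All event records are constructed."""
import re
from urllib.parse import urlsplit

# IOCs exactly as ThreatFox lists them on the page; the URL is defanged (hxxps).
THREATFOX_IOCS = [
    {"type": "url", "value": "hxxps://verif-code.lol/o"},
    {"type": "domain", "value": "verif-code.lol"},
]


def refang(value: str) -> str:
    """Undo common defanging so the IOC can be compared with live telemetry."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def canonical_url(url: str) -> str:
    """scheme://host/path in lower case, with query string and fragment dropped."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"


def load_iocs(records):
    """Return (domains, urls). The host of every URL IOC is added to domains so DNS
    telemetry is hunted even when ThreatFox only published the URL."""
    domains, urls = set(), set()
    for rec in records:
        value = refang(rec["value"])
        if rec["type"] == "domain":
            domains.add(value.lower().rstrip("."))
        elif rec["type"] == "url":
            urls.add(canonical_url(value))
            host = urlsplit(value).hostname
            if host:
                domains.add(host.lower())
    return domains, urls


def domain_match(name: str, domains) -> bool:
    """Exact or subdomain match on the queried name. A plain substring test would
    also flag lookalikes such as notverif-code.lol, so labels must align."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def url_match(url: str, urls, domains):
    """'url' when the clicked URL is the IOC itself (ignoring query/fragment),
    'host' when only the hostname is an IOC domain, None otherwise."""
    if canonical_url(url) in urls:
        return "url"
    if domain_match(urlsplit(url.strip()).hostname or "", domains):
        return "host"
    return None


def hunt(dns_events, url_events, records=THREATFOX_IOCS):
    """Apply both hunts and return the hits newest first, like the KQL."""
    domains, urls = load_iocs(records)
    hits = []
    for ev in dns_events:
        if domain_match(ev["Name"], domains):
            hits.append({"source": "DnsEvents", "time": ev["TimeGenerated"],
                         "who": ev["Computer"], "value": ev["Name"], "match": "domain"})
    for ev in url_events:
        kind = url_match(ev["Url"], urls, domains)
        if kind:
            hits.append({"source": "UrlClickEvents", "time": ev["Timestamp"],
                         "who": ev["AccountUpn"], "value": ev["Url"], "match": kind})
    return sorted(hits, key=lambda h: h["time"], reverse=True)


# Constructed sample telemetry (hypothetical hosts and users, not real logs).
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-12T09:01:00Z", "Computer": "WS-042", "Name": "verif-code.lol"},
    {"TimeGenerated": "2026-06-12T09:01:05Z", "Computer": "WS-042", "Name": "cdn.verif-code.lol"},
    {"TimeGenerated": "2026-06-12T09:02:00Z", "Computer": "WS-017", "Name": "notverif-code.lol"},
    {"TimeGenerated": "2026-06-12T09:03:00Z", "Computer": "WS-017", "Name": "verif-code.lol.example.com"},
]
SAMPLE_URL = [
    {"Timestamp": "2026-06-12T08:59:00Z", "AccountUpn": "a.user@corp.example", "Url": "https://verif-code.lol/o"},
    {"Timestamp": "2026-06-12T09:00:30Z", "AccountUpn": "b.user@corp.example", "Url": "HTTPS://verif-code.lol/o?ref=mail"},
    {"Timestamp": "2026-06-12T09:04:00Z", "AccountUpn": "c.user@corp.example", "Url": "https://verif-code.lol/captcha"},
    {"Timestamp": "2026-06-12T09:05:00Z", "AccountUpn": "d.user@corp.example", "Url": "https://example.com/verif-code.lol/o"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS, SAMPLE_URL):
        print(hit)
```

Of the eight constructed events, five are hits: the two DNS queries from WS-042 (exact domain and a subdomain), the exact IOC URL, the same URL with a tracking query string, and a click on another path under the IOC host. The lookalike domain, the IOC name buried under an unrelated parent domain, and the IOC appearing only in the path of a URL on another host are all rejected, which is the behaviour you want before widening the KQL from `has_any` to a `contains` match.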
KongTuke is the campaign label ThreatFox uses for this activity; it is not a software product, has no relation to the Kong API gateway, and does not run as a process named kongtuke, so process-name, script-path or admin-account exclusions do not apply to this rule. The hunts match on a queried domain and a clicked URL, so false positives come from who resolved or fetched the indicator and why, not from what was executing.

Scenario: Security tooling resolving or fetching the indicator
Description: Sandboxes, URL scanners, threat-intelligence enrichment jobs and mail-security link scanning resolve or retrieve the IOC as part of their normal operation, producing DnsEvents and UrlClickEvents rows with no user involvement.
Filter/Exclusion: Exclude the known scanner hosts and service accounts by Computer or AccountUpn. In UrlClickEvents, use ActionType and IsClickedThrough to separate a click that Safe Links blocked from one the user clicked through; a blocked click still shows the user was targeted, but it is not a visit.

Scenario: Analyst activity during an investigation
Description: SOC analysts resolve the domain or open the URL from an isolated analysis VM while triaging an earlier alert, which generates fresh matches that look like new victims.
Filter/Exclusion: Exclude the designated analysis VMs and analyst accounts only, and never production workstations; tag investigation activity in the ticket so the matches can be attributed.

Scenario: Stale, sinkholed or re-registered indicator
Description: The domain is taken down, sinkholed or later registered by an unrelated party, so resolutions after that point may be cache refreshes, retries from previously infected hosts, or traffic to a benign new owner.
Filter/Exclusion: Check the indicator's current status on ThreatFox and the resolved IPAddresses (a known sinkhole address changes the meaning of the hit), and scope the hunt to the window around the first-seen date rather than running it indefinitely without re-validation.

Scenario: Link prefetch or preview without a user click
Description: Mail clients, chat applications and browsers prefetch or preview links, generating a DNS query for the IOC domain without the user having clicked anything.
Filter/Exclusion: Correlate a DnsEvents match with a UrlClickEvents click or a proxy request from the same host and time before treating it as a user visit; a DNS-only hit still identifies a host that received the lure.