The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for matches against these IOCs in Azure Sentinel so that activity from this group is identified and contained before significant data loss occurs.
IOC Summary
Malware Family: KongTuke
Total IOCs: 3
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://secure-code.lol/o | payload_delivery | 2026-06-12 | 100% |
| domain | secure-code.lol | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://oliveiaa.icu/api/v1/status | payload_delivery | 2026-06-12 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["secure-code.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://secure-code.lol/o", "https://oliveiaa.icu/api/v1/status"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
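The helper below is an added example, not part of the ThreatFox feed or this rule page: it refangs the defanged rows from the IOC table above, derives the host of each URL IOC so the domain list also covers oliveiaa.icu, and emits the two `let` declarations the hunts use. The row layout is a constructed stand-in for a ThreatFox export, and `matches_domain` is an assumed subdomain-aware check for reviewing DnsEvents hits.

```python
"""Turn defanged ThreatFox rows into the Sentinel KQL IOC lists used by the KongTuke hunts."""
import json
import re
from urllib.parse import urlparse

# Constructed sample rows: the three KongTuke entries from the IOC table, as a feed export.
THREATFOX_ROWS = [
    {"ioc_type": "url", "ioc": "hxxps://secure-code.lol/o", "threat_type": "payload_delivery"},
    {"ioc_type": "domain", "ioc": "secure-code.lol", "threat_type": "payload_delivery"},
    {"ioc_type": "url", "ioc": "hxxps://oliveiaa.icu/api/v1/status", "threat_type": "payload_delivery"},
]


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the value matches what telemetry records."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def build_ioc_lists(rows):
    """Return (domains, urls); the host of every URL IOC is added to the domain list as well."""
    domains, urls = [], []
    for row in rows:
        value = refang(row["ioc"])
        if row["ioc_type"] == "url":
            urls.append(value)
            host = urlparse(value).hostname  # lower-cased by urlparse
            if host and host not in domains:
                domains.append(host)
        elif row["ioc_type"] == "domain" and value.lower() not in domains:
            domains.append(value.lower())
    return domains, urls


def render_kql_lets(domains, urls) -> str:
    """Emit the `let` declarations for the DnsEvents and UrlClickEvents hunts (json.dumps quotes safely)."""
    return (f"let malicious_domains = dynamic({json.dumps(domains)});\n"
            f"let malicious_urls = dynamic({json.dumps(urls)});")


def matches_domain(query_name: str, domains) -> bool:
    """True for the IOC domain itself or any subdomain of it; a lookalike such as notsecure-code.lol is not a hit."""
    name = query_name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


if __name__ == "__main__":
    print(render_kql_lets(*build_ioc_lists(THREATFOX_ROWS)))
```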
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses a script that matches one of the KongTuke IOCs (e.g., a script named backup.sh that contains a string matching a known IOC).
Filter/Exclusion: Check for the presence of a backup directory or log entry indicating a scheduled backup task, e.g., process.name = backup.sh AND file.directory = /var/backups
Scenario: Admin Task for Configuration Update
Description: An administrator is performing a configuration update on a Kong instance, and the command line includes a string that matches a KongTuke IOC (e.g., kong config set --value="malicious_value").
Filter/Exclusion: Check for the presence of a user with admin privileges and a command that includes kong config set, e.g., user.name = admin AND process.args = "kong config set"
Scenario: Log Rotation Job
Description: A log rotation script (e.g., logrotate.sh) includes a string that matches a KongTuke IOC due to similar syntax or formatting.
Filter/Exclusion: Check for the presence of a log rotation directory or log file, e.g., file.directory = /var/log/rotate OR file.name = rotated_logfile.log
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a package or artifact that contains a string matching a KongTuke IOC due to a naming convention or version string.
Filter/Exclusion: Check for the presence of a CI/CD tool or pipeline configuration file, e.g., process.name = gitlab-runner OR file.name = .gitlab-ci.yml
Scenario: Database Maintenance Script
Description: A database maintenance script