The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats that may be leveraging compromised infrastructure to steal sensitive data.
IOC Summary

Malware Family: KongTuke
Total IOCs: 7
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://secure-code.lol/o | payload_delivery | 2026-06-12 | 100% |
| domain | secure-code.lol | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://oliveiaa.icu/api/v1/status | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://oliveiaa.icu/file.js | payload_delivery | 2026-06-12 | 100% |
| domain | oliveiaa.icu | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://oliveiaa.icu/api/v1/session | payload_delivery | 2026-06-12 | 100% |
| url | hxxps://oliveiaa.icu/api/v1/verify | payload_delivery | 2026-06-12 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["secure-code.lol", "oliveiaa.icu"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://secure-code.lol/o", "https://oliveiaa.icu/api/v1/status", "https://oliveiaa.icu/file.js", "https://oliveiaa.icu/api/v1/session", "https://oliveiaa.icu/api/v1/verify"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
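The two hunting queries above hard-code the IOC lists by hand. The following added example (not part of this rule page or of ThreatFox) shows the plumbing a SOC would automate around them: refanging the `hxxps://` values from the IOC table, emitting the same `let ... = dynamic([...])` declarations, and checking DNS query names and URLs offline so subdomain and case/trailing-slash variants are handled explicitly. The IOC values are the ones in the table; the function names are this example's own.

```python
"""Added example, not part of the ThreatFox rule page: refang the defanged
KongTuke IOCs from the table above, emit the KQL `let` lists used by the
hunting queries, and test DNS/URL records against the IOCs offline."""
import re
from urllib.parse import urlparse

# IOC rows exactly as the table lists them: (type, defanged value).
KONGTUKE_IOCS = [
    ("url", "hxxps://secure-code.lol/o"),
    ("domain", "secure-code.lol"),
    ("url", "hxxps://oliveiaa.icu/api/v1/status"),
    ("url", "hxxps://oliveiaa.icu/file.js"),
    ("domain", "oliveiaa.icu"),
    ("url", "hxxps://oliveiaa.icu/api/v1/session"),
    ("url", "hxxps://oliveiaa.icu/api/v1/verify"),
]

def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so values can be matched."""
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE).replace("[.]", ".")

def normalize_url(url: str) -> str:
    """Lowercase scheme and host and drop a trailing slash before comparing."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"

def split_iocs(rows):
    """Return (domains, urls): refanged, normalized, duplicates dropped."""
    domains = sorted({refang(v).lower() for t, v in rows if t == "domain"})
    urls = sorted({normalize_url(refang(v)) for t, v in rows if t == "url"})
    return domains, urls

def kql_let(name: str, values) -> str:
    """Render `let name = dynamic([...]);` as the hunting queries declare it."""
    return f"let {name} = dynamic([" + ", ".join(f'"{v}"' for v in values) + "]);"

def domain_matches(query_name: str, domains) -> bool:
    """DNS hit: the query is a listed domain or a subdomain of one
    (the KQL relies on has_any; subdomain coverage is made explicit here)."""
    q = query_name.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)

def url_matches(url: str, urls, domains) -> bool:
    """URL hit: an exact listed URL, or any URL whose host is a listed
    domain (the domain IOCs cover paths ThreatFox has not recorded yet)."""
    norm = normalize_url(url)
    host = urlparse(norm).hostname or ""
    return norm in urls or domain_matches(host, domains)
```

Feeding the output of `kql_let` into the queries keeps the Sentinel rule and the local IOC list from drifting apart when ThreatFox adds entries.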
Scenario: Scheduled backup job using rsync to transfer data to a remote server
Filter/Exclusion: Exclude processes initiated by rsync with destination IP in the company’s internal network range (e.g., 10.0.0.0/8)
Scenario: System administrator using curl to fetch a legitimate configuration file from an internal repository
Filter/Exclusion: Exclude processes where the command line includes curl and the URL matches internal repository endpoints (e.g., https://config.internal.company.com/*)
Scenario: Automated deployment tool like Ansible executing a playbook that includes a ping module to test connectivity
Filter/Exclusion: Exclude processes with ansible in the command line and the module name is ping or setup
Scenario: Database administrator running a pg_dump to export a database to a local file system
Filter/Exclusion: Exclude processes where the command line includes pg_dump and the output file path is within the local database backup directory (e.g., /backup/pg_backups/)
Scenario: IT team using scp to securely copy logs from a remote server to a central log aggregation system
Filter/Exclusion: Exclude processes where the command line includes scp and the destination IP is part of the internal log collection network (e.g., 192.168.1.0/24)