The ThreatFox: KongTuke IOCs rule detects potential adversary activity linked to the KongTuke threat group, which is associated with high-severity malicious campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises and prevent lateral movement within the network.
IOC Summary
Malware Family: KongTuke
Total IOCs: 44
IOC Types: domain, ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | uystv0cgviuwn3q.top | botnet_cc | 2026-06-01 | 100% |
| domain | tx9ssbd533ys4xu.top | botnet_cc | 2026-06-01 | 100% |
| domain | u39975ls6hsp8hz.top | botnet_cc | 2026-06-01 | 100% |
| domain | u3hqns4msrc4hei.top | botnet_cc | 2026-06-01 | 100% |
| domain | u85ogkwsp0ucbpa.top | botnet_cc | 2026-06-01 | 100% |
| domain | u8e5w7fmbaesjlu.top | botnet_cc | 2026-06-01 | 100% |
| domain | u8x7zwdx3q9x2sr.top | botnet_cc | 2026-06-01 | 100% |
| domain | udm4so530yr5w3j.top | botnet_cc | 2026-06-01 | 100% |
| domain | udul8boym9bk402.top | botnet_cc | 2026-06-01 | 100% |
| domain | uijj13g4jittyau.top | botnet_cc | 2026-06-01 | 100% |
| domain | uir0hqzy5sd867e.top | botnet_cc | 2026-06-01 | 100% |
| domain | uja2kfy9x79dpeb.top | botnet_cc | 2026-06-01 | 100% |
| domain | unfyahr421vg0i6.top | botnet_cc | 2026-06-01 | 100% |
| domain | uo7gtu8agqb1rlm.top | botnet_cc | 2026-06-01 | 100% |
| domain | uozzd7qfugrljo3.top | botnet_cc | 2026-06-01 | 100% |
| domain | us4v29jaz9cousy.top | botnet_cc | 2026-06-01 | 100% |
| domain | utnx5yilrp8tdzv.top | botnet_cc | 2026-06-01 | 100% |
| domain | utwemm1gdzs9lwe.top | botnet_cc | 2026-06-01 | 100% |
| domain | uykbedtm98ahf77.top | botnet_cc | 2026-06-01 | 100% |
| domain | t2p84fnge1wkpb2.top | botnet_cc | 2026-06-01 | 100% |
| domain | t2ypk35b0cg0y7m.top | botnet_cc | 2026-06-01 | 100% |
| domain | t7mnduxhxky8sie.top | botnet_cc | 2026-06-01 | 100% |
| domain | t7v4thgbjvin0fx.top | botnet_cc | 2026-06-01 | 100% |
| domain | tcbk5mqnutfglt6.top | botnet_cc | 2026-06-01 | 100% |
| domain | tcj2m98hg3zwupp.top | botnet_cc | 2026-06-01 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - KongTuke
let malicious_ips = dynamic(["67.217.228.3"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - KongTuke
let malicious_ips = dynamic(["67.217.228.3"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["uystv0cgviuwn3q.top", "tx9ssbd533ys4xu.top", "u39975ls6hsp8hz.top", "u3hqns4msrc4hei.top", "u85ogkwsp0ucbpa.top", "u8e5w7fmbaesjlu.top", "u8x7zwdx3q9x2sr.top", "udm4so530yr5w3j.top", "udul8boym9bk402.top", "uijj13g4jittyau.top", "uir0hqzy5sd867e.top", "uja2kfy9x79dpeb.top", "unfyahr421vg0i6.top", "uo7gtu8agqb1rlm.top", "uozzd7qfugrljo3.top", "us4v29jaz9cousy.top", "utnx5yilrp8tdzv.top", "utwemm1gdzs9lwe.top", "uykbedtm98ahf77.top", "t2p84fnge1wkpb2.top", "t2ypk35b0cg0y7m.top", "t7mnduxhxky8sie.top", "t7v4thgbjvin0fx.top", "tcbk5mqnutfglt6.top", "tcj2m98hg3zwupp.top", "th8ze11ndch4n0h.top", "tiziyditr2xof4y.top", "tmwx7sttalzchb9.top", "tnofq5azobfw9eq.top", "tscdjw24lkw42pi.top", "tsluzklz6uhkbm1.top", "tx1abouahsecw0a.top", "uycuyqarnyq16an.top", "qmogvdgy.icu", "gloason.com", "marqueq.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
// Note: has_any matches on indexed terms, so a full URL is compared as a
// sequence of tokens rather than as an exact string; use `Url in (malicious_urls)`
// if an exact, case-sensitive match is wanted.
let malicious_urls = dynamic(["http://uycuyqarnyq16an.top/1.php", "https://marqueq.lol/api/v1/status", "https://qmogvdgy.icu/d", "https://gloason.com/white/pool", "https://marqueq.lol/file.js", "https://marqueq.lol/api/v1/session", "https://marqueq.lol/api/v1/verify"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
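As an added example (not part of the ThreatFox rule or of the Sentinel content on this page), the Python below does offline what the hunting queries above do in KQL: it parses a constructed excerpt of the IOC table into typed indicator sets, matches constructed DnsEvents, DeviceNetworkEvents and UrlClickEvents rows against them, and applies the kind of exclusion the false-positive scenarios below describe (a trusted source host, a trusted destination domain such as gitlab.example.com) as an auditable `suppressed` flag instead of dropping the row. It goes beyond the page's queries in two ways: domain matching is label-based, so a subdomain of an IOC domain hits while a look-alike such as the constructed `notmarqueq.lol` does not, and a URL on an IOC domain with an unlisted path still hits. The port on the ip:port row, every event, the hostnames and the allowlist entries are constructed; only the indicator values are taken from the page.

```python
"""Match Sentinel-style events against typed ThreatFox IOCs with auditable exclusions.

Added example, not page content. Indicator values come from the page; the port on
the ip:port row, the events, hostnames and allowlist entries are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed excerpt of the IOC table, in the page's own layout.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | uystv0cgviuwn3q.top | botnet_cc | 2026-06-01 | 100% |
| domain | marqueq.lol | botnet_cc | 2026-06-01 | 100% |
| ip:port | 67.217.228.3:443 | botnet_cc | 2026-06-01 | 100% |
| url | https://marqueq.lol/api/v1/status | botnet_cc | 2026-06-01 | 100% |
"""


def norm_url(url):
    """Lower-case scheme and host, drop the fragment, keep path and query."""
    p = urlsplit(url.strip())
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}{query}"


def load_iocs(table_text):
    """Parse the markdown IOC table into per-type sets (domain, ip, url)."""
    iocs = {"domain": set(), "ip": set(), "url": set()}
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue  # header, separator or blank line
        kind, value = cells[0], cells[1]
        if kind == "domain":
            iocs["domain"].add(value.lower().rstrip("."))
        elif kind == "ip:port":
            iocs["ip"].add(value.rsplit(":", 1)[0])  # match on the IP, any port
        elif kind == "url":
            iocs["url"].add(norm_url(value))
    return iocs


def domain_hit(name, bad_domains):
    """True if name equals an IOC domain or is a subdomain of one (not a look-alike)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


@dataclass
class Allowlist:
    hosts: set = field(default_factory=set)    # known admin/maintenance machines
    domains: set = field(default_factory=set)  # trusted internal destinations


def classify(event, iocs, allow):
    """Return (matched, suppressed); suppressed hits are kept for review, not dropped."""
    table = event["table"]
    src = (event.get("Computer") or event.get("DeviceName") or "").lower()
    dest_domain = ""
    if table == "DnsEvents":
        dest_domain = event["Name"]
        matched = domain_hit(dest_domain, iocs["domain"])
    elif table == "DeviceNetworkEvents":
        matched = event["RemoteIP"] in iocs["ip"]
    elif table == "UrlClickEvents":
        url = norm_url(event["Url"])
        dest_domain = urlsplit(url).hostname or ""
        matched = url in iocs["url"] or domain_hit(dest_domain, iocs["domain"])
    else:
        matched = False
    if not matched:
        return (False, False)
    suppressed = src in allow.hosts or (dest_domain != "" and domain_hit(dest_domain, allow.domains))
    return (True, suppressed)


def hunt(events, iocs, allow):
    """Return [(event, suppressed)] for every event that matches an IOC."""
    hits = []
    for e in events:
        matched, suppressed = classify(e, iocs, allow)
        if matched:
            hits.append((e, suppressed))
    return hits


def to_kql_let(name, values):
    """Render a KQL let statement, including the terminating semicolon KQL requires."""
    items = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{items}]);"


# Constructed events shaped like the Sentinel/Defender tables used on the page.
EVENTS = [
    {"table": "DnsEvents", "Computer": "WS01", "Name": "uystv0cgviuwn3q.top"},
    {"table": "DnsEvents", "Computer": "WS02", "Name": "cdn.marqueq.lol."},    # subdomain, trailing dot
    {"table": "DnsEvents", "Computer": "WS03", "Name": "notmarqueq.lol"},      # look-alike: no hit
    {"table": "DnsEvents", "Computer": "WS04", "Name": "gitlab.example.com"},  # not an IOC at all
    {"table": "DeviceNetworkEvents", "DeviceName": "SRV01", "RemoteIP": "67.217.228.3", "RemotePort": 443},
    {"table": "DeviceNetworkEvents", "DeviceName": "PATCH01", "RemoteIP": "67.217.228.3", "RemotePort": 80},
    {"table": "UrlClickEvents", "AccountUpn": "user@example.com", "Url": "HTTPS://MARQUEQ.LOL/api/v1/status"},
    {"table": "UrlClickEvents", "AccountUpn": "user@example.com", "Url": "https://marqueq.lol/other"},
]
ALLOW = Allowlist(hosts={"patch01"}, domains={"gitlab.example.com"})  # constructed

if __name__ == "__main__":
    iocs = load_iocs(IOC_TABLE)
    print(to_kql_let("malicious_domains", iocs["domain"]))
    for e, suppressed in hunt(EVENTS, iocs, ALLOW):
        print("SUPPRESSED" if suppressed else "ALERT", e)
```

The allowlist is keyed on specific hosts and destination domains rather than on a process name alone, and a suppressed hit is still returned, so an exclusion such as the maintenance-host case below stays visible in the hunt output and can be reviewed rather than silently discarded.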
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled task runs a script that temporarily accesses the same network location as one of the KongTuke IOCs as part of a routine system cleanup or patching process.
Filter/Exclusion: Exclude network traffic to the IOC if the source is a known system maintenance tool (e.g., schtasks.exe, Task Scheduler, or a script from a trusted internal tooling repository).
Scenario: Admin access to internal repository via SSH
Description: A system administrator connects to an internal Git repository using SSH, which is flagged due to a matching IOC in the repository’s metadata or configuration.
Filter/Exclusion: Exclude SSH connections to internal repositories if the source IP is from a known admin workstation or the destination is a trusted internal Git server (e.g., gitlab.example.com).
Scenario: Use of legitimate monitoring tool with similar domain
Description: A legitimate monitoring tool (e.g., Prometheus, Grafana, or Zabbix) uses a domain that matches one of the KongTuke IOCs due to a naming similarity.
Filter/Exclusion: Exclude traffic to domains that are known to be used by legitimate monitoring tools or are part of the organization’s internal monitoring infrastructure.
Scenario: Internal development environment with similar artifact names
Description: A developer’s local environment or a CI/CD pipeline uses a file or artifact with a name similar to a KongTuke IOC, leading to a false positive.
Filter/Exclusion: Exclude file access or network traffic involving artifacts from internal development environments or CI/CD pipelines (e.g., jenkins, git, docker, or k8s related traffic).
Scenario: Legitimate API call to a third-party service
Description: A legitimate application makes an API call to