The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and command-and-control communications. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises by this advanced threat actor.
IOC Summary
Malware Family: KongTuke
Total IOCs: 14
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://ryfsowiu.icu/d | payload_delivery | 2026-05-26 | 100% |
| domain | ryfsowiu.icu | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://hartunh.lol/api/v1/status | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://cdnmlmdptb.icu/d | payload_delivery | 2026-05-26 | 100% |
| domain | cdnmlmdptb.icu | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://eegelhardt.lol/file.js | payload_delivery | 2026-05-26 | 100% |
| domain | eegelhardt.lol | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://eegelhardt.lol/api/v1/session | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://eegelhardt.lol/api/v1/verify | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://hartunh.lol/api/v1/verify | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://hartunh.lol/file.js | payload_delivery | 2026-05-26 | 100% |
| domain | hartunh.lol | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://hartunh.lol/api/v1/session | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://eegelhardt.lol/api/v1/status | payload_delivery | 2026-05-26 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["ryfsowiu.icu", "cdnmlmdptb.icu", "eegelhardt.lol", "hartunh.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://ryfsowiu.icu/d", "https://hartunh.lol/api/v1/status", "https://cdnmlmdptb.icu/d", "https://eegelhardt.lol/file.js", "https://eegelhardt.lol/api/v1/session", "https://eegelhardt.lol/api/v1/verify", "https://hartunh.lol/api/v1/verify", "https://hartunh.lol/file.js", "https://hartunh.lol/api/v1/session", "https://eegelhardt.lol/api/v1/status"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
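The two queries above hand the matching to Sentinel. The following Python script is an added example, not part of the ThreatFox rule or this page: it refangs the IOC values exactly as published in the table (hxxps → https), then runs the same domain and URL matching offline over constructed DNS and proxy log lines. It makes explicit the edge cases a hunter usually wants decided deliberately: subdomains of an IOC domain count as hits, a lookalike such as `hartunh.lol.example.net` does not, trailing dots and letter case are normalised, and a URL IOC is compared on host and path so a query string does not defeat it while a different path on a listed domain still surfaces as a domain hit. The log-line formats are invented for the example.

```python
"""Refang ThreatFox IOCs and match them against sample log lines.

Added example; not part of the ThreatFox KongTuke rule page. The IOC values
are the ones published in the table above. The log lines are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Defanged IOCs exactly as published in the table above.
DEFANGED_IOCS = [
    ("url", "hxxps://ryfsowiu.icu/d"),
    ("domain", "ryfsowiu.icu"),
    ("url", "hxxps://hartunh.lol/api/v1/status"),
    ("url", "hxxps://cdnmlmdptb.icu/d"),
    ("domain", "cdnmlmdptb.icu"),
    ("url", "hxxps://eegelhardt.lol/file.js"),
    ("domain", "eegelhardt.lol"),
    ("url", "hxxps://eegelhardt.lol/api/v1/session"),
    ("url", "hxxps://eegelhardt.lol/api/v1/verify"),
    ("url", "hxxps://hartunh.lol/api/v1/verify"),
    ("url", "hxxps://hartunh.lol/file.js"),
    ("domain", "hartunh.lol"),
    ("url", "hxxps://hartunh.lol/api/v1/session"),
    ("url", "hxxps://eegelhardt.lol/api/v1/status"),
]


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def build_indicator_sets(iocs) -> Tuple[Set[str], Dict[Tuple[str, str], str]]:
    """Return (domain set, {(host, path): normalised url}) from the IOC list."""
    domains: Set[str] = set()
    urls: Dict[Tuple[str, str], str] = {}
    for ioc_type, raw in iocs:
        val = refang(raw).lower()
        if ioc_type == "domain":
            domains.add(val.rstrip("."))
        elif ioc_type == "url":
            p = urlsplit(val)
            urls[(p.hostname, p.path or "/")] = f"{p.scheme}://{p.hostname}{p.path}"
    return domains, urls


def host_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the IOC domain if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None  # lookalikes such as ioc-domain.example.net fall through here


# Constructed sample logs: "<timestamp> <computer> <queried name>"
SAMPLE_DNS = [
    "2026-05-26T09:10:00Z WS01 cdn.hartunh.lol",
    "2026-05-26T09:10:05Z WS02 hartunh.lol.example.net",  # lookalike, must not match
    "2026-05-26T09:10:09Z WS03 login.microsoftonline.com",
    "2026-05-26T09:11:00Z WS04 ryfsowiu.icu.",  # FQDN form with trailing dot
]
# Constructed sample proxy logs: "<timestamp> <user> <url>"
SAMPLE_PROXY = [
    "2026-05-26T09:12:00Z alice https://hartunh.lol/api/v1/status?sid=123",
    "2026-05-26T09:12:30Z bob https://EEGELHARDT.LOL/file.js",
    "2026-05-26T09:13:00Z carol https://eegelhardt.lol/api/v1/other",  # domain hit only
    "2026-05-26T09:14:00Z dave https://example.com/d",
]


def hunt(dns_lines: List[str], proxy_lines: List[str], iocs=DEFANGED_IOCS):
    """Return [(log line, ioc type, matched indicator)] for every hit."""
    domains, urls = build_indicator_sets(iocs)
    hits = []
    for line in dns_lines:
        d = host_matches(line.split()[-1], domains)
        if d:
            hits.append((line, "domain", d))
    for line in proxy_lines:
        p = urlsplit(line.split()[-1].lower())
        host = p.hostname or ""
        key = (host, p.path or "/")
        if key in urls:  # exact host+path match, query string ignored
            hits.append((line, "url", urls[key]))
        else:
            d = host_matches(host, domains)
            if d:
                hits.append((line, "domain", d))
    return hits


if __name__ == "__main__":
    for line, kind, value in hunt(SAMPLE_DNS, SAMPLE_PROXY):
        print(f"{kind:6} {value:40} <- {line}")
```

Run stand-alone it reports five hits: two DNS (the subdomain and the trailing-dot FQDN) and three proxy (two exact URL matches, one domain-only match), and nothing for the lookalike or the benign lines. The same split between "URL matched exactly" and "only the domain matched" is useful when triaging Sentinel results, since the second class is where scoping and exclusions are most often needed.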
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled job for KongTuke configuration backup | A scheduled job runs to back up KongTuke configuration files, which may include known IOCs in the detection logic. | `process.name != "backup_script.sh" OR process.args NOT LIKE "%kongtuke_config_backup%"` |
| Admin task to update KongTuke plugins using the CLI | An administrator uses the KongTuke CLI to update plugins, which may trigger the detection rule because command-line arguments match IOCs. | `process.name != "kongtuke-cli" OR process.args NOT LIKE "%update-plugin%"` |
| Regular system monitoring tool logging KongTuke activity | A system monitoring tool logs KongTuke-related events, such as API gateway activity, which may include IOCs from the detection rule. | `process.name != "monitoring_tool" OR process.args NOT LIKE "%kongtuke_activity%"` |
| Development environment testing KongTuke with mock data | Developers use KongTuke in a test environment with mock data, which may contain IOCs that match the detection rule. | `process.name != "kongtuke_dev" OR process.args NOT LIKE "%mock_data%"` |
| Log analysis tool parsing KongTuke access logs | A log analysis tool processes KongTuke access logs, which may include IP addresses or endpoints that match the IOCs in the rule. | `process.name != "log_analyzer" OR process.args NOT LIKE "%kongtuke_access_logs%"` |

Note: these exclusions are written against `process.name` and `process.args`, which are not among the columns the DnsEvents and UrlClickEvents queries above return; they need to be translated to the relevant table's own columns before being applied to those hunts.