The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threat (APT) campaigns that may be leveraging compromised infrastructure to steal sensitive data.
IOC Summary
Malware Family: KongTuke
Total IOCs: 7
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://hegmaen.com/file.js | payload_delivery | 2026-04-24 | 100% |
| domain | hegmaen.com | payload_delivery | 2026-04-24 | 100% |
| url | hxxps://hegmaen.com/t | payload_delivery | 2026-04-24 | 100% |
| url | hxxps://hegmaen.com/g | payload_delivery | 2026-04-24 | 100% |
| url | hxxps://hegmaen.com/c | payload_delivery | 2026-04-24 | 100% |
| url | hxxps://86hg23aljj9.com/d | payload_delivery | 2026-04-24 | 100% |
| domain | 86hg23aljj9.com | payload_delivery | 2026-04-24 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["hegmaen.com", "86hg23aljj9.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://hegmaen.com/file.js", "https://hegmaen.com/t", "https://hegmaen.com/g", "https://hegmaen.com/c", "https://86hg23aljj9.com/d"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
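The IOC table above is published defanged (hxxps), while the two hunts match on live DNS names and URLs. As an added example that is not part of this rule page, the Python helper below refangs the table, derives a domain watchlist from the URL indicators as well, and matches constructed DnsEvents/UrlClickEvents-style rows using suffix matching on hostnames, so subdomains of an indicator domain hit while look-alikes such as nothegmaen.com do not. The sample rows are constructed, not real telemetry.

```python
import re
from urllib.parse import urlsplit

# The IOC table from the page, as published (defanged with hxxps).
KONGTUKE_IOCS = [
    ("url", "hxxps://hegmaen.com/file.js"), ("domain", "hegmaen.com"),
    ("url", "hxxps://hegmaen.com/t"), ("url", "hxxps://hegmaen.com/g"),
    ("url", "hxxps://hegmaen.com/c"), ("url", "hxxps://86hg23aljj9.com/d"),
    ("domain", "86hg23aljj9.com"),
]

def refang(value):
    """Undo common defanging (hxxp -> http, [.] -> .) so IOCs match real logs."""
    return re.sub(r"^hxxp", "http", value, flags=re.I).replace("[.]", ".")

def build_watchlist(iocs):
    """Return (domains, urls); hosts of URL indicators also feed the domain set."""
    domains, urls = set(), set()
    for ioc_type, raw in iocs:
        value = refang(raw).lower().rstrip("/")
        if ioc_type == "domain":
            domains.add(value)
        elif ioc_type == "url":
            urls.add(value)
            domains.add(urlsplit(value).hostname)
    return domains, urls

def domain_matches(name, domains):
    """Exact or subdomain match; 'nothegmaen.com' must not hit 'hegmaen.com'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def url_matches(url, urls):
    """Exact match after normalising scheme/host case and a trailing slash."""
    p = urlsplit(url.strip())
    return f"{p.scheme}://{p.netloc.lower()}{p.path}".rstrip("/") in urls

def hunt(dns_events, url_events, iocs=KONGTUKE_IOCS):
    """Filter DnsEvents-like and UrlClickEvents-like rows against the watchlist."""
    domains, urls = build_watchlist(iocs)
    dns_hits = [e["Name"] for e in dns_events if domain_matches(e["Name"], domains)]
    url_hits = [e["Url"] for e in url_events if url_matches(e["Url"], urls)]
    return dns_hits, url_hits

# Constructed sample rows (not real telemetry): subdomain, look-alike, trailing-dot
# FQDN, upper-case scheme, trailing slash, and one path that is not an indicator.
SAMPLE_DNS = [{"Name": "cdn.hegmaen.com"}, {"Name": "nothegmaen.com"},
              {"Name": "86hg23aljj9.com."}]
SAMPLE_URLS = [{"Url": "HTTPS://hegmaen.com/file.js"}, {"Url": "https://hegmaen.com/t/"},
               {"Url": "https://hegmaen.com/x"}]
```

Run `hunt(SAMPLE_DNS, SAMPLE_URLS)` to see which constructed rows the watchlist flags.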
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled job runs using crontab to perform routine system maintenance, which includes executing a script that matches one of the KongTuke IOCs.
Filter/Exclusion: Exclude processes initiated by crontab or with USER field set to root and COMMAND matching known maintenance scripts.

Scenario: Admin task using PowerShell for log analysis
Description: An administrator uses PowerShell to analyze system logs, and the script includes a command that matches a KongTuke IOC.
Filter/Exclusion: Exclude processes with ProcessName equal to powershell.exe and CommandLine containing known log analysis tools or scripts.

Scenario: Legitimate use of tar for backup operations
Description: A backup process uses the tar command to archive files, and the command line includes a path or argument that matches a KongTuke IOC.
Filter/Exclusion: Exclude processes with ProcessName equal to tar and CommandLine containing known backup directories or scripts.

Scenario: Development environment using Docker for container orchestration
Description: A developer runs a Docker container that includes a script or command matching a KongTuke IOC as part of a CI/CD pipeline.
Filter/Exclusion: Exclude processes with ProcessName equal to docker or docker-compose and CommandLine containing known CI/CD tooling or development directories.

Scenario: System update using yum or apt
Description: A system update process using yum or apt includes a package or command that matches a KongTuke IOC due to a naming overlap.
Filter/Exclusion: Exclude processes with ProcessName equal to yum or apt