The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and command-and-control communications. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats leveraging known malicious infrastructure.
IOC Summary
Malware Family: KongTuke Total IOCs: 14 IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | onefunnydog.com | botnet_cc | 2026-06-06 | 100% |
| domain | lowfoodanddrink.com | botnet_cc | 2026-06-06 | 100% |
| domain | u9ppj9u3hfphtv7.top | botnet_cc | 2026-06-06 | 100% |
| domain | vednb0n9eo7pn6z.top | botnet_cc | 2026-06-06 | 100% |
| domain | vj2k4sffbxpxhhr.top | botnet_cc | 2026-06-06 | 100% |
| domain | gm0vmvr1kt1i1n8.top | botnet_cc | 2026-06-06 | 100% |
| url | hxxps://loureiru.lol/file.js | payload_delivery | 2026-06-06 | 100% |
| domain | loureiru.lol | payload_delivery | 2026-06-06 | 100% |
| url | hxxps://loureiru.lol/api/v1/session | payload_delivery | 2026-06-06 | 100% |
| url | hxxps://loureiru.lol/api/v1/verify | payload_delivery | 2026-06-06 | 100% |
| url | hxxps://loureiru.lol/api/v1/status | payload_delivery | 2026-06-06 | 100% |
| url | hxxps://diranda.lol/api/v1/status | payload_delivery | 2026-06-06 | 100% |
| url | hxxps://captcha-checkpoint.top/o | payload_delivery | 2026-06-06 | 100% |
| domain | captcha-checkpoint.top | payload_delivery | 2026-06-06 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["onefunnydog.com", "lowfoodanddrink.com", "u9ppj9u3hfphtv7.top", "vednb0n9eo7pn6z.top", "vj2k4sffbxpxhhr.top", "gm0vmvr1kt1i1n8.top", "loureiru.lol", "captcha-checkpoint.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://loureiru.lol/file.js", "https://loureiru.lol/api/v1/session", "https://loureiru.lol/api/v1/verify", "https://loureiru.lol/api/v1/status", "https://diranda.lol/api/v1/status", "https://captcha-checkpoint.top/o"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job for Log Rotation
Description: A legitimate scheduled job runs to rotate and archive logs, which may involve file access patterns similar to those seen in the KongTuke IOC.
Filter/Exclusion: Exclude processes related to log rotation tools like logrotate or rsyslog with command-line arguments containing rotate or archive.
Scenario: Admin Task for Configuration Backup
Description: An administrator performs a routine backup of configuration files, which may involve copying or moving files that match the IOC patterns.
Filter/Exclusion: Exclude processes initiated by admin users with elevated privileges and command lines containing backup, copy, or scp.
Scenario: Kubernetes Pod Management
Description: A Kubernetes cluster may have pods that are being managed or deleted, which could involve file system operations that resemble IOC activity.
Filter/Exclusion: Exclude processes associated with kubectl or kubeadm with actions like delete, scale, or rollout.
Scenario: Database Maintenance Task
Description: A database maintenance script runs to clean up old data or optimize tables, which may involve file system access that matches the IOC.
Filter/Exclusion: Exclude processes related to database tools like mysqldump, pg_dump, or sqlcmd with arguments containing backup, clean, or optimize.
Scenario: Software Update or Patch Deployment
Description: A patch or update process is deployed across the network, which may involve file transfers or installations that trigger the IOC detection.
Filter/Exclusion: Exclude processes initiated by update management tools like Ansible, Chef, or Puppet with command lines containing update, patch, or install.