The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise by a sophisticated threat actor leveraging known malicious infrastructure.
IOC Summary
Malware Family: KongTuke
Total IOCs: 4
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://diranda.lol/file.js | payload_delivery | 2026-06-05 | 100% |
| domain | diranda.lol | payload_delivery | 2026-06-05 | 100% |
| url | hxxps://diranda.lol/api/v1/session | payload_delivery | 2026-06-05 | 100% |
| url | hxxps://diranda.lol/api/v1/verify | payload_delivery | 2026-06-05 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["diranda.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://diranda.lol/file.js", "https://diranda.lol/api/v1/session", "https://diranda.lol/api/v1/verify"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
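As an added example (not part of the ThreatFox feed or of this page), the same two hunts in Python over constructed DnsEvents/UrlClickEvents-style records: it refangs the hxxps:// values from the table, matches DNS names on the host (exact or subdomain) instead of on substrings, and also flags clicks whose URL differs from the listed ones only by query string. The record shapes and sample values are assumptions.

```python
from urllib.parse import urlsplit

# IOC values as listed in the table above (defanged with hxxps://).
KONGTUKE_IOCS = [
    {"type": "url", "value": "hxxps://diranda.lol/file.js"},
    {"type": "domain", "value": "diranda.lol"},
    {"type": "url", "value": "hxxps://diranda.lol/api/v1/session"},
    {"type": "url", "value": "hxxps://diranda.lol/api/v1/verify"},
]

# Constructed sample records (not real telemetry), mirroring the projected columns.
SAMPLE_DNS_EVENTS = [
    {"Computer": "WS01", "Name": "diranda.lol", "QueryType": 1},
    {"Computer": "WS02", "Name": "cdn.diranda.lol", "QueryType": 1},
    {"Computer": "WS03", "Name": "notdiranda.lol", "QueryType": 1},  # must NOT match
    {"Computer": "WS04", "Name": "example.com", "QueryType": 1},
]
SAMPLE_URL_CLICKS = [
    {"AccountUpn": "a@example.test", "Url": "https://diranda.lol/file.js"},
    {"AccountUpn": "b@example.test", "Url": "https://diranda.lol/api/v1/session?id=1"},
    {"AccountUpn": "c@example.test", "Url": "https://example.com/login"},
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps://, hxxp://, [.]) back into a usable value."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")

def domain_matches(name: str, domains: set) -> bool:
    """True for the exact host or any subdomain; avoids 'notdiranda.lol'-style substring hits."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def hunt(dns_events, url_clicks, iocs=KONGTUKE_IOCS):
    """Return (dns_hits, url_hits) for the domain and URL indicators in `iocs`."""
    domains = {refang(i["value"]).lower() for i in iocs if i["type"] == "domain"}
    urls = {refang(i["value"]) for i in iocs if i["type"] == "url"}
    # The host of every URL indicator is itself a domain indicator.
    domains |= {h for h in (urlsplit(u).hostname for u in urls) if h}
    dns_hits = [e for e in dns_events if domain_matches(e["Name"], domains)]
    url_hits = [e for e in url_clicks
                if e["Url"] in urls or domain_matches(urlsplit(e["Url"]).hostname or "", domains)]
    return dns_hits, url_hits

if __name__ == "__main__":
    dns_hits, url_hits = hunt(SAMPLE_DNS_EVENTS, SAMPLE_URL_CLICKS)
    for e in dns_hits:
        print("DNS hit:", e["Computer"], e["Name"])
    for e in url_hits:
        print("URL hit:", e["AccountUpn"], e["Url"])
```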
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled job runs a backup script that uses a tool like rsync or tar to archive data, which may inadvertently match the IOC pattern due to similar command structures.
Filter/Exclusion: Exclude processes initiated by the system scheduler (e.g., cron, systemd-timedated, or at) or filter by command-line arguments containing backup, archive, or restore.
Scenario: Admin Task – User Account Management
Description: An administrator uses the useradd or usermod command to manage user accounts, which may include strings resembling malicious IOCs due to similar syntax.
Filter/Exclusion: Exclude processes with the root user or those initiated via the sudo command, or filter by command-line arguments containing useradd, usermod, or passwd.
Scenario: Log Rotation Using logrotate
Description: The logrotate utility is used to manage log files, and its configuration files may contain strings that match the IOC patterns due to similar formatting.
Filter/Exclusion: Exclude processes related to logrotate or filter by command-line arguments containing logrotate, rotate, or compress.
Scenario: Database Maintenance Task
Description: A database administrator runs a maintenance script using pg_dump (PostgreSQL) or mysqldump (MySQL), which may include command-line arguments that resemble malicious IOCs.
Filter/Exclusion: Exclude processes related to database tools (e.g., pg_dump, mysqldump, pg_restore) or filter by command-line arguments containing dump, backup, or restore.
Scenario: Network Monitoring Tool Configuration
Description: A network monitoring tool like tcpdump or `n