The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging these IOCs before significant data loss or system compromise occurs.
IOC Summary
Malware Family: KongTuke
Total IOCs: 8
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://eellner.lol/file.js | payload_delivery | 2026-05-25 | 100% |
| domain | eellner.lol | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://eellner.lol/api/v1/session | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://eellner.lol/api/v1/verify | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://schluter.lol/file.js | payload_delivery | 2026-05-25 | 100% |
| domain | schluter.lol | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://schluter.lol/api/v1/session | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://schluter.lol/api/v1/verify | payload_delivery | 2026-05-25 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
// has_any also matches subdomains of the listed names (e.g. cdn.eellner.lol)
let malicious_domains = dynamic(["eellner.lol", "schluter.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
// URLs are refanged (hxxps -> https) from the defanged form shown in the IOC table
let malicious_urls = dynamic(["https://eellner.lol/file.js", "https://eellner.lol/api/v1/session", "https://eellner.lol/api/v1/verify", "https://schluter.lol/file.js", "https://schluter.lol/api/v1/session", "https://schluter.lol/api/v1/verify"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
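The two hunts above match the published IOCs against DNS and URL-click telemetry. The following is an added example, not part of the original rule or ThreatFox, that reproduces the same logic offline in Python: it refangs the indicators exactly as listed in the IOC table, then runs them over constructed sample DnsEvents and UrlClickEvents rows. It also handles the cases analysts most often get wrong: subdomains of a listed domain, mixed-case hosts, query strings and trailing slashes on a listed URL, and a look-alike name such as `schluter.lol.example.org`, which is a different registrable domain and is deliberately not counted. All event rows and the `ws01`/`ws02` host names are constructed sample data.

```python
"""Offline matcher mirroring the two Sentinel hunts for the KongTuke IOCs.

Added example, not part of the original rule. The IOCs are the ones
published in the table; every event below is constructed sample data.
"""
from urllib.parse import urlsplit

# IOCs exactly as published (defanged with hxxps), as (type, value) pairs
KONGTUKE_IOCS = [
    ("url", "hxxps://eellner.lol/file.js"),
    ("domain", "eellner.lol"),
    ("url", "hxxps://eellner.lol/api/v1/session"),
    ("url", "hxxps://eellner.lol/api/v1/verify"),
    ("url", "hxxps://schluter.lol/file.js"),
    ("domain", "schluter.lol"),
    ("url", "hxxps://schluter.lol/api/v1/session"),
    ("url", "hxxps://schluter.lol/api/v1/verify"),
]

# Constructed sample telemetry shaped like the Sentinel tables used above
DNS_EVENTS = [
    {"TimeGenerated": "2026-05-25T10:01:00Z", "Computer": "ws01",
     "Name": "cdn.eellner.lol", "QueryType": "A"},            # subdomain -> hit
    {"TimeGenerated": "2026-05-25T10:02:00Z", "Computer": "ws02",
     "Name": "schluter.lol", "QueryType": "A"},               # exact -> hit
    {"TimeGenerated": "2026-05-25T10:03:00Z", "Computer": "ws03",
     "Name": "schluter.lol.example.org", "QueryType": "A"},   # look-alike -> no hit
    {"TimeGenerated": "2026-05-25T10:04:00Z", "Computer": "ws04",
     "Name": "www.microsoft.com", "QueryType": "A"},          # benign -> no hit
]
URL_CLICK_EVENTS = [
    {"Timestamp": "2026-05-25T10:05:00Z", "AccountUpn": "a@example.com",
     "Url": "https://EELLNER.lol/file.js?v=3"},               # case + query -> hit
    {"Timestamp": "2026-05-25T10:06:00Z", "AccountUpn": "b@example.com",
     "Url": "https://schluter.lol/api/v1/verify/"},           # trailing slash -> hit
    {"Timestamp": "2026-05-25T10:07:00Z", "AccountUpn": "c@example.com",
     "Url": "https://schluter.lol/api/v1/other"},             # unlisted path -> URL miss
    {"Timestamp": "2026-05-25T10:08:00Z", "AccountUpn": "d@example.com",
     "Url": "https://example.com/file.js"},                   # benign -> no hit
]


def refang(value: str) -> str:
    """Convert a defanged indicator (hxxps, [.], [:]) back to a live form."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", ".")
                 .replace("[:]", ":"))


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop query/fragment and trailing slash,
    so cosmetic variations of a listed URL still compare equal."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def build_indicator_sets(iocs):
    """Split the IOC list into a domain set and a normalized URL set."""
    domains = {refang(v).lower() for t, v in iocs if t == "domain"}
    urls = {normalize_url(refang(v)) for t, v in iocs if t == "url"}
    return domains, urls


def domain_matches(name: str, domains) -> bool:
    """True for an exact match or any subdomain of a listed domain.
    Tighter than KQL has_any: a name that merely contains the indicator
    under another registrable domain is not a match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt_dns(events, domains):
    """Equivalent of the DnsEvents query: rows whose Name hits a domain IOC."""
    return [e for e in events if domain_matches(e["Name"], domains)]


def hunt_urls(events, urls):
    """Equivalent of the UrlClickEvents query: rows whose Url hits a URL IOC."""
    return [e for e in events if normalize_url(e["Url"]) in urls]


def hunt_url_hosts(events, domains):
    """Broader pivot: clicks whose host is a listed domain even when the
    exact path is not on the list (catches the 'unlisted path' row)."""
    return [e for e in events
            if domain_matches(urlsplit(e["Url"]).hostname or "", domains)]


if __name__ == "__main__":
    doms, url_set = build_indicator_sets(KONGTUKE_IOCS)
    for e in hunt_dns(DNS_EVENTS, doms):
        print("DNS hit :", e["Computer"], e["Name"])
    for e in hunt_urls(URL_CLICK_EVENTS, url_set):
        print("URL hit :", e["AccountUpn"], e["Url"])
    for e in hunt_url_hosts(URL_CLICK_EVENTS, doms):
        print("Host hit:", e["AccountUpn"], e["Url"])
```

The third function is the practical lesson: a URL-only hunt misses `https://schluter.lol/api/v1/other` because that exact path was never published, while a host-level pivot on the domain IOCs still surfaces it. In Sentinel the same effect comes from running the DnsEvents query (or extracting the host from `Url`) alongside the UrlClickEvents query rather than relying on the URL list alone.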
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses a script that matches one of the KongTuke IOCs (e.g., a command-line tool or script name).
Filter/Exclusion: Exclude processes initiated by the backup scheduler (e.g., schtasks.exe or at.exe) or check for presence of backup directories (e.g., C:\Backup\).
Scenario: Admin Task - User Management Script
Description: An admin runs a script to manage user accounts, which includes a command or file path matching a KongTuke IOC.
Filter/Exclusion: Exclude processes started by the local administrator account or check for presence of user management tools (e.g., Active Directory Users and Computers).
Scenario: Log Collection Tool Using Known IOC
Description: A log collection tool (e.g., Splunk, ELK Stack) uses a known IOC in its configuration or scripts for logging purposes.
Filter/Exclusion: Exclude processes associated with log collection tools or check for presence of log management directories (e.g., C:\Logs\).
Scenario: DevOps Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a package or artifact that contains a KongTuke IOC as part of its build process.
Filter/Exclusion: Exclude processes initiated by CI/CD agents or check for presence of build directories (e.g., C:\Jenkins\workspace\).
Scenario: Network Monitoring Tool with Known IOC
Description: A network monitoring tool (e.g., Wireshark, tcpdump) includes a known IOC in its configuration or scripts for packet analysis.
Filter/Exclusion: Exclude processes associated with network monitoring tools or check for presence of