The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises and prevent lateral movement within the network.
IOC Summary
Malware Family: KongTuke
Total IOCs: 9
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | tiixeira.lol | botnet_cc | 2026-06-04 | 100% |
| url | hxxps://tiixeira.lol/m | botnet_cc | 2026-06-04 | 100% |
| url | hxxps://rueckec.lol/api/v1/status | payload_delivery | 2026-06-04 | 100% |
| url | hxxps://confirmyouarehuman.top/o | payload_delivery | 2026-06-04 | 100% |
| domain | confirmyouarehuman.top | payload_delivery | 2026-06-04 | 100% |
| url | hxxps://rueckec.lol/file.js | payload_delivery | 2026-06-04 | 100% |
| domain | rueckec.lol | payload_delivery | 2026-06-04 | 100% |
| url | hxxps://rueckec.lol/api/v1/session | payload_delivery | 2026-06-04 | 100% |
| url | hxxps://rueckec.lol/api/v1/verify | payload_delivery | 2026-06-04 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["tiixeira.lol", "confirmyouarehuman.top", "rueckec.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs (refanged from the hxxps:// form in the IOC table)
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://tiixeira.lol/m", "https://rueckec.lol/api/v1/status", "https://confirmyouarehuman.top/o", "https://rueckec.lol/file.js", "https://rueckec.lol/api/v1/session", "https://rueckec.lol/api/v1/verify"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
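The script below is an added example and not part of the ThreatFox rule page: it takes the IOC rows exactly as the table above lists them (defanged with `hxxps://`), refangs them into the form the two Sentinel queries use, and runs the equivalent of those two hunts over constructed DNS and URL-click records. The record lists and the helper names (`parse_ioc_table`, `hunt_dns`, `hunt_urls`) are assumptions for the demonstration. It goes slightly beyond the queries in that it also matches subdomains of the listed domains and strips query strings before comparing URLs, and it shows why a plain substring check (which would flag a look-alike such as `nottiixeira.lol`) is the wrong tool.

```python
"""Refang the ThreatFox KongTuke IOC table and hunt for matches in log records.

Added example, not code from the original page. The DNS and URL records
below are constructed sample data; the helper names are hypothetical.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# IOC rows copied from the page's table (defanged hxxps:// form).
IOC_TABLE = """\
| domain | tiixeira.lol | botnet_cc | 2026-06-04 | 100% |
| url | hxxps://tiixeira.lol/m | botnet_cc | 2026-06-04 | 100% |
| url | hxxps://rueckec.lol/api/v1/status | payload_delivery | 2026-06-04 | 100% |
| url | hxxps://confirmyouarehuman.top/o | payload_delivery | 2026-06-04 | 100% |
| domain | confirmyouarehuman.top | payload_delivery | 2026-06-04 | 100% |
| url | hxxps://rueckec.lol/file.js | payload_delivery | 2026-06-04 | 100% |
| domain | rueckec.lol | payload_delivery | 2026-06-04 | 100% |
| url | hxxps://rueckec.lol/api/v1/session | payload_delivery | 2026-06-04 | 100% |
| url | hxxps://rueckec.lol/api/v1/verify | payload_delivery | 2026-06-04 | 100% |
"""

# Constructed records shaped like DnsEvents (TimeGenerated, Computer, Name, QueryType).
DNS_LOG = [
    ("2026-06-04T09:12:01Z", "WS-0142", "cdn.rueckec.lol", "A"),
    ("2026-06-04T09:12:05Z", "WS-0142", "login.microsoftonline.com", "A"),
    ("2026-06-04T09:13:10Z", "WS-0231", "tiixeira.lol.", "A"),
    ("2026-06-04T09:14:00Z", "WS-0231", "nottiixeira.lol", "A"),
]

# Constructed records shaped like UrlClickEvents (Timestamp, AccountUpn, Url).
URL_LOG = [
    ("2026-06-04T09:12:07Z", "alice@example.com", "https://rueckec.lol/file.js?v=3"),
    ("2026-06-04T09:12:30Z", "bob@example.com", "https://confirmyouarehuman.top/o"),
    ("2026-06-04T09:15:00Z", "carol@example.com", "https://rueckec.lol/landing"),
    ("2026-06-04T09:16:00Z", "dave@example.com", "https://example.org/verify"),
]


def refang(value: str) -> str:
    """Undo common IOC defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":").replace("[://]", "://")


def parse_ioc_table(table: str) -> dict:
    """Return {'domain': set(...), 'url': set(...)} from markdown table rows."""
    iocs = {"domain": set(), "url": set()}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] not in iocs:
            continue  # skip header/separator rows and unknown IOC types
        iocs[cells[0]].add(refang(cells[1]).lower())
    return iocs


def domain_matches(name: str, domains: set) -> bool:
    """True if name equals a listed domain or is a subdomain of one (label-aware, not substring)."""
    name = name.lower().rstrip(".")  # DNS logs often carry a trailing root dot
    return any(name == d or name.endswith("." + d) for d in domains)


def url_matches(url: str, urls: set, domains: set) -> Optional[str]:
    """'url' for an exact IOC URL hit, 'domain' if only the host is listed, else None."""
    parts = urlsplit(url.lower())
    normalized = f"{parts.scheme}://{parts.hostname}{parts.path}"  # drop query/fragment
    if normalized in urls:
        return "url"
    if parts.hostname and domain_matches(parts.hostname, domains):
        return "domain"
    return None


def hunt_dns(records, iocs):
    """Equivalent of the DnsEvents query: keep records whose Name hits a listed domain."""
    return [r for r in records if domain_matches(r[2], iocs["domain"])]


def hunt_urls(records, iocs):
    """Equivalent of the UrlClickEvents query, tagging each hit as a URL or domain match."""
    hits = []
    for ts, user, url in records:
        kind = url_matches(url, iocs["url"], iocs["domain"])
        if kind:
            hits.append((ts, user, url, kind))
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    for hit in hunt_dns(DNS_LOG, iocs):
        print("DNS hit:", hit)
    for hit in hunt_urls(URL_LOG, iocs):
        print("URL hit:", hit)
```

The `cdn.rueckec.lol` and `rueckec.lol/landing` records are the ones worth noticing: neither appears verbatim in the feed, yet both sit under a listed domain, so a hunt keyed only on the exact URL strings would miss them.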
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector is enabled; this table holds DNS server query logs, and `Name` is the queried name |
| UrlClickEvents | Ensure the Microsoft 365 Defender connector is enabled; this table holds Safe Links click events from Defender for Office 365 |
Scenario: Scheduled Job for Log Rotation
Description: A legitimate scheduled job runs to rotate and archive logs, which may trigger the detection due to file access patterns.
Filter/Exclusion: process.name != "logrotate" or process.parent.name != "systemd"
Scenario: Admin Task – System Update via Puppet
Description: An admin is performing a system update using Puppet, which may involve downloading or executing scripts that match the IOC patterns.
Filter/Exclusion: process.name != "puppet" or process.args !~ /--no-color/
Scenario: Database Backup Using mysqldump
Description: A database backup process using mysqldump may generate temporary files or use command-line arguments that resemble malicious IOCs.
Filter/Exclusion: process.name != "mysqldump" or process.args !~ /--single-transaction/
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads artifacts from a secure internal repository, which may trigger the rule due to URL or file patterns.
Filter/Exclusion: process.name != "java" or process.args !~ /-jar\s+jenkins.war/
Scenario: Network Monitoring Tool (e.g., Wireshark) Capturing Traffic
Description: A network monitoring tool captures traffic that includes benign payloads or IP addresses matching the IOC list.
Filter/Exclusion: process.name != "tshark" or process.args !~ /--capture-filter/