← Back to SOC feed Coverage →

ThreatFox: KongTuke IOCs

ioc-hunt HIGH ThreatFox
DnsEventsUrlClickEvents
iocjs-kongtukethreatfox
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at ThreatFox →
Retrieved: 2026-03-19T03:46:59Z · Confidence: high

Hunt Hypothesis

Hunt package for 2 IOCs associated with KongTuke

IOC Summary

Malware Family: KongTuke Total IOCs: 2 IOC Types: domain, url

TypeValueThreat TypeFirst SeenConfidence
urlhxxps://afshapiro.com/searchpayload_delivery2026-03-18100%
domainafshapiro.compayload_delivery2026-03-18100%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["afshapiro.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://afshapiro.com/search"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
DnsEventsEnsure this data connector is enabled
UrlClickEventsEnsure this data connector is enabled

References

Original source: https://threatfox.abuse.ch/browse/malware/js.kongtuke/