The ThreatFox: KongTuke IOCs rule hunts for network indicators (one domain and one URL) that ThreatFox attributes to KongTuke, a threat associated with high-severity malicious behavior. Both indicators are tagged payload_delivery, so a hit is an endpoint or user that resolved or fetched a delivery site, not a confirmed infection. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage compromises before they escalate.
IOC Summary
Malware Family: KongTuke
Total IOCs: 2
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://afshapiro.com/search | payload_delivery | 2026-03-18 | 100% |
| domain | afshapiro.com | payload_delivery | 2026-03-18 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["afshapiro.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://afshapiro.com/search"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
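The two queries above are hand-written for a two-row IOC list. The script below is an added example, not part of the original rule or of ThreatFox: it refangs the defanged values from the IOC table (hxxps:// and [.]), derives the host of every URL IOC so the DNS hunt still covers endpoints with no Safe Links telemetry, renders the KQL let statements, and runs the same matching logic locally over constructed sample DnsEvents and UrlClickEvents rows. The IOC records and sample log rows are constructed for the example; the matching helpers deliberately use a tighter rule than KQL has_any (label-boundary domain match, URL compared on scheme, host and path with the query string dropped), so notafshapiro.com does not fire while cdn.afshapiro.com and a clicked URL with an appended query string do.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the two ThreatFox rows from the IOC table (example data, not a live feed pull).
THREATFOX_IOCS = [
    {"ioc_type": "url", "ioc": "hxxps://afshapiro.com/search",
     "threat_type": "payload_delivery", "confidence": 100},
    {"ioc_type": "domain", "ioc": "afshapiro.com",
     "threat_type": "payload_delivery", "confidence": 100},
]

# Constructed sample rows shaped like the Sentinel tables the queries target.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-03-18T09:01:00Z", "Computer": "ws-0417", "Name": "cdn.afshapiro.com"},
    {"TimeGenerated": "2026-03-18T09:02:00Z", "Computer": "ws-0418", "Name": "notafshapiro.com"},
    {"TimeGenerated": "2026-03-18T09:03:00Z", "Computer": "ws-0419", "Name": "AFSHAPIRO.COM."},
]
SAMPLE_URL_CLICKS = [
    {"Timestamp": "2026-03-18T09:05:00Z", "AccountUpn": "a.user@example.com",
     "Url": "https://afshapiro.com/search?q=invoice"},
    {"Timestamp": "2026-03-18T09:06:00Z", "AccountUpn": "b.user@example.com",
     "Url": "https://afshapiro.com/login"},
]


def refang(value: str) -> str:
    """Undo the defanging used in IOC exports (hxxps://, [.]) so the value matches raw logs."""
    v = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def split_iocs(records, min_confidence=75):
    """Return (domains, urls); the host of each URL IOC is also added to the domain list."""
    domains, urls = set(), set()
    for r in records:
        if r["confidence"] < min_confidence:   # drop low-confidence rows before they hit production
            continue
        v = refang(r["ioc"])
        if r["ioc_type"] == "domain":
            domains.add(v.lower().rstrip("."))
        elif r["ioc_type"] == "url":
            urls.add(v)
            host = urlsplit(v).hostname
            if host:
                domains.add(host.lower())
    return sorted(domains), sorted(urls)


def kql_dynamic(values):
    """Render a Python list as the KQL dynamic([...]) literal used in the let statements."""
    return "dynamic([" + ", ".join('"%s"' % v.replace('"', '\\"') for v in values) + "])"


def build_queries(records):
    """Produce the DnsEvents and UrlClickEvents hunting queries with the IOC lists substituted in."""
    domains, urls = split_iocs(records)
    dns = ("let malicious_domains = %s;\nDnsEvents\n| where Name has_any (malicious_domains)\n"
           "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
           "| order by TimeGenerated desc" % kql_dynamic(domains))
    url = ("let malicious_urls = %s;\nUrlClickEvents\n| where Url has_any (malicious_urls)\n"
           "| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough\n"
           "| order by Timestamp desc" % kql_dynamic(urls))
    return dns, url


def domain_matches(name, domains):
    """Exact or subdomain match on a label boundary: cdn.afshapiro.com hits, notafshapiro.com does not."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in domains)


def url_matches(url, urls):
    """Match on scheme, host and path; query strings and trailing slashes vary per victim and are ignored."""
    def key(u):
        p = urlsplit(u.strip())
        return (p.scheme.lower(), (p.hostname or "").lower(), p.path.rstrip("/") or "/")
    return key(url) in {key(u) for u in urls}


def hunt(dns_events, url_clicks, records):
    """Run both hunts locally over exported rows and return the matching events."""
    domains, urls = split_iocs(records)
    dns_hits = [e for e in dns_events if domain_matches(e["Name"], domains)]
    url_hits = [e for e in url_clicks if url_matches(e["Url"], urls)]
    return dns_hits, url_hits


if __name__ == "__main__":
    for q in build_queries(THREATFOX_IOCS):
        print(q, end="\n\n")
    d, u = hunt(SAMPLE_DNS_EVENTS, SAMPLE_URL_CLICKS, THREATFOX_IOCS)
    print("DNS hits:", [e["Computer"] for e in d])
    print("URL hits:", [e["AccountUpn"] for e in u])
```

Running the script prints the two generated queries and reports ws-0417 and ws-0419 as DNS hits and a.user@example.com as the only URL hit. If you want the local matcher to mirror Sentinel exactly, remember that KQL has_any is term-based and will also match a malicious domain that appears inside a longer name or a URL with a different path; the stricter helpers above exist so the analyst can see which hits would survive a tighter rule before tuning the query.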
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Windows DNS Events connector; if DNS logging is not onboarded the query returns nothing rather than failing, so confirm the table has recent rows before trusting an empty result. |
| UrlClickEvents | Safe Links click data from Microsoft Defender for Office 365, delivered through the Microsoft Defender XDR connector; only covers links clicked from mail and Office clients, so a domain-only hit in DnsEvents with no matching row here is still expected. |
False-positive scenarios. Note that these scenarios describe process and file telemetry (ECS-style process.name and process.parent.name fields), not the DnsEvents and UrlClickEvents tables queried above; a domain or URL indicator is never matched by a process name, so apply them only where the hunt is extended to process or file logs, and only after confirming the named process has no reason to resolve or fetch the listed domain. As originally written, the exclusions joined != tests with or, which is true for every process and therefore excludes nothing; they are rewritten here as not in.

Scenario: Scheduled Job for Log Rotation
Description: A legitimate scheduled job runs to rotate and archive logs, which may produce files whose names match the IOC pattern.
Filter/Exclusion: process.name not in ("logrotate", "rsyslogd")

Scenario: Admin Task for System Monitoring
Description: An administrator uses a tool like tcpdump or Wireshark to capture network traffic for troubleshooting; the capture itself will contain the IOC strings.
Filter/Exclusion: process.name not in ("tcpdump", "wireshark")

Scenario: Kubernetes Pod Initialization
Description: A Kubernetes pod is initializing and temporarily creates files or processes that match the IOC pattern during setup.
Filter/Exclusion: process.parent.name not in ("kubelet", "kubeadm")

Scenario: Database Backup Job
Description: A database backup tool like mysqldump or pg_dump is running and generates temporary files that may match the IOC.
Filter/Exclusion: process.name not in ("mysqldump", "pg_dump")

Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD tool like Jenkins or GitLab CI downloads artifacts, which may include files with names matching the IOC.
Filter/Exclusion: process.name not in ("java", "gitlab-runner"); excluding every java process (to cover Jenkins) is far broader than the scenario, so scope it to the Jenkins host or service account where the log source allows.