The detection identifies potential adversary activity involving malicious URLs associated with the KongTuke threat group, which is known for deploying malware through compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises and prevent lateral movement within the network.
IOC Summary

Threat: KongTuke
Total URLs: 2
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://87.232.123.174/f | offline | malware_download | 2026-06-08 |
| hxxp://87.232.123.174/p | offline | malware_download | 2026-06-08 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: KongTuke
// The IOC for this threat is a bare IP address, so match it against the
// resolved addresses as well as the queried name; a DNS query name will
// rarely contain an IP literal.
let malicious_domains = dynamic(["87.232.123.174"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: KongTuke
// Also check DestinationIP: proxies and firewalls do not always populate
// RequestURL or DestinationHostName for connections made directly to an IP.
let malicious_domains = dynamic(["87.232.123.174"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
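The same hunt applied outside Sentinel, as an added example that is not part of the original page: it refangs the two URLhaus IOCs listed above and runs them over proxy log lines. Unlike the KQL above, which matches on the host alone, it distinguishes a full-URL hit (host and path) from a host-only hit. The log line format and the sample lines are constructed for the example; only the IOC host and paths come from the page.

```python
import re
from urllib.parse import urlsplit

# The two URLhaus IOCs from this page, kept in their defanged form.
DEFANGED_IOCS = ["hxxp://87.232.123.174/f", "hxxp://87.232.123.174/p"]

def refang(url: str) -> str:
    """Reverse the usual defanging (hxxp://, [.]) so the URL can be parsed."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))

def ioc_index(defanged_urls):
    """host -> set of paths, so a full-URL hit needs both to match."""
    index = {}
    for u in defanged_urls:
        parts = urlsplit(refang(u))
        index.setdefault(parts.hostname, set()).add(parts.path)
    return index

# Assumed proxy log format (constructed): "<timestamp> <src_ip> <action> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<action>\S+)\s+(?P<url>\S+)$")

# Constructed sample lines; only the IOC host and the /f and /p paths are real.
SAMPLE_LOG = """\
2026-06-08T10:01:02Z 10.0.0.5 allow http://87.232.123.174/f
2026-06-08T10:01:09Z 10.0.0.5 allow http://87.232.123.174/favicon.ico
2026-06-08T10:02:00Z 10.0.0.7 deny http://87.232.123.174/p
2026-06-08T10:03:00Z 10.0.0.9 allow http://example.com/f
"""

def hunt(log_text: str, defanged_urls=DEFANGED_IOCS):
    """One dict per line on an IOC host; match is "url" (host+path) or "host"."""
    index = ioc_index(defanged_urls)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the expected format
        parts = urlsplit(m["url"])
        paths = index.get(parts.hostname)
        if paths is None:
            continue  # host is not an IOC host
        match = "url" if parts.path in paths else "host"
        hits.append({"ts": m["ts"], "src": m["src"], "action": m["action"],
                     "url": m["url"], "match": match})
    return hits
```

A "host" hit is still worth triage: the same infrastructure serving a path not on the IOC list is how a new stage or a rotated payload path first shows up.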
Scenario: A system administrator is manually testing a URL from URLhaus as part of a security training exercise.
Filter/Exclusion: Exclude URLs that match the urlhaus tag or are part of a known training environment.
Scenario: A scheduled job runs a script that fetches and processes URLs from URLhaus for threat intelligence purposes.
Filter/Exclusion: Exclude URLs that are part of a known threat intelligence ingestion process or tagged with urlhaus.
Scenario: A developer is using KongTuke as a legitimate tool for internal API testing and has configured it to use a malicious-looking URL for validation.
Filter/Exclusion: Exclude URLs that are associated with internal development tools like KongTuke or are part of a test environment.
Scenario: A security team is using a SIEM tool to monitor for malicious activity and has configured a rule that alerts on URLs matching the KongTuke pattern.
Filter/Exclusion: Exclude URLs that are part of SIEM configuration or monitoring tools like Splunk or ELK, or are tagged as siem.
Scenario: A DevOps pipeline includes a step that downloads and validates URLs from URLhaus as part of a CI/CD security check.
Filter/Exclusion: Exclude URLs that are part of a CI/CD pipeline or tagged with ci_cd or pipeline.