The ThreatFox: KongTuke IOCs rule detects potential adversary activity linked to the KongTuke threat group, which is associated with malware distribution and command and control operations. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated threat actor.
IOC Summary
Malware Family: KongTuke
Total IOCs: 5
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://abernaehy.lol/api/v1/status | payload_delivery | 2026-05-19 | 100% |
| url | hxxps://abernaehy.lol/api/v1/session | payload_delivery | 2026-05-19 | 100% |
| url | hxxps://abernaehy.lol/api/v1/verify | payload_delivery | 2026-05-19 | 100% |
| domain | abernaehy.lol | payload_delivery | 2026-05-19 | 100% |
| url | hxxps://abernaehy.lol/file.js | payload_delivery | 2026-05-19 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["abernaehy.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://abernaehy.lol/api/v1/status", "https://abernaehy.lol/api/v1/session", "https://abernaehy.lol/api/v1/verify", "https://abernaehy.lol/file.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
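Both hunts depend on one preparation step that the page leaves implicit: the IOC table is defanged (`hxxps://`), while the `dynamic([...])` lists in the queries need plain values, and every URL's host should also be hunted as a domain. The Python helper below is an added example, not part of the ThreatFox rule or the Sentinel queries; it refangs the table's five KongTuke rows, emits the KQL `let` statements, and models the suffix matching a DNS-name hunt should apply (the sample query names are constructed).

```python
"""Turn defanged ThreatFox IOC rows into Sentinel KQL lists and check matching."""
import re
from urllib.parse import urlsplit

# Constructed sample: the five KongTuke rows from the IOC table, as exported (defanged).
IOC_ROWS = [
    ("url", "hxxps://abernaehy.lol/api/v1/status"),
    ("url", "hxxps://abernaehy.lol/api/v1/session"),
    ("url", "hxxps://abernaehy.lol/api/v1/verify"),
    ("domain", "abernaehy.lol"),
    ("url", "hxxps://abernaehy.lol/file.js"),
]

def refang(value: str) -> str:
    """Undo the usual ThreatFox defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def split_iocs(rows):
    """Return (domains, urls). Hosts of URL IOCs are added to the domain list so a
    DNS-only hunt (DnsEvents) still covers every indicator in the feed."""
    domains, urls = set(), []
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "url":
            urls.append(value)
            domains.add(urlsplit(value).hostname.lower())
        elif ioc_type == "domain":
            domains.add(value.lower())
    return sorted(domains), urls

def kql_dynamic(name: str, values) -> str:
    """Render a KQL `let <name> = dynamic([...]);` statement with JSON-style quoting."""
    quoted = ", ".join('"%s"' % v.replace('"', '\\"') for v in values)
    return f"let {name} = dynamic([{quoted}]);"

def dns_name_matches(query_name: str, domains) -> bool:
    """True for the IOC domain itself or any subdomain of it; a lookalike that merely
    ends in the same letters (e.g. notabernaehy.lol) must not match."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

if __name__ == "__main__":
    domains, urls = split_iocs(IOC_ROWS)
    print(kql_dynamic("malicious_domains", domains))
    print(kql_dynamic("malicious_urls", urls))
```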
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled job runs a backup script that uses a tool like rsync or tar to archive system files, which may inadvertently match the IOC pattern due to similar string formatting.
Filter/Exclusion: Exclude processes initiated by the system scheduler (e.g., cron, systemd-timedated, or at), or filter by command-line arguments containing backup, archive, or restore.
Scenario: Admin Task – User Account Management
Description: An administrator uses a tool like usermod or passwd to modify user accounts, which may trigger the rule if the command includes strings similar to the KongTuke IOCs.
Filter/Exclusion: Exclude processes run by the root user, or those containing keywords like user, passwd, or modify in the command line.
Scenario: Log Rotation Using Logrotate
Description: The logrotate utility is used to manage log files, and its configuration files or commands may contain strings that match the KongTuke IOC patterns.
Filter/Exclusion: Exclude processes related to logrotate or files in the /etc/logrotate.d/ directory, or filter by command-line arguments containing rotate or compress.
Scenario: Database Maintenance Task with pg_dump
Description: A database administrator runs pg_dump to back up a PostgreSQL database, and the command line may include strings that resemble the KongTuke IOCs.
Filter/Exclusion: Exclude processes related to PostgreSQL (pg_dump, psql, etc.) or filter by command-line arguments containing backup, dump, or restore.
Scenario: Network Monitoring Tool with tcpdump
Description: A network analyst uses `tcpdump