The ThreatFox: KongTuke IOCs rule detects potential adversary activity associated with the KongTuke threat group, which is linked to malicious network traffic and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging these IOCs before significant data loss or system compromise occurs.
IOC Summary
Malware Family: KongTuke
Total IOCs: 5
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://keneedy.lol/file.js | payload_delivery | 2026-05-20 | 100% |
| domain | keneedy.lol | payload_delivery | 2026-05-20 | 100% |
| url | hxxps://keneedy.lol/api/v1/session | payload_delivery | 2026-05-20 | 100% |
| url | hxxps://keneedy.lol/api/v1/verify | payload_delivery | 2026-05-20 | 100% |
| url | hxxps://keneedy.lol/api/v1/status | payload_delivery | 2026-05-20 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - KongTuke
let malicious_domains = dynamic(["keneedy.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - KongTuke
let malicious_urls = dynamic(["https://keneedy.lol/file.js", "https://keneedy.lol/api/v1/session", "https://keneedy.lol/api/v1/verify", "https://keneedy.lol/api/v1/status"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
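The two hunts above were assembled by hand from the IOC table. As an added example (not part of the ThreatFox feed or the original rule), the Python script below refangs the published hxxps values, generates the same two KQL hunts per Sentinel table, and approximates KQL `has_any` term matching so an analyst can check which observed names or URLs would hit. It assumes the table and column names used in the queries above; the term-boundary matcher is a simplification of Kusto's tokenizer, not its exact behaviour.

```python
import re
from collections import defaultdict
# Constructed sample: the five KongTuke IOCs from the table above, defanged as published.
KONGTUKE_IOCS = [
    ("url", "hxxps://keneedy.lol/file.js"),
    ("domain", "keneedy.lol"),
    ("url", "hxxps://keneedy.lol/api/v1/session"),
    ("url", "hxxps://keneedy.lol/api/v1/verify"),
    ("url", "hxxps://keneedy.lol/api/v1/status"),
]

def refang(ioc: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so values match live telemetry."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")

def kql_list(values) -> str:
    """Render values as a KQL dynamic([...]) literal, escaping embedded quotes."""
    return "dynamic([" + ", ".join('"' + v.replace('"', '\\"') + '"' for v in values) + "])"

def build_hunts(iocs) -> dict:
    """Group IOCs by type and emit one KQL hunt per Sentinel table used on this page."""
    by_type = defaultdict(list)
    for ioc_type, value in iocs:
        by_type[ioc_type].append(refang(value))
    hunts = {}
    if by_type["domain"]:
        hunts["DnsEvents"] = (f"let malicious_domains = {kql_list(by_type['domain'])};\n"
                              "DnsEvents\n| where Name has_any (malicious_domains)\n"
                              "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
                              "| order by TimeGenerated desc")
    if by_type["url"]:
        hunts["UrlClickEvents"] = (f"let malicious_urls = {kql_list(by_type['url'])};\n"
                                   "UrlClickEvents\n| where Url has_any (malicious_urls)\n"
                                   "| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough\n"
                                   "| order by Timestamp desc")
    return hunts

def matches_ioc(observed: str, iocs) -> bool:
    """Approximate KQL has_any: the IOC must appear as a whole term (not glued to other alphanumerics)."""
    for _, value in iocs:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(refang(value)) + r"(?![A-Za-z0-9])"
        if re.search(pattern, observed, flags=re.IGNORECASE):
            return True
    return False

if __name__ == "__main__":
    for table, query in build_hunts(KONGTUKE_IOCS).items():
        print(f"-- {table}\n{query}\n")
```

Because `has_any` matches on term boundaries, a subdomain such as `cdn.keneedy.lol` is caught by the domain hunt while an unrelated name that merely contains the string is not.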
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled job runs to clean up temporary files or logs, which may include paths or commands similar to those in the KongTuke IOCs.
Filter/Exclusion: Exclude events where the process is cleanmgr.exe or schtasks.exe and the command line includes clean or delete logs.
Scenario: Admin task using PowerShell for user management
Description: An administrator uses PowerShell to manage user accounts, which may involve commands or scripts that resemble malicious activity.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes Add-LocalUser, Set-LocalUser, or Get-LocalUser.
Scenario: Legitimate use of curl for API testing
Description: A developer uses curl to test an internal API endpoint, which may match the IOCs associated with KongTuke.
Filter/Exclusion: Exclude events where the process is curl and the URL contains internal domain names or IP addresses from the organization’s network.
Scenario: System update or patching process
Description: A system update or patching task runs, which may involve temporary files or scripts that look like malicious activity.
Filter/Exclusion: Exclude events where the process is wuauclt.exe (Windows Update) or msiexec.exe and the command line includes update, patch, or install.
Scenario: Legitimate use of netsh for network configuration
Description: An administrator uses netsh to configure firewall rules or network interfaces, which may trigger the rule due to command-line similarities.
Filter/Exclusion: Exclude events where the process is netsh.exe and the command line includes `